2 Replies Latest reply on Jan 6, 2015 11:33 AM by Kary Tankink

    HIPS Firewall Events in ePO

    mmalagni

      Hello All,

      I just need a confirmation that in ePO it is not possible to see any HIPS Firewall activities.

      My customer would like to see only block activities in the Threat Events but as far as I know, this is not possible.

      Can you please confirm?

      Thanks a lot

      Matteo

        • 1. Re: HIPS Firewall Events in ePO
          drliv1980

          It is possible to configure the HIPS FW to send events back to ePO, but it's on a rule-by-rule basis. I would never recommend that all rules be configured to send events back to ePO unless you want to see fireworks.

          • 2. Re: HIPS Firewall Events in ePO
            Kary Tankink

            It is not possible to get HIPS Firewall events to ePO.

            When you mark a Firewall as "Treat as Intrusion", you're actually triggering a Network IPS Signature 3702 event violation (and if the IPS Option "Automatically block network intruders for X minutes" is enabled, it can block the offending IP address). This requires this signature and Network IPS to be enabled. An intrusion event and Firewall activity event (in the HIPS ClientUI Activity log) are similar, but they do not contain all the same information. This also only works for BLOCKED FW rules; there is no way to log ALLOW events in the Firewall. If you're trying to gather Firewall activity log events (BLOCK and/or ALLOW) to the ePO server, it is not possible in Host IPS 7 or 8.