Host IPS does not have the ability to send Firewall traffic (allowed or blocked) to the ePO server. The "Mark as Intrusion" option just marks the blocked firewall traffic to trigger Network IPS signature 3702.
The big issue is we are required to monitor all traffic going in or out on a daily basis and there is no way to sift through 3-50 IPs per machine per day when we are dealing with thousands of systems.
There is no functionality to monitor traffic going in/out of the system using the Host IPS/ePO products. Firewall event traffic is only stored locally in the HIPS Activity log. Using the "Intrusion" mechanism is not an accurate (nor suggested) way to monitor firewall traffic; it also doesn't include all firewall activity details.
Sure, but if you mark it as an intrusion it gives you the ability to create an Automatic Response based on that event and then you can review the alerts.
It is not ideal but we are required to monitor "Firewall Logs" to meet PCI compliance.
We were sold HIPS in an ePO package as a PCI solution for security and now we are coming up on our audit. I am hoping to pass this solution off as a compensating control for not having adequate firewall logging.
How can McAfee claim that the firewall is PCI compliant when it does not support firewall logging?