Hello,
I have enabled the FW policy with adaptive mode enabled for a small number of systems; however, I am unable to find any reports/logs related to those systems. I have tried to run reports related to the FW, but they are all empty. Am I missing something here? Or is there a chance that the FW in adaptive mode did not automatically create any rules?
Thanks
Hello @Linuxxo
May I ask you to check:
"Menu -> Reporting -> Host IPS 8.0 -> Firewall Client Rules (Tab)"
and let me know if anything is reported there? Please make sure to have proper nodes selected in "System Tree" and also corresponding "Preset:".
Also, if there is nothing there, may I ask you to go to:
"Menu -> Automation -> Server Tasks"
and run "Host IPS 8.0 Property Translator" and check above section again.
Please let me know if the issue persists.
Hi and many thanks for your reply. Unfortunately I do not have any of the options you have mentioned for the Host IPS. I am still using ePO version 5.9.1 and the only thing I have found that is related to the FW under Server Tasks, is the "Endpoint Security Firewall Property Translator", which is currently disabled.
Hello @Linuxxo
Thank you for your reply.
May I ask which point product you are using?
You posted in the HIPs section of the forum, so I assumed you are using HIPs Firewall.
Are you using HIPs or ENS Firewall?
Apologies for that, I have just realised that I ended up posting in the wrong group. I am using the ePO and want to enable the FW for the ENS.
Hello @Linuxxo
In that case "Adaptive Rules" should be reported under:
"Menu -> Reporting -> Firewall Client Rules"
and if they are not there you may execute "Endpoint Security Firewall Property Translator".
Also, in order for ENSFW rules to be reported, please make sure to have also checked "Retain existing user-added rules and Adaptive mode rules when this policy is enforced" in "Endpoint Security Firewall: Firewall > Options > Name_of_your_policy" as long as you are using "Adaptive Mode"; otherwise, all "Adaptive Rules" that are created will be cleaned up during every policy enforcement, and if they are not on the machine, they will not be listed in ePO either.
I hope this helps.
Verify that the system node (in the ePO server console) actually has client rules to process (ref KB58949; the concept applies to ENSFW as well; slightly different menus though). In the HIPS/ENS Firewall node properties, you should see "Client firewall rules ###" under the Client Policy section. Once you see this, the ENS Firewall Property Translator task will run (automatically every 15 min; or run the ePO Server task manually if you don't want to wait, but leave the task in DISABLE status though) to convert these node property rules to ePO-manageable rules in the Firewall Client Rules menu.
The McAfee Agent policy option "Retrieve all system and product properties (recommended). If unchecked retrieve only a subset of properties" must be enabled to retrieve these client rules from the ENS/HIPS FW client.
Everything seems to be in order now, but the reports are always empty. I assume that the user's activity is not triggering any FW rules. I wonder if there is a way to manually test the FW and trigger some events.
By default, all the firewall events will not be sent back to the ePO because of high bandwidth. But you can get the adaptive rules created on the client machine back to the ePO by following the instructions below.
---------------------------------------------
1) Once the adaptive rules are created under ENSFW on the client machine.
2) Then click on "Collect and Send Props" on the Agent monitor on the client machine so that the adaptive rules are sent back to ePO.
3) On the ePO console you can run the server task "Endpoint Security Firewall Property Translator" so that the rules created on the client machine are listed under ePO.
4) Then you have to go to "Menu>>>Reporting>>>Firewall Client Rules" and then select the rules and add them to the policies. After following these steps, if you have any queries, let us know.
---------------------------------------------