
Find Local Address for a Firewall event

When reviewing firewall events, specifically the "No Application Rule" type, the console reports information based on the remote address but not the local address. This information would be extremely helpful to determine which AD OU the machine that triggered the event lives in and, correspondingly, which Firewall policy is applied to it. Is there any way to determine this?

Endpoint: 10.0

Enterprise Console: 5.2.1.197



  • Hello MoltenArrow,

    I guess one reason this column doesn't exist is that the Event Viewer groups "identical" events (both for clearer representation and usability; although there is a local address attribute in the rules, you can't configure it, as it would make sense only in a locally administered rule, not in a group's policy). Another is that it is not always meaningful: apart from localhost and broadcast addresses, it could as well be any (0.0.0.0).

    For now, all you can do is use a customized Alert and event history report: deselect all types but Firewall under Configuration, and perhaps sort them (under Display Options) by Group name.

    HTH

    Christian

  • That helped tremendously! Now I just have to figure out why "no application rule" events are being created for a user that has a policy with an application rule.

  • Hello MoltenArrow,

    glad it helped. Feel free to ask if you need assistance solving the "why" (just in case - do you use dual location?).

    Christian
  • I was going to start a new topic but I suppose this is as good a place as any.  First and foremost, can you elaborate on what you mean by "Dual Location"?  If you're referring to location aware rules, we are not using them.  

    I have adjusted ALL of my firewall policies to have Firefox.exe, chrome.exe, and iexplore.exe listed as trusted.  This would be logical to me to have created an "Application rule".  The issue is that some users, that report as being policy compliant, are triggering "No Application Rule" events in the console.  I checked one of the local firewall logs and sure enough they are showing up in the "no application rule" log instead of the allow log.  Any suggestions as to why this might be happening?

  • Hello MoltenArrow,

    "location aware rules"

    yes, was referring to them.

    "some users, that report as being policy compliant, are triggering 'No Application Rule'"

    just nitpicking: policies apply to computers, not users.

    I assume you are using Block by default - but then, don't the users complain (asking because you did not mention it)? What do you do to unblock the browser - or is it an intermittent problem? Trust is a rule - did you check that it is correctly set on the client?

    Haven't heard of such an issue ... all I can think of is that the policy on the endpoint does not (yet) comply when the browser is opened.

    Christian 

  • Sorry, with regard to the users/computers: the computers are reporting "Same as policy" but are still logging "no application rule" events... even locally. We are currently using Allow by default but are trying to generate a ruleset to be able to move to Block seamlessly from the end user perspective. I'm going to open a formal ticket on this one because it's pretty clear that it's not behaving as it should. Thanks for being the sounding board.

  • Hello MoltenArrow,

    please follow up with the results.

    One thing to try would be creating a rule from one of the events using the event viewer and checking if something has changed under the Applications tab. That shouldn't be the case for a trusted application.

    Christian
