Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 9469 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Find Local Address for a Firewall event

MoltenArrow

When reviewing firewall events, specifically "No Application Rule" type, the console reports information based on the remote address but not the local address. This information would be extremely helpful to determine which AD OU that the machine which triggered the event lives in and correspondingly which Firewall policy is applied to it.  Is there anyway to determine this?

Enpoint: 10.0

Enterprise Console: 5.2.1.197

:43463


This thread was automatically locked due to age.
Parents
  • 0

    Hello MoltenArrow,

    guess one reason that this column doesn't exist is that the Event Viewer groups "identical" events (both for clearer representation and usability - although there is a local address attribute in the rules you can't configure it, it would make sense only in a locally administered rule, not a group's policy), another that it is not always meaningful - apart from localhost and broadcast addresses it could as well be any (0.0.0.0).

    For now all you can do is to use  a customized Alert and event history report, deselect all types but Firewall under Configuration, perhaps sorting (under Display Options) them by Group name .

    HTH

    Christian

    :43499
Reply
  • 0

    Hello MoltenArrow,

    guess one reason that this column doesn't exist is that the Event Viewer groups "identical" events (both for clearer representation and usability - although there is a local address attribute in the rules you can't configure it, it would make sense only in a locally administered rule, not a group's policy), another that it is not always meaningful - apart from localhost and broadcast addresses it could as well be any (0.0.0.0).

    For now all you can do is to use  a customized Alert and event history report, deselect all types but Firewall under Configuration, perhaps sorting (under Display Options) them by Group name .

    HTH

    Christian

    :43499
Children
No Data