Find Local Address for a Firewall event

When reviewing firewall events, specifically "No Application Rule" type, the console reports information based on the remote address but not the local address. This information would be extremely helpful to determine which AD OU the machine that triggered the event lives in and correspondingly which Firewall policy is applied to it. Is there any way to determine this?

Endpoint: 10.0

Enterprise Console: 5.2.1.197

  • I was going to start a new topic but I suppose this is as good a place as any.  First and foremost, can you elaborate on what you mean by "Dual Location"?  If you're referring to location aware rules, we are not using them.  

    I have adjusted ALL of my firewall policies to have Firefox.exe, chrome.exe, and iexplore.exe listed as trusted.  This would be logical to me to have created an "Application rule".  The issue is that some users, that report as being policy compliant, are triggering "No Application Rule" events in the console.  I checked one of the local firewall logs and sure enough they are showing up in the "no application rule" log instead of the allow log.  Any suggestions as to why this might be happening?
