Find Local Address for a Firewall event

Question

When reviewing firewall events, specifically "No Application Rule" type, the console reports information based on the remote address but not the local address. This information would be extremely helpful to determine which AD OU that the machine which triggered the event lives in and correspondingly which Firewall policy is applied to it. Is there anyway to determine this?

Enpoint: 10.0

Enterprise Console: 5.2.1.197

This thread was automatically locked due to age.

QC · Accepted Answer

Hello MoltenArrow, guess one reason that this column doesn't exist is that the Event Viewer groups "identical" events (both for clearer representation and usability - although there is a local address attribute in the rules you can't configure it, it would make sense only in a locally administered rule, not a group's policy), another that it is not always meaningful - apart from localhost and broadcast addresses it could as well be any (0.0.0.0). For now all you can do is to use  a customized Alert and event history report, deselect all types but Firewall under Configuration , perhaps sorting (under Display Options ) them by Group name . HTH Christian :43499