Firewall Learn and Adaptive modes

When you enable the firewall feature, Host Intrusion Prevention continually monitors the network traffic that a computer sends and receives. It allows or blocks traffic based on the Firewall Rules policy. If the traffic cannot be matched against an existing rule, it is automatically blocked unless the firewall’s Learn mode or Adaptive mode is enabled.

You can enable Learn mode for incoming communication only, for outgoing communication only, or for both.

In Learn mode, Host Intrusion Prevention displays a Learn mode alert when it intercepts unknown network traffic. This alert dialog box prompts the user to Allow or Block any traffic that does not match an existing rule, and automatically creates corresponding dynamic rules for the non-matching traffic.

In Adaptive mode, Host Intrusion Prevention automatically creates a Permit rule to allow all traffic that does not match any existing Block rule, and automatically creates dynamic Allow rules for non-matching traffic.

For security reasons, however, in both Learn mode and Adaptive mode, incoming pings are blocked unless an explicit Permit rule is created for incoming ICMP traffic. In addition, incoming traffic to a port that is not open on the host is blocked unless an explicit Permit rule is created for that traffic. For example, if the host has not started the telnet service, incoming TCP traffic to port 23 (telnet) is blocked even when there is no explicit rule to block this traffic. You can create an explicit Permit rule for any desired traffic.

Host Intrusion Prevention displays all the rules created on clients through Learn mode or Adaptive mode and allows these rules to be saved and migrated to administrative rules.
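The decision flow described above can be followed in a small model. This is an added example, not McAfee code: the `Packet` and `Firewall` names, the exact-match rule tuples, and the treatment of any ICMP packet as a ping are simplifying assumptions, as is blocking unmatched traffic in a direction for which Learn mode is not enabled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp" or "icmp" (icmp stands in for a ping here)
    port: int = 0   # destination port; 0 for ICMP

@dataclass
class Firewall:  # hypothetical model, not the product's API
    rules: list                    # explicit rules: (action, direction, proto, port)
    mode: str = "enforce"          # "enforce", "learn" or "adaptive"
    learn_dirs: tuple = ("in", "out")             # directions Learn mode covers
    open_ports: set = field(default_factory=set)  # ports with a listening service
    dynamic: list = field(default_factory=list)   # rules created on the client

    def decide(self, pkt, user_choice="allow"):
        key = (pkt.direction, pkt.proto, pkt.port)
        # 1. Existing rules (explicit first, then dynamic) decide matching traffic.
        for action, *match in self.rules + self.dynamic:
            if tuple(match) == key:
                return action
        # 2. Unmatched traffic is blocked when neither mode is enabled.
        if self.mode == "enforce":
            return "block"
        # 3. Safeguards in both modes: unmatched incoming pings and incoming
        #    traffic to a closed port are blocked; only an explicit rule permits them.
        if pkt.direction == "in" and (pkt.proto == "icmp" or pkt.port not in self.open_ports):
            return "block"
        # 4. Learn mode asks the user, but only for the enabled directions.
        if self.mode == "learn":
            if pkt.direction not in self.learn_dirs:
                return "block"
            action = user_choice
        else:  # Adaptive mode allows without prompting
            action = "allow"
        # 5. Either mode records a dynamic rule for the non-matching traffic.
        self.dynamic.append((action, *key))
        return action

if __name__ == "__main__":
    # Constructed sample: ssh explicitly allowed, services listening on 22 and 8080.
    fw = Firewall(rules=[("allow", "in", "tcp", 22)], mode="adaptive", open_ports={22, 8080})
    for p in (Packet("in", "tcp", 22), Packet("in", "icmp"), Packet("in", "tcp", 23),
              Packet("in", "tcp", 8080), Packet("out", "tcp", 443)):
        print(p, "->", fw.decide(p))
    print("dynamic rules:", fw.dynamic)
```

The `dynamic` list is the part to review before migrating client rules to administrative rules: in Adaptive mode every entry was allowed without anyone approving it.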

Copyright © 2006 McAfee, Inc. All Rights Reserved.