hheesch
Level 7

Firewall blocking all incoming after network adapter switch

Our HIPS 7 is blocking all incoming connections after switching network / network card.

We disable wireless when connected to cable and enable wireless again when disconnecting the cable.

On a regular basis, not always, the firewall allows all traffic out (like a rule tells it to) but blocks the answers coming from the remote systems.

It seems it is not acting stateful.

Any known challenges on this?

0 Kudos
7 Replies
exbrit
Level 21

Re: Firewall blocking all incoming after network adapter switch

Moved to HIPs for better attention.

0 Kudos
McAfee Employee

Re: Firewall blocking all incoming after network adapter switch

Our HIPS 7 is blocking all incoming connections after switching network / network card.


Does this still happen if the HIPS Firewall is disabled?   It might be a firewall rule issue.

On a regular basis, not always, the firewall allows all traffic out (like a rule tells it to) but blocks the answers coming from the remote systems.

It seems it is not acting stateful.

We've seen this issue before and typically it's caused by a return packet for a connection that is already closed.  Are you seeing any issues due to this blocked incoming traffic?

The issues you see might be configuration issues, but if possible, I would suggest upgrading to HIPS 8.0 Patch 2 Hotfix 803520 and retesting.

0 Kudos
hheesch
Level 7

Re: Firewall blocking all incoming after network adapter switch

Hi,

Sorry for the response delay.

No, the issues vanish when HIPS is disabled and yes, it seems all incoming traffic is blocked.

Another strange part here is that it seems in the logging that e.g. the ping reply comes before the request. To avoid a 'wrong' rule my client is back to 6 rules.

1 block for  possible virus/worm on specific ports

1 allow all protocols outbound

4 rules explicitly allowing inbound on vnc, rdp, echo request, ms-ds (all tcp) and inbound dns (udp)

1 rule allow all inbound from our datacenter networks

Attached the image of the fw log. First cleared log then started an outbound ping to my router. First you see the incoming ICMP then the outbound.

Seems to me this is in the wrong order.

fw_log_ICMP_mess.PNG

0 Kudos
McAfee Employee

Re: Firewall blocking all incoming after network adapter switch

There have been issues we've seen with log events occurring in the HIPS Activity log (out of sequence logging, reset packets causing BLOCKs before ALLOWs, etc.)

If you're still having an issue, I would suggest opening a Service Request with McAfee Support to have it looked at further.  Have you tested HIPS 8.0 in this environment to see if it still has the issue?  There have been firewall architecture changes that might affect the issues you are seeing.

0 Kudos
hheesch
Level 7

Re: Firewall blocking all incoming after network adapter switch

Not yet tested 8.0.

I will if we have it present for (test) deployment. Might take some days for the next response on this though. Issues are not consistent nor can we simulate them. They just occur.

0 Kudos

Re: Firewall blocking all incoming after network adapter switch

Since the HIPS firewall works on an adaptive routing technique, I would recommend you look at the HIPS rules once again that you have created: if TCP/IP blocked is the first rule in your firewall rule list, it will block all the traffic even if you have created a rule after it.

If the problem still persists, let me know if it's happening on all the systems on which you have applied the same policy.

0 Kudos
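Two mechanisms come up in the replies above: a reply packet is only passed statefully while the firewall still holds the flow state created by the outbound packet (so a reply to a connection that is already closed, or whose state was lost, falls through to the static rules), and with first-match evaluation a broad block rule placed above an allow rule shadows it. The toy filter below is an added example written for this thread, not McAfee HIPS code, and it makes no claim about how HIPS stores state internally; the addresses, rule names and port numbers are constructed for illustration.

```python
"""Toy first-match stateful packet filter (constructed example, not HIPS code).

Illustrates (1) why a reply is allowed only while the outbound flow is still
tracked, and (2) why a block rule placed first shadows a later allow rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "icmp", "tcp" or "udp"
    direction: str    # "out" (host -> remote) or "in" (remote -> host)
    local: str        # address of the protected host
    remote: str       # address of the peer
    port: int = 0     # service port of the flow (0 for icmp)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "block"
    proto: str = "any"
    direction: str = "any"
    port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.direction in ("any", pkt.direction)
                and (self.port is None or self.port == pkt.port))


class StatefulFilter:
    """First-match rule list plus a flow table populated by allowed outbound packets."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.flows = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> Tuple[str, str, str, int]:
        # Same key for the request and its reply, so the reply finds the state.
        return (pkt.proto, pkt.local, pkt.remote, pkt.port)

    def flush_state(self) -> None:
        """Model losing the connection table, e.g. when the active NIC changes."""
        self.flows.clear()

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason); reason is 'state', a rule name or 'default-deny'."""
        key = self._flow_key(pkt)
        if pkt.direction == "in" and key in self.flows:
            return "allow", "state"          # reply to a tracked outbound flow
        for rule in self.rules:              # first match wins, like the thread describes
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.flows.add(key)      # remember the flow for its reply
                return rule.action, rule.name
        return "block", "default-deny"


def ping_scenario(lose_state: bool) -> List[Tuple[str, str]]:
    """Outbound echo request then the inbound reply; optionally drop state in between."""
    fw = StatefulFilter([Rule("allow-out", "allow", direction="out"),
                         Rule("block-in", "block", direction="in")])
    request = Packet("icmp", "out", "10.0.0.5", "10.0.0.1")   # constructed addresses
    reply = Packet("icmp", "in", "10.0.0.5", "10.0.0.1")
    results = [fw.evaluate(request)]
    if lose_state:
        fw.flush_state()
    results.append(fw.evaluate(reply))
    return results


def rdp_scenario(block_first: bool) -> Tuple[str, str]:
    """An inbound TCP/3389 SYN against a list where a broad TCP block may come first."""
    block_all_tcp = Rule("block-tcp", "block", proto="tcp")
    allow_rdp = Rule("allow-rdp-in", "allow", proto="tcp", direction="in", port=3389)
    rules = [block_all_tcp, allow_rdp] if block_first else [allow_rdp, block_all_tcp]
    syn = Packet("tcp", "in", "10.0.0.5", "10.0.0.9", 3389)    # constructed addresses
    return StatefulFilter(rules).evaluate(syn)


if __name__ == "__main__":
    print("ping, state kept:", ping_scenario(lose_state=False))
    print("ping, state lost:", ping_scenario(lose_state=True))
    print("rdp, block rule first:", rdp_scenario(block_first=True))
    print("rdp, allow rule first:", rdp_scenario(block_first=False))
```

With the state kept, the reply is passed with reason `state`; after `flush_state()` the same reply falls through to the static `block-in` rule, which is the symptom the original poster describes (outbound allowed, answers blocked). The RDP case shows that moving the broad TCP block above the specific allow changes the verdict without any rule being edited, which is why the reply above recommends re-checking rule order first.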
hheesch
Level 7

Re: Firewall blocking all incoming after network adapter switch

Thanks for your answer.

The issue seems to appear (show itself) only on the HP 8470p and HP8570w (70-series).

It happens with a rule list of > 80 rules and with a cleaned-up list of 6 rules. (major clean-up but it might be more in the end).

If I look at our Lenovo or even the HP 60-series the issue does not show.

Only thing different seems the model name and with that a faster processor.

So regardless of the policy it happens, although a lot less when having the 6 rules activated instead of the 80+ list.

If HIPS service is disabled it works ok.

0 Kudos