Hello, we are experiencing issues with Windows 2000 machines hanging at the login screen with the HIPS firewall enabled. Machines work with HIPS IPS on but not with both IPS and Firewall enabled. Trying to work with McAfee Gold support on this one; haven't found a resolution other than to completely disable HIPS services or not enforce firewall. Firewall rules and options work fine on XP systems. Is there something that Windows 2000 machines just don't like with HIPS PFW? I'm at a deadlock on this one and would like URGENT help.
since the default is for FW to be off, I'll assume you've played around with HIPs policies in ePO
disable the FW or whatever you do to get the Windows 2000 to be accessible.
set HIPs\General\Client UI troubleshooting tab policy for the test system to enable DEBUG logging for firewall.
do agent wakeup to enforce (make sure local system's HIPs console is closed)
now turn the FW back on and reboot and try to log in. When it gets hung, note the time. See if you can map to the test system from another system
go to C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention
or you might need to boot to safe mode and get the log.
attach here the firesvc.log, let me know the time it hung, and we can try to figure it out together.
also try setting the FW Options to 'learn mode' and see if there is a block prompt telling you what it is.
also attach an exported copy of your FW rules (if you want to), and I can try to reproduce it.
Message was edited by: dvo on 12/1/09 9:05 AM
Message was edited by: dvo on 12/1/09 9:32 AM
I can't post the firesvc log up ... McAfee Gold support recommended that I do what you stated. I have uploaded the logs in that ticket as they are confidential... so if you could look at that ticket number and get the logs...
Message was edited by: sphorton on 12/1/09 9:37 AM
Message was edited by: sphorton on 12/1/09 9:39 AM
Not a known issue that I know of...
However, I would have tried a couple things:
1) allow the option for unsupported protocols in the Firewall policy. (KB53191 in McAfee Knowledge Base) I haven't worked a W2K case in a while but the OS could have some funky non-IP traffic that the HIP fw is dropping in the bit bucket because we don't recognize it. This is most likely the case.
2) run the firewall in adaptive mode to see if any new rules needed to be created.