kink80
Level 12

HIPS 8.0 P2 default action

We have some machines running HIPS 8.0 P2 that are blocking access to our organization's main website at certain seemingly sporadic times. I can see its IP address being blocked in the HIPS logs. When we disable the HIPS firewall, the user is able to navigate to the site with no issues. If you turn the HIPS firewall back on, it goes back to blocking it. As I said, this does not happen all the time, just some of the time, which makes this issue hard to track. My question is: if one of the machines in question is getting "overwhelmed" with network traffic, does HIPS ever stop processing the policy applied rules and just start to block everything under the "Block All Traffic" rule? This seems to be what is happening. If we turn HIPS off and allow the ePO policy to turn it back on when our policy enforcement task runs, it seems to correct itself and work while HIPS is turned on. Anyone ever seen something like this? Thanks in advance.

0 Kudos
3 Replies
greatscott
Level 12

Re: HIPS 8.0 P2 default action

What sort of traffic is blocked? Just typical port 80 traffic?

We have seen an issue where an "allow all" rule will not permit LDAP 389 traffic at random intervals. We can see the blocks recorded in the activity log. Are you using Connection Aware Groups (CAGs)?

0 Kudos
adomaeo
Level 7

Re: HIPS 8.0 P2 default action

Can we circle back to this one? I'm having issues with laptops not being able to authenticate to our servers. The logs show multiple errors regarding TCP, "Blocked Outgoing TCP" ldap 389 and epmap 135.

0 Kudos
greatscott
Level 12

Re: HIPS 8.0 P2 default action

What does your firewall rules policy look like? Are you using any connection/location aware groups? Have you confirmed that disabling the firewall restores communication?

0 Kudos