ninjaneer68
Level 10

HIPS 8 FW blocking VMDIRD.EXE

Within the VMware 5.5 vSphere server, HIPS FW is blocking VMDIRD.exe from starting during a reboot, or it takes about 40-60 minutes for it to start. I can see in the HIPS FW logs that it is being blocked. I am having trouble trying to figure out the FW rule to allow the service to start without any issues.

Has anyone else seen this or can assist in what they did to get the rule to stop interfering with the startup of this service?

Below is what I am seeing in the logs

Time: 6/23/2015 3:10:09 AM
Event: Traffic
IP Address/User: 127.0.0.1
Description: VMware Directory Service (vmdird)
Path: D:\Program Files\VMware\Infrastructure\VMware\cis\vmdird\vmdird.exe
Message: Blocked Incoming TCP -  Source 127.0.0.1 :  (60054)  Destination 127.0.0.171 :  (50001)
Matched Rule:vCenter CAG/LAG Rules
0 Kudos
3 Replies
ninjaneer68
Level 10

Re: HIPS 8 FW blocking VMDIRD.EXE

After looking at the FW rules set for the vCenter, I had the below entries set to allow for loopback:

local networks

::1

127.0.0.1

127.0.0.1/8

I didn't have anything set for local loopback on the remote network side within the FW rule. I went and edited the rule, and for the remote network within the allow loopback rule, I added the above but within the remote network.

Restarted the vSphere server and the VMDIRD server stopped hanging.

When the rule talks about the remote networks, I take it that the rule destination is the IP the application is attempting to reach, and it doesn't matter if it's local to the box or not?

0 Kudos
c14us
Level 7

Re: HIPS 8 FW blocking VMDIRD.EXE

Hi

The loopback rules were removed from HIPS in one of the older SPs (SP2 I think). If you need them (most will), you need to create them yourself (as you just did).

Regards

Claus

McAfee Employee

Re: HIPS 8 FW blocking VMDIRD.EXE

For your reference, see below. It is suggested to have the ALLOW LOOPBACK rule at the top of the firewall rule policy. You will also need to modify it for non-standard 127.x.x.x IP addresses, if needed, as your blocked network traffic example shows above.

KB71230 - Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled
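
A triage sketch for the log format quoted in this thread, added here as an example (not code from McAfee or from any poster): it finds blocked flows where both endpoints are loopback and reports which endpoint addresses a candidate list of rule entries would miss. The function names and the host/CIDR reading of each entry are assumptions; how HIPS itself interprets an entry such as 127.0.0.1/8 is not stated on the page.

```python
import ipaddress
import re

# First Message line is the one quoted in the thread; the second is constructed
# (non-loopback, documentation addresses) to show that it is ignored.
SAMPLE_LOG = r"""
Message: Blocked Incoming TCP -  Source 127.0.0.1 :  (60054)  Destination 127.0.0.171 :  (50001)
Matched Rule:vCenter CAG/LAG Rules
Message: Blocked Incoming TCP -  Source 192.0.2.10 :  (51000)  Destination 192.0.2.20 :  (443)
"""

MESSAGE_RE = re.compile(
    r"Message:\s*Blocked\s+(?P<direction>\w+)\s+(?P<proto>\w+)\s*-\s*"
    r"Source\s+(?P<src>\S+)\s*:\s*\((?P<sport>\d+)\)\s*"
    r"Destination\s+(?P<dst>\S+)\s*:\s*\((?P<dport>\d+)\)"
)


def covered(addr, entries):
    """True if addr is inside any rule entry, given as a host address or CIDR."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        # strict=False accepts entries with host bits set, e.g. "127.0.0.1/8".
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def blocked_loopback(log_text, entries):
    """Return blocked loopback-to-loopback flows and the endpoints entries miss."""
    findings = []
    for m in MESSAGE_RE.finditer(log_text):
        src, dst = m.group("src"), m.group("dst")
        both = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
        if not all(ip.is_loopback for ip in both):
            continue  # not local-only traffic; a loopback rule is not the fix
        missing = [a for a in (src, dst) if not covered(a, entries)]
        findings.append({"src": src, "dst": dst, "proto": m.group("proto"),
                         "dport": int(m.group("dport")), "missing": missing})
    return findings


if __name__ == "__main__":
    for entries in (["::1", "127.0.0.1"], ["::1", "127.0.0.1", "127.0.0.1/8"]):
        print(entries, blocked_loopback(SAMPLE_LOG, entries))
```

Run it against the local and the remote entry lists separately: an empty list reports both endpoints as missing, and a list holding only 127.0.0.1 still misses 127.0.0.171.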