cancel
Showing results for 
Search instead for 
Did you mean: 

HIPS blocks outgoing traffic as incoming

We are seeing some random issues on a handful of our servers, at different times.  The issues have the same behavior: HIPS starts blocking outgoing connections(Database, DNS, etc).  When checking the HIPS logs it shows the traffic pattern as backwards.

For example we have a web server(Windows 2012R2 virtual), all outgoing traffic is allowed.  It can normally make a call to our database server(Windows 200R2 - no firewall).  Source port on the web server is a random high port, destination port on the SQL server is 1433.  When the issue is occurring we see logs similar to below(I masked the IP):

Time: 06/07/2018 10:25:25 PM
Event: Traffic
IP Address: XXX.XXX.XXX.134
Description:
Path:
Message: Blocked Incoming TCP - Source XXX.XXX.XXX.134 : (1433) Destination XXX.XXX.XXX.148 : (60354)
Matched Rule: Block all traffic

 

As you can see this appears to be seeing the connection as initiating from the SQL server.  Once we rebooted the web server everything was back to normal.  This happens on 2-3 servers at random times.  I figure one of 2 things is happening: 1) McAfee has an issue where it sees outgoing traffic as incoming. 2) The return connection from the destination is being seen as a new connection, rather than open.

 

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community