One of my internal applications is blocked by HIPS, but the logs show only blocked incoming UDP on Bootps ports 67 and 68. The default rules already allow these ports, but I am still seeing the error below in the logs. Could you please advise how to proceed with this error? Adaptive Mode was enabled but I still have the issue. The Allow bootp rule is attached.
0/09/2014 11:18:12 FireCore.cpp VERBOSE (3228) handleNotificationEventLog() - traffic event received:
Mode = traffic
Process id = 0
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 68
Dest port = 67
Ip protocol = 17
Ethernet type = 0x800
Process path =
Local ip addr = 255.255.255.255
Remote ip addr = 10.xx.xx.xx
Source MAC = 00-9c-02-1a-67-9e-00-00
Dest MAC = ff-ff-ff-ff-ff-ff-00-00
10/09/2014 11:18:12 FireCore.cpp VERBOSE (3228) internalHandleNotification() - ignoring non-hip PP notification.
10/09/2014 11:18:12 APPLOG  VERBOSE RULE <unknown> BLOCKED PID 0 ETHERNET TYPE 0x800 PROTO 17 255.255.255.255 67 <-- 10.xx.0.xx. Block All Traffic
10/09/2014 11:18:12 MAINWRK VERBOSE << (2416) processQueue
Any advice will be welcome.
This rule allows outgoing BOOTP traffic, and the logs show that incoming BOOTP traffic is filtered. I currently don't have a HIPS installation at hand, so I cannot give you exact guidance, but you should be good if you additionally allow incoming BOOTP traffic (switch direction and local/remote service port).
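The direction and port switch described in the reply above, as an added example that is not part of the original thread and is not the HIPS product's own rule format. The rule dictionaries and the outbound rule's ports (local 68, remote 67) are assumptions for illustration; the event fields are copied from the log in the question.

```python
import re

# Constructed sample: traffic-event fields taken from the log in the question.
SAMPLE_EVENT = """\
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 68
Dest port = 67
Ip protocol = 17
Process path =
Local ip addr = 255.255.255.255
"""

# Hypothetical model of an "allow outgoing BOOTP" rule (assumed ports).
OUTBOUND_BOOTP_RULE = {"direction": "out", "protocol": 17,
                       "local_port": 68, "remote_port": 67}

def parse_event(text):
    """Parse the 'Key = value' lines of one traffic event into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=]+?)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def normalize(fields):
    """Translate source/dest ports into local/remote ports by direction."""
    inbound = fields["direction"] == "FW_DIRECTION_INBOUND"
    src, dst = int(fields["source port"]), int(fields["dest port"])
    return {"direction": "in" if inbound else "out",
            "protocol": int(fields["ip protocol"]),
            "local_port": dst if inbound else src,
            "remote_port": src if inbound else dst}

def rule_matches(rule, pkt):
    """A rule covers a packet only if direction, protocol and both ports agree."""
    return all(rule[k] == pkt[k] for k in rule)

def mirror_rule(rule):
    """Switch direction and swap the local/remote service ports."""
    return {"direction": "in" if rule["direction"] == "out" else "out",
            "protocol": rule["protocol"],
            "local_port": rule["remote_port"],
            "remote_port": rule["local_port"]}

if __name__ == "__main__":
    pkt = normalize(parse_event(SAMPLE_EVENT))
    print("blocked packet:", pkt)
    print("outbound rule matches:", rule_matches(OUTBOUND_BOOTP_RULE, pkt))
    print("mirrored rule matches:", rule_matches(mirror_rule(OUTBOUND_BOOTP_RULE), pkt))
```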
Just to throw it out there, if this is an internal application, do you have a CAG (connection aware group) set up? Basically you can set up a location rule within your table that will allow any/any but ONLY if the specified machine matches a defined criterion of either DNS/DHCP/Gateway/etc. server. That makes it a lot easier for internal servers, as you don't need to create specific rules like you are. Just a thought.