bob325
Level 7
Message 1 of 3

How to permit UDP port traffic in HIPS 8

Hi Team,

One of my internal applications is blocked by HIPS, but the logs show only blocked incoming UDP on BOOTP ports 67 and 68. The default rules already allow these ports, but I am still seeing the error below in the logs. Could you please advise how to proceed with this error? Adaptive Mode was enabled but I still have the issue. The Allow bootp rule is attached.

10/09/2014 11:18:12 FireCore.cpp[6131] VERBOSE  (3228) handleNotificationEventLog() - traffic event received:
Mode = traffic
Process id = 0
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 68
Dest port = 67
Ip protocol = 17
Ethernet type = 0x800
Process path =
Local ip addr = 255.255.255.255
Remote ip addr = 10.xx.xx.xx
Source MAC = 00-9c-02-1a-67-9e-00-00
Dest MAC = ff-ff-ff-ff-ff-ff-00-00
10/09/2014 11:18:12 FireCore.cpp[2627] VERBOSE  (3228) internalHandleNotification() - ignoring non-hip PP notification.
10/09/2014 11:18:12 APPLOG  [1876] VERBOSE  RULE <unknown> BLOCKED PID 0 ETHERNET TYPE 0x800 PROTO 17 255.255.255.255 67 <-- 10.xx.0.xx.  Block All Traffic
10/09/2014 11:18:12 MAINWRK[813] VERBOSE  << (2416) processQueue

[attachment: bootp rule.png]

Any advice will be welcome.

Thanks

Bob

2 Replies
frank_enser (Reliable Contributor)
Message 2 of 3

Re: How to permit UDP port traffic in HIPS 8

Hi,

This rule allows outgoing BOOTP traffic, and the logs show that incoming BOOTP traffic is filtered. I currently don't have a HIPS installation at hand, so I cannot give you exact guidance, but you should be good if you additionally allow incoming BOOTP traffic (switch direction and local/remote service port).

Regards,

Frank
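To make the mismatch between Bob's log and his rule concrete, here is an added example (not code from the thread or from McAfee) that parses the FireCore traffic event quoted in the original post and checks it against a simplified model of two firewall rules: the poster's outgoing "Allow bootp" rule and the incoming counterpart Frank suggests. The rule fields (direction, protocol, local/remote ports) and the assumption that the outgoing rule is the client-side one (local 68, remote 67) are this example's own modelling, not HIPS's actual rule format; the log text is a constructed copy of the event from the post.

```python
import re
from dataclasses import dataclass

# Constructed copy of the HIPS 8 FireCore traffic event quoted in the post
# (the masked address octets are left as "xx", exactly as posted).
SAMPLE_EVENT = """\
10/09/2014 11:18:12 FireCore.cpp[6131] VERBOSE  (3228) handleNotificationEventLog() - traffic event received:
Mode = traffic
Process id = 0
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 68
Dest port = 67
Ip protocol = 17
Ethernet type = 0x800
Process path =
Local ip addr = 255.255.255.255
Remote ip addr = 10.xx.xx.xx
"""


@dataclass(frozen=True)
class Packet:
    direction: str    # "INBOUND" or "OUTBOUND"
    protocol: int     # IP protocol number (17 = UDP)
    local_port: int
    remote_port: int
    local_ip: str
    remote_ip: str
    action: str       # "BLOCK" or "ALLOW"


def parse_traffic_event(text: str) -> Packet:
    """Parse the 'key = value' lines of a FireCore traffic event.

    The log gives source/dest ports from the packet's point of view, while
    firewall rules are written in local/remote terms: for an INBOUND packet
    the destination port is the local port, for OUTBOUND it is the source port.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*=\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    direction = fields["direction"].replace("FW_DIRECTION_", "")
    src, dst = int(fields["source port"]), int(fields["dest port"])
    local_port, remote_port = (dst, src) if direction == "INBOUND" else (src, dst)
    action = fields["action"].replace("FW_ACTION_", "").replace("_PACKET", "")
    return Packet(direction, int(fields["ip protocol"]), local_port, remote_port,
                  fields["local ip addr"], fields["remote ip addr"], action)


@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified model of an allow rule (not HIPS's real schema)."""
    name: str
    direction: str          # "INBOUND", "OUTBOUND" or "EITHER"
    protocol: int
    local_ports: frozenset  # empty = any port
    remote_ports: frozenset


def mismatches(rule: Rule, pkt: Packet) -> list:
    """Name the rule fields the packet fails, so a block can be read back to the rule."""
    bad = []
    if rule.direction not in ("EITHER", pkt.direction):
        bad.append("direction")
    if rule.protocol != pkt.protocol:
        bad.append("protocol")
    if rule.local_ports and pkt.local_port not in rule.local_ports:
        bad.append("local_port")
    if rule.remote_ports and pkt.remote_port not in rule.remote_ports:
        bad.append("remote_port")
    return bad


def first_matching_rule(rules, pkt: Packet):
    """Return the name of the first rule that allows pkt, or None if it falls through."""
    for rule in rules:
        if not mismatches(rule, pkt):
            return rule.name
    return None


# Assumed shape of the poster's attached rule: outbound only, client side.
ALLOW_BOOTP_OUT = Rule("Allow bootp (outgoing)", "OUTBOUND", 17, frozenset({68}), frozenset({67}))
# Frank's suggestion: same service, direction switched, local/remote ports swapped.
ALLOW_BOOTP_IN = Rule("Allow bootp (incoming)", "INBOUND", 17, frozenset({67}), frozenset({68}))

if __name__ == "__main__":
    pkt = parse_traffic_event(SAMPLE_EVENT)
    print(pkt)
    print("outgoing rule fails on:", mismatches(ALLOW_BOOTP_OUT, pkt))
    print("with outgoing rule only:", first_matching_rule([ALLOW_BOOTP_OUT], pkt))
    print("with incoming rule added:", first_matching_rule([ALLOW_BOOTP_OUT, ALLOW_BOOTP_IN], pkt))
```

Run stand-alone, the script shows the logged packet as inbound UDP with local port 67 and remote port 68, reports that the outgoing rule fails on direction, local port and remote port, and that only the added inbound rule matches it. That is the check worth doing before touching policy: read the direction and map the packet's source/dest ports to local/remote, then compare field by field with the rule you believe should cover it.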

Re: How to permit UDP port traffic in HIPS 8

Just to throw it out there: if this is an internal application, do you have a CAG (connection aware group) set up? Basically you can set up a location rule within your table that will allow any/any, but ONLY if the specified machine matches defined criteria for either a DNS/DHCP/Gateway/etc. server. That makes it a lot easier for internal servers, as you don't need to create specific rules like you are. Just a thought.
