bob325
Level 7

How to permit UDP port traffic in HIPS 8

Hi Team,

One of my internal applications is blocked by HIPS, but the logs show only blocked incoming UDP on Bootps ports 67 and 68. The default rules already allow these ports, but I am still seeing the error below in the logs. Could you please advise how to proceed with this error? Adaptive Mode was enabled but I still have the issue. The Allow bootp rule is attached.

0/09/2014 11:18:12 FireCore.cpp[6131] VERBOSE  (3228) handleNotificationEventLog() - traffic event received:

Mode = traffic

Process id = 0

Event type = FW_LOG_EVENT_TYPE_TRAFFIC

Direction = FW_DIRECTION_INBOUND

Action = FW_ACTION_BLOCK_PACKET

Source port = 68

Dest port = 67

Ip protocol = 17

Ethernet type = 0x800

Process path =

Local ip addr = 255.255.255.255

Remote ip addr = 10.xx.xx.xx

Source MAC = 00-9c-02-1a-67-9e-00-00

Dest MAC = ff-ff-ff-ff-ff-ff-00-00

10/09/2014 11:18:12 FireCore.cpp[2627] VERBOSE  (3228) internalHandleNotification() - ignoring non-hip PP notification.

10/09/2014 11:18:12 APPLOG  [1876] VERBOSE  RULE <unknown> BLOCKED PID 0 ETHERNET TYPE 0x800 PROTO 17 255.255.255.255 67 <-- 10.xx.0.xx.  Block All Traffic

10/09/2014 11:18:12 MAINWRK[813] VERBOSE  << (2416) processQueue

bootp rule.png

Any advice will be welcome.

Thanks

Bob

0 Kudos
2 Replies
frank_enser
Level 12

Re: How to permit UDP port traffic in HIPS 8

Hi,

This rule allows outgoing BOOTP traffic, and the logs show that incoming BOOTP traffic is filtered. I currently don't have a HIPS installation at hand, so I cannot give you exact guidance, but you should be good if you additionally allow incoming BOOTP traffic (switch direction and local/remote service port).

Regards,

Frank

0 Kudos
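To check which direction and ports a rule has to match, the `traffic event received` blocks in the log can be reduced to (direction, protocol, local port, remote port) tuples. The script below is an added example, not part of the original posts or of the product; the sample log is constructed in the layout quoted in the question, and the function names and the `10.0.0.25` address are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the traffic event quoted in the question.
SAMPLE_LOG = """\
10/09/2014 11:18:12 FireCore.cpp[6131] VERBOSE  (3228) handleNotificationEventLog() - traffic event received:
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 68
Dest port = 67
Ip protocol = 17
Process path =
Local ip addr = 255.255.255.255
Remote ip addr = 10.0.0.25
10/09/2014 11:18:12 FireCore.cpp[2627] VERBOSE  (3228) internalHandleNotification() - ignoring non-hip PP notification.
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")
PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}

def parse_traffic_events(text):
    """Return one dict of lower-cased 'key = value' fields per traffic event."""
    events, current = [], None
    for line in text.splitlines():
        if "traffic event received" in line:
            current = {}
            events.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2)
            elif line.strip():  # any other non-blank line ends the block
                current = None
    return events

def blocked_flows(events):
    """Count blocked packets by (direction, protocol, local port, remote port)."""
    flows = Counter()
    for e in events:
        if e.get("action") != "FW_ACTION_BLOCK_PACKET":
            continue
        inbound = e.get("direction") == "FW_DIRECTION_INBOUND"
        src, dst = e.get("source port"), e.get("dest port")
        # For an inbound packet the destination port is the local one.
        local, remote = (dst, src) if inbound else (src, dst)
        proto = PROTO.get(e.get("ip protocol"), e.get("ip protocol"))
        flows[("inbound" if inbound else "outbound", proto, local, remote)] += 1
    return flows

if __name__ == "__main__":
    for flow, count in blocked_flows(parse_traffic_events(SAMPLE_LOG)).items():
        print(count, *flow)
```

For the event in the question this yields inbound UDP with local port 67 and remote port 68, which is the mirror image of an outgoing BOOTP rule.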
fitchsoccer342
Level 13

Re: How to permit UDP port traffic in HIPS 8

Just to throw it out there, if this is an internal application, do you have a CAG (connection aware group) set up? Basically you can set up a location rule within your table that will allow any/any but ONLY if the specified machine matches a defined criteria of either DNS/DHCP/Gateway/etc. server. That makes it a lot easier for internal servers as you don't need to create specific rules like you are. Just a thought.

0 Kudos