alhaawi
Level 9

Is there a way to avoid getting broadcast

hello

I am looking for a way to avoid getting broadcast traffic such as the one attached. The attached firewall log is showing too much traffic, almost every 10 seconds!

should we do something on the switch to avoid that?

1 Solution

Accepted Solutions
brentil
Level 12

Re: Is there a way to avoid getting broadcast

I've started a case with McAfee regarding this and we were able to create a policy to allow the traffic so it does not show in the blocked logs.  As mentioned though it will still show in the Allowed logs if you have that enabled.

  1. Create a new rule
  2. Description Page
    1. Action = Allow
    2. Log matching traffic = unchecked
    3. Direction = Either
  3. Network Options Page - Select Any Protocol
  4. Transport Page
    1. Protocol = UDP
    2. Local Service = 67,68
    3. Remote Service = 67,68

We went through a variety of rules trying to be more granular, but none of them worked; in the end this was the only one that worked.

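To see exactly which traffic the accepted rule swallows and which still lands in the blocked log, here is a small rule evaluator written for this thread (an added example, not McAfee's code or a HIPS policy export): the rule is modelled as data, the flows are constructed samples, and the `log_all_allowed` flag stands in for the LOG ALL ALLOWED option mentioned in the replies.

```python
from dataclasses import dataclass
# The accepted solution's rule as data (constructed model, not a real HIPS policy export).
DHCP_ALLOW_RULE = {
    "action": "allow",
    "log_matching": False,      # "Log matching traffic = unchecked"
    "direction": "either",
    "protocol": "udp",
    "local_service": {67, 68},
    "remote_service": {67, 68},
}

@dataclass
class Flow:
    """One packet as the host firewall sees it (constructed sample)."""
    protocol: str
    local_port: int
    remote_port: int
    inbound: bool   # True when the packet arrives at this host

def rule_matches(rule, flow):
    """True if the flow falls inside the rule's protocol/direction/port scope."""
    if rule["protocol"] != flow.protocol:
        return False
    if rule["direction"] == "in" and not flow.inbound:
        return False
    if rule["direction"] == "out" and flow.inbound:
        return False
    return (flow.local_port in rule["local_service"]
            and flow.remote_port in rule["remote_service"])

def evaluate(rules, flow, log_all_allowed=False, log_all_blocked=True):
    """Walk the rules top-down; return (action, logged). Unmatched traffic
    falls to an implicit block, which is what fills the blocked log."""
    for rule in rules:
        if rule_matches(rule, flow):
            logged = rule["log_matching"] or (rule["action"] == "allow" and log_all_allowed)
            return rule["action"], logged
    return "block", log_all_blocked

# Constructed samples: a client's DHCP request (68 -> 67) as a workstation
# receives it, a server's DHCP reply (67 -> 68), and an unrelated UDP broadcast.
SAMPLES = {
    "dhcp_request_broadcast": Flow("udp", local_port=67, remote_port=68, inbound=True),
    "dhcp_reply": Flow("udp", local_port=68, remote_port=67, inbound=True),
    "netbios_broadcast": Flow("udp", local_port=137, remote_port=137, inbound=True),
}

def triage(log_all_allowed=False):
    return {name: evaluate([DHCP_ALLOW_RULE], f, log_all_allowed) for name, f in SAMPLES.items()}
```

With the rule in place the DHCP broadcasts are allowed and unlogged, the NetBIOS broadcast still falls through to the blocked log, and turning on `log_all_allowed` brings the DHCP entries back in the allowed log, exactly as the replies describe.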
6 Replies
alhaawi
Level 9

Re: Is there a way to avoid getting broadcast

I mean should we do something on the switch or the router to avoid that?

greatscott
Level 12

Re: Is there a way to avoid getting broadcast

You should modify the McAfee HIPS Firewall Rules policy to permit bootp.

McAfee Employee

Re: Is there a way to avoid getting broadcast

This is incoming DHCP traffic.  The only system that needs to allow this traffic incoming is the DHCP server (if HIPS is installed on it).  Blocking it on all other clients shouldn't cause any issues (since they don't need to respond to DHCP requests).  Even if you did allow it, the traffic would be in the LOG ALL ALLOWED section of the logs (if enabled).

There isn't a way to get rid of it in HIPS (you can't configure HIPS to NOT log the traffic, especially if you use the LOG ALL ALLOWED/BLOCKED logging options).

alhaawi
Level 9

Re: Is there a way to avoid getting broadcast

Thanks Kary for your helpful answer, it is really annoying, especially while troubleshooting something. I may allow the traffic as greatscott suggested; I hope there is no risk by allowing the UDP bootpc.

brentil
Level 12

Re: Is there a way to avoid getting broadcast

I as well am tired of seeing this in my HIPS agents.  Did you make a support case to see what could be done about it?
