Anyone seen an issue with the HIPS Firewall, and processing of LLMNR traffic? The traffic is tripping over our CAG, which has IP based criteria. A system hits the LLMNR and for some reason starts using a 224.x.x.x local address, which is not defined in our CAG. The top bit of traffic is a block shown when the traffic hits our top CAG, where connection isolation is checked. The second piece of traffic below is an allow, when we uncheck connection isolation in our top CAG. The traffic is processed by our lower CAG, which has DNS based criteria:
Mode = traffic
Process id = 1632
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 53865
Dest port = 5355
Ip protocol = 17
Ethernet type = 0x800
Process path = C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Local ip addr = 224.0.0.252
Remote ip addr = XXX.XXX.240.166
Source MAC = 00-00-00-00-00-00-00-00
Dest MAC = 00-XX-e8-XX-36-XX-00-XX

Mode = traffic
Process id = 1632
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_ALLOW
Source port = 60692
Dest port = 5355
Ip protocol = 17
Ethernet type = 0x800
Process path = C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Local ip addr = 224.0.0.252
Remote ip addr = XXX.XXX.240.150
Source MAC = 00-00-00-00-00-00-00-00
Dest MAC = 00-XX-e8-XX-36-XX-00-XX
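Added example, not from the thread or from McAfee: a small Python triage that parses the HIPS "Key = value" event dump above and flags events whose local address is multicast (224.0.0.0/4), which is why an IP-range CAG criterion written for host addresses cannot match the LLMNR traffic. The 10.1.0.0/16 range and the two sample events are constructed.

```python
import ipaddress
import re
# Constructed sample in the HIPS 'Key = value' layout from the post; the
# addresses are made up. Event 1 mirrors the blocked LLMNR query (UDP/5355).
SAMPLE_LOG = """\
Mode = traffic
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Dest port = 5355
Ip protocol = 17
Local ip addr = 224.0.0.252
Remote ip addr = 10.1.240.166
Mode = traffic
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_ALLOW
Dest port = 5355
Ip protocol = 17
Local ip addr = 10.1.240.150
Remote ip addr = 10.1.240.166
"""
# Hypothetical IP-based CAG criterion: the host address range the group keys on.
CAG_LOCAL_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")  # LLMNR IPv4 multicast group

def parse_events(text):
    """Split the flat dump into one dict per event; each 'Mode =' line starts one."""
    events = []
    for line in text.splitlines():
        m = re.match(r"\s*([^=]+?)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Mode":
            events.append({})
        if events:
            events[-1][key] = value
    return events

def classify(event):
    """Report whether the event's local address can match an IP-range CAG, and why."""
    local = ipaddress.ip_address(event["Local ip addr"])
    is_llmnr = event.get("Ip protocol") == "17" and event.get("Dest port") == "5355"
    if local.is_multicast:
        # The stack logs the multicast group as the local address, so a host IP range never matches.
        why = ("LLMNR query: local addr is 224.0.0.252, not the host IP"
               if is_llmnr and local == LLMNR_GROUP else "multicast local address")
        return {"matches_cag": False, "reason": why}
    in_cag = any(local in net for net in CAG_LOCAL_NETWORKS)
    return {"matches_cag": in_cag, "reason": "unicast local address checked against CAG ranges"}
```

Running `classify` over `parse_events(SAMPLE_LOG)` marks the first event as unmatched because of the LLMNR group address and the second as matched by the CAG range.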
I am seeing this also. Have you come up with a resolution yet?
I also have a HIPS Firewall Connection Aware Group (CAG) set up to activate by our internal DNS servers. I have the following LLMNR rules set up and we've not experienced any issues, so far. These rules took a lot of tuning after running things in Adaptive Mode for a few months.
Good luck...