bob325
Level 7
Message 1 of 6

Need help to allow webserver application / blocks by hips

Hi Team,

I am quite new with HIPS and have HIPS 8.0 p2 blocking the webserver application since it has been installed. I need help how to allow webserver from port . My firewall policy allows these ports but still blocking.

Event logs show the error below:

7 1398318382 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318382 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318383 10.98.8.49   2048 6 10.98.x.xx xx 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318388 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318388 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318389 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318390 FE80:0000:0000:0000:41A0:2A59:3F44:9E99  1a8d1d59-10d7-4ffd-b9ee-0a3445a5f739 34525 58 FF02:0000:0000:0000:0000:0000:0000:0001 136 FE80:0000:0000:0000:41A0:2A59:3F44:9E9

Firesvc.logs

4/24/2014 07:47:42 HipPolicyMgr.cpp[790] VERBOSE  (4692) << hpm_FreeConfig() - result = 1.

04/24/2014 07:47:42 FireCore.cpp[3587] VERBOSE  (4692) handleNotificationEventLog() - About to log msg. isNipsEvent = false, isNipsTrustedNetwork = false, isIpSpoofEvent = false, isTrustedSourceEvent = false, action = FW_ACTION_BLOCK_PACKET, is allow action = false, is block action = true, want allowed events = false, want blocked events = true, rule treated as intrusion = false, rule is null = true, rule client id = null rule, rule name = null rule, rule has log matching traffic set = false, logging due to def policy action = true.

04/24/2014 07:47:42 FireCore.cpp[5962] VERBOSE  (4692) handleNotificationEventLog() - traffic event received:

Mode = traffic

Process id = 0

Event type = FW_LOG_EVENT_TYPE_TRAFFIC

Direction = FW_DIRECTION_INBOUND

Action = FW_ACTION_BLOCK_PACKET

Source port = 68

Dest port = 67

Ip protocol = 17

Ethernet type = 0x800

Process path =

Local ip addr = 255.255.255.255

Remote ip addr = 10.98.xx.xx

Source MAC = fc-15-b4-e7-ce-96-00-00

Dest MAC = ff-ff-ff-ff-ff-ff-00-00

04/24/2014 07:47:42 FireCore.cpp[2593] VERBOSE  (4692) internalHandleNotification() - ignoring non-hip PP notification.

04/24/2014 07:47:42 FireCore.cpp[2543] VERBOSE  (4692) << handleNotification() - result = 1.

04/24/2014 07:47:42 MAINWRK[584] INFO     Queue signaled

04/24/2014 07:47:42 MAINWRK[620] VERBOSE  >> processQueue

04/24/2014 07:47:42 MAINWRK[639] INFO     Got PGPnetMessageRuleLog

04/24/2014 07:47:42 APPLOG  [1485] VERBOSE  RULE <unknown> BLOCKED PID 0 ETHERNET TYPE 0x800 PROTO 17 255.255.255.255 67 <-- 10.98.6.xx. xx. Block All Traffic

04/24/2014 07:47:42 HipPolicyMgr.cpp[220] VERBOSE  (4220) >> hpm_GetBlockedHosts().

04/24/2014 07:47:42 HipPolicyMgr.cpp[225] VERBOSE  (4220) << hpm_GetBlockedHosts() - result = 1.

04/24/2014 07:47:42 HipPolicyMgr.cpp[785] VERBOSE  (4220) >> hpm_FreeConfig().

04/24/2014 07:47:42 HipPolicyMgr.cpp[790] VERBOSE  (4220) << hpm_FreeConfig() - result

My firewall policy for help,

firewall policy.png

Thanks 

BOB

5 Replies
Reliable Contributor greatscott
Message 2 of 6

Re: Need help to allow webserver application / blocks by hips

Probably need to expand both the Basic Networking group, and Web/FTP group to see what's inside. The firewall blocks you show at the top are related to port 80, but the block you list out toward the bottom looks like bootp, which should theoretically be included in your basic networking rule.

McAfee Employee ktankink
Message 3 of 6

Re: Need help to allow webserver application / blocks by hips

My firewall policy allows these ports but still blocking.

Please point out which specific firewall rule in your policy is supposed to allow this traffic. This way you can compare the blocked traffic to the "Allow" rule.

7 1398318382 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318382 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318383 10.98.8.49   2048 6 10.98.x.xx xx 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318388 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318388 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

7 1398318389 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

If there isn't one, you'll need to create a new Firewall rule.

bob325
Level 7
Message 4 of 6

Re: Need help to allow webserver application / blocks by hips

Hi Great Scott,

Thanks for your feedback, below is my firewall policy expanded as requested. Please advise from where the firewall is blocking this traffic and how I can create the policy.

Thanks

fire.pol2.png

BOB

bob325
Level 7
Message 5 of 6

Re: Need help to allow webserver application / blocks by hips

Thanks Kary for the feedback,

I am trying to understand from which policy this traffic is blocked. I have posted again my firewall policy expanded as requested by GreatScott for more advice. I have activated adaptive mode to see which rule is created, but I'm unable to find the rules created dynamically by adaptive mode and add them into my policy. Could you please advise which port to allow on which policy?

Please Adaptive mode events

Adptive  mode.png

Thanks 

BOB

dcobes
Level 9
Message 6 of 6

Re: Need help to allow webserver application / blocks by hips

If I'm understanding your need, the firewall rule you need would look like

Name: Allow TCP/80 ZendCE

Action: Allow

Direction: In

Local Address: <ip or fqdn of webserver>

Remote Address: <ip or fqdn of systems to connect to webserver> *only if you need to lock this down

Protocol: TCP -> Local Port 80 (http)

Application: C:\Webserver\ZendCE\Apache2\bin\httpd.exe

-d
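
An added example (not part of any post in this thread, and not McAfee code) of the comparison suggested earlier in the thread: it parses block events shaped like the ones posted and checks each against the protocol, local port and application of the proposed allow rule. The field layout is an assumption inferred from the values in the posted lines, the remote address 192.0.2.10 is a constructed placeholder for the redacted one, and direction is not checked because the posted lines do not label it.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the block events posted above; the
# redacted remote address is replaced by a documentation address.
SAMPLE = r"""
7 1398318382 10.98.8.49   2048 6 192.0.2.10 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic
7 1398318383 10.98.8.49   2048 6 192.0.2.10 80 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic
"""
IP_PROTO = {6: "TCP", 17: "UDP"}
# Candidate allow rule: protocol, local port and application from the thread.
RULE = {"proto": "TCP", "local_port": 80,
        "app": r"C:\Webserver\ZendCE\Apache2\bin\httpd.exe"}

def parse_event(line):
    """Assumed layout: type, epoch, host, ethertype, IP protocol, two
    address/port pairs, three numbers, application path, rule name."""
    f = line.split(None, 12)
    host = ipaddress.ip_address(f[2])
    ends = [(ipaddress.ip_address(f[5]), int(f[6])),
            (ipaddress.ip_address(f[7]), int(f[8]))]
    # The endpoint whose address equals the reporting host is the local side.
    local = next((e for e in ends if e[0] == host), None)
    if local is None:
        raise ValueError("neither endpoint is the reporting host")
    remote = ends[1] if local is ends[0] else ends[0]
    app, rule_name = re.match(r"(.+?\.exe)\s+(.*)", f[12]).groups()
    return {"time": datetime.fromtimestamp(int(f[1]), tz=timezone.utc),
            "proto": IP_PROTO.get(int(f[4]), f[4]),
            "local": local, "remote": remote, "app": app, "hit": rule_name}

def rule_covers(ev, rule):
    """True if the event's protocol, local port and application fit the rule."""
    return (ev["proto"] == rule["proto"]
            and ev["local"][1] == rule["local_port"]
            and ev["app"].lower() == rule["app"].lower())

def review(text, rule=RULE):
    """Return (time, local port, remote port, covered) per blocked event."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ev = parse_event(line)
        rows.append((ev["time"].isoformat(), ev["local"][1],
                     ev["remote"][1], rule_covers(ev, rule)))
    return rows

if __name__ == "__main__":
    for row in review(SAMPLE):
        print("time=%s local_port=%d remote_port=%d covered=%s" % row)
```

Under the assumed layout, the rows show which side of each blocked connection holds port 80, which is the detail to confirm before deciding the local and remote port fields of an allow rule.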