clath13
Level 9

Seeing traffic from webgateways in ProxyHA to 255.255.255.255


Good morning,

So my IDS is unhappy. It keeps seeing traffic from the 2 web gateways I have in ProxyHA mode to 255.255.255.255 using the protocol 253 which, according to IANA, is a protocol used for testing. So the Source is one of my Web Gateways and the Destination is 255.255.255.255 using Protocol 253. I'm talking LOTS of traffic - 150k+ alerts since last week. I've perused the Best Practices guide for ProxyHA but can't find any reference to this traffic, just the multicast packet to 224.0.0.18. It appears the traffic to 255.255.255.255 occurs around the same time as the traffic to 224.0.0.18. I found a post - - that discusses it but doesn't really say how to stop it. I have a bond0 interface with a static IP configured, the 1st interface that makes up the bond has its IP configured as static (same IP as the bond) and the other as obtain automatically (DHCP). Should both interfaces be set to DHCP with just the bond interface configured statically? Or does this have nothing to do with the traffic I'm seeing?

Thanks,

Claire

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Seeing traffic from webgateways in ProxyHA to 255.255.255.255


Hi Claire,

A number of topics to cover here...

This makes sense. Protocol 253 is used by our McAfee Network Driver (aka MFEND). This is used to determine what nodes are available for load distribution. So if another MWG in the network comes online, we will add it to the ProxyHA cluster.

We also use VRRP for determining ownership of the VIP (for failover).

As for the interface-related questions, in general I would advise disabling any interfaces that are not in use. It wouldn't be good if somehow the interface picked up an IP.

Best Regards,

Jon

0 Kudos
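One way to tune the IDS for the traffic described in this answer, as an added example that is not part of the original thread or McAfee's own code: suppress protocol 253 to 255.255.255.255 and VRRP (IP protocol 112) to 224.0.0.18 only when the source is a known gateway, and keep alerting on the same traffic from anywhere else. The gateway addresses, labels and sample headers are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: the two ProxyHA gateway addresses (constructed, RFC 5737 range).
GATEWAYS = {ipaddress.ip_address("192.0.2.11"), ipaddress.ip_address("192.0.2.12")}

# (IP protocol number, destination) pairs the thread attributes to ProxyHA.
EXPECTED = {
    (253, ipaddress.ip_address("255.255.255.255")): "MFEND node discovery",
    (112, ipaddress.ip_address("224.0.0.18")): "VRRP VIP ownership",
}
HA_PROTOCOLS = {proto for proto, _ in EXPECTED}


def parse_ipv4(header: bytes):
    """Return (protocol, src, dst) from a raw IPv4 header, or raise ValueError."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4 or (header[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    src, dst = struct.unpack("!4s4s", header[12:20])
    return header[9], ipaddress.ip_address(src), ipaddress.ip_address(dst)


def triage(header: bytes) -> str:
    """Classify one packet as 'suppress: ...', 'alert: ...' or 'ignore'."""
    try:
        proto, src, dst = parse_ipv4(header)
    except ValueError:
        return "alert: malformed header"
    label = EXPECTED.get((proto, dst))
    if label and src in GATEWAYS:
        return f"suppress: {label} from gateway {src}"
    if proto in HA_PROTOCOLS:
        # Same protocol numbers, but wrong source or wrong destination.
        return f"alert: unexpected protocol {proto} traffic {src} -> {dst}"
    return "ignore"


def make_header(proto: int, src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    for sample in [(253, "192.0.2.11", "255.255.255.255"),
                   (112, "192.0.2.12", "224.0.0.18"),
                   (253, "192.0.2.50", "255.255.255.255")]:
        print(triage(make_header(*sample)))
```

Scoping the suppression to the gateway source addresses keeps the 150k+ expected alerts out of the queue without hiding protocol 253 traffic from other hosts.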
2 Replies
clath13
Level 9

Re: Seeing traffic from webgateways in ProxyHA to 255.255.255.255


Hi Jon,

So I think what I hear you saying is only the Bond Interface should be checked and the 2 interfaces that make up the bond should be unchecked, correct?  Like this:

Thanks,

Claire

0 Kudos