I have HIPS 8 (firewall only) deployed in a small disconnected network and the HIPS client is not functioning as expected. I have a rule set up to allow all outbound traffic from clients (any protocol type, any media) - however, some client logs are showing that outbound traffic is erroneously blocked. The client log is showing the traffic as INBOUND for some reason.
For example, on a workstation with IP 192.168.1.100, it shows inbound traffic being blocked, even though the SOURCE IP address is 192.168.1.100 (its own address).
I have used the same build of HIPS 8 on several other small disconnected networks without this problem. I have already tried uninstalling and reinstalling the product with no success.
Has anyone ever seen this issue or have ideas to remedy?
Is your Loopback rule turned on? I know there was an issue previously where the firewall would malfunction if this wasn't turned on.
It is worth a shot.
Message was edited by: greatscott on 1/15/13 8:15:06 AM CST
I did see that KB article...I will try that rule - although the address that is showing up in the log is not the loopback address (127.0.0.1), but the actual IP address of the machines adapters.
Edit: loopback rule allows 127.0.0.1 and ::1, so it did not work to enable this rule.
Message was edited by: bluesolider007 on 1/15/13 9:05:02 AM CST
Update: this issue is somehow being caused by the Rogue System Detector - after I removed the RSD sensor (edit: or simply stopped the RSD service) the problem disappears. Has anyone ever seen this behavior with RSD and HIPS?
Message was edited by: bluesolider007 on 1/15/13 1:21:29 PM CST
I have not heard of this issue. Do you mind installing the RSD sensor on another system, and seeing if the blocks still occur?
Same issue exists on another system - same version/build of HIPS and RSD. This issue has been escalted to Tier II support at McAfee but I have not heard anything back all week.
i have also opened a service with McAfee about this issue. can anyone give me the exact KB article number? i can' t seem to find it
There is no KB that fixed the issue for me. McAfee Tier III support ended up giving me a Proof of Concept (POC) patch that resolved the issue after I provided them with detailed MER and Wireshark logs. The POC they gave me is not deployable via ePO so I am waiting for them to provide a deployable copy. I am not sure what the McAfee schedule for releasing this patch to world would be.
Edit: sorry, were you asking about the loopback rule? It is a built-in rule that will allow traffic on teh IPv4 (127.0.0.1) or IPv6(::1) loopback interface. If you are seeing inbound traffic from 127.0.0.1 or 0000:0000:0000.....0000:0001 being blocked then enable the rule in the FW Rules policy being appled to your machine to see if it fixes it. If you are seeing outbound traffic from the local IP being blocked as outbound, there is no KB for that.
Message was edited by: bluesolider007 on 1/31/13 1:52:49 PM CST