Moved to HIPs for better attention.
Our HIPS 7 is blocking all incoming connections after switching from network / network card.
Does this still happen if the HIPS Firewall is disabled? It might be a firewall rule issue.
On a regular base, not always, the firewall allows all traffic out (like a rules tells it to) but blocks the answers coming from the remote systems.
It seems it is not acting state full.
We've seen this issue before and typically it's caused by a return packet for a connection that is already closed. Are you seeing any issues due to this blocked incoming traffic?
The issues you see might be configuration issues, but if possible, I would suggest upgrading to HIPS 8.0 Patch 2 Hotfix 803520 and retesting.
Sorry for the repsonse delay.
No, the issues vanish when HIPS is disabled and yes, it seems all incoming traffic is blocked.
Other strange part in here is that is seems in the logging that f.e. the ping reply comes before the request. To avoid a 'wrong' rule my client is back to 6 rules.
1 block for possible virus/worm on specific ports
1 allow all protocols outbound
4 rules explicitly allowing inbound on vnc, rdp, echo request, ms-ds (all tcp) and inbond dns (udp)
1 rule allow all inbound from out datacenter networks
Attached the image of the fw log. First cleared log then started an outbound ping to my router. First you see the incoming ICMP then the outbond.
Seems to me this is in the wrong order.
There have been issues we've seen with log events occurring in the HIPS Activity log (out of sequence logging, reset packets causing BLOCKs before ALLOWs, etc.)
If you're still having an issue, I would suggest opening a Service Request with McAfee Support to have it looked at further. Have you tested HIPS 8.0 in this environment to see if it still has the issue? There have been firewall architecture changes that might affect the issues you are seeing.
Not yet tested 8.0.
I will if we have it present for (test) deployment. Might take some days for the next response on this thouhg. Issues are not consistent nor can we simulation them. They just occur.
Since HIPS firewall works as a adaptive routing technique, i would recommend you to look the HIPS rules once again that you have created, if TCP/IP blocked is the first rule in your firewall rule, it will block all the traffice even if you have a created a rule after it.
If problem still persist let me know if it's happening on all the systems on which you have applied the same policy.
Thanks for your answer.
The issue seems to appear (show itself) only on the HP 8470p and HP8570w (70-series).
It happes with a rule list of > 80 rules and with a cleaned-up list of 6 rules. (major clean-up but it might be more in the end).
If I look at our lenovo or even the HP 60-series the issue does not show.
Only thing different seems the model name and with that a faster processor.
So regardless of the policy is happens although a lot less when having the 6 rules activated instead of the 80+ list.
If HIPS service is disabled it works ok.