5 Replies. Latest reply: May 7, 2014 11:48 AM by dcobes

    Need help to allow webserver application / blocks by HIPS

    bob325

      Hi Team,

      I am quite new to HIPS and have HIPS 8.0 P2 blocking the webserver application since it was installed. I need help with how to allow the webserver from port . My firewall policy allows these ports but it is still blocking.

      The event log shows the error below:

       

      7 1398318382 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

      7 1398318382 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

      7 1398318383 10.98.8.49   2048 6 10.98.x.xx xx 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

      7 1398318388 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

      7 1398318388 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

      7 1398318389 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

      7 1398318390 FE80:0000:0000:0000:41A0:2A59:3F44:9E99  1a8d1d59-10d7-4ffd-b9ee-0a3445a5f739 34525 58 FF02:0000:0000:0000:0000:0000:0000:0001 136 FE80:0000:0000:0000:41A0:2A59:3F44:9E9

       

       

      Firesvc.logs

       

      4/24/2014 07:47:42 HipPolicyMgr.cpp[790] VERBOSE  (4692) << hpm_FreeConfig() - result = 1.

      04/24/2014 07:47:42 FireCore.cpp[3587] VERBOSE  (4692) handleNotificationEventLog() - About to log msg. isNipsEvent = false, isNipsTrustedNetwork = false, isIpSpoofEvent = false, isTrustedSourceEvent = false, action = FW_ACTION_BLOCK_PACKET, is allow action = false, is block action = true, want allowed events = false, want blocked events = true, rule treated as intrusion = false, rule is null = true, rule client id = null rule, rule name = null rule, rule has log matching traffic set = false, logging due to def policy action = true.

      04/24/2014 07:47:42 FireCore.cpp[5962] VERBOSE  (4692) handleNotificationEventLog() - traffic event received:

      Mode = traffic

      Process id = 0

      Event type = FW_LOG_EVENT_TYPE_TRAFFIC

      Direction = FW_DIRECTION_INBOUND

      Action = FW_ACTION_BLOCK_PACKET

      Source port = 68

      Dest port = 67

      Ip protocol = 17

      Ethernet type = 0x800

      Process path =

      Local ip addr = 255.255.255.255

      Remote ip addr = 10.98.xx.xx

      Source MAC = fc-15-b4-e7-ce-96-00-00

      Dest MAC = ff-ff-ff-ff-ff-ff-00-00

      04/24/2014 07:47:42 FireCore.cpp[2593] VERBOSE  (4692) internalHandleNotification() - ignoring non-hip PP notification.

      04/24/2014 07:47:42 FireCore.cpp[2543] VERBOSE  (4692) << handleNotification() - result = 1.

      04/24/2014 07:47:42 MAINWRK[584] INFO     Queue signaled

      04/24/2014 07:47:42 MAINWRK[620] VERBOSE  >> processQueue

      04/24/2014 07:47:42 MAINWRK[639] INFO     Got PGPnetMessageRuleLog

      04/24/2014 07:47:42 APPLOG  [1485] VERBOSE  RULE <unknown> BLOCKED PID 0 ETHERNET TYPE 0x800 PROTO 17 255.255.255.255 67 <-- 10.98.6.xx. xx. Block All Traffic

      04/24/2014 07:47:42 HipPolicyMgr.cpp[220] VERBOSE  (4220) >> hpm_GetBlockedHosts().

      04/24/2014 07:47:42 HipPolicyMgr.cpp[225] VERBOSE  (4220) << hpm_GetBlockedHosts() - result = 1.

      04/24/2014 07:47:42 HipPolicyMgr.cpp[785] VERBOSE  (4220) >> hpm_FreeConfig().

      04/24/2014 07:47:42 HipPolicyMgr.cpp[790] VERBOSE  (4220) << hpm_FreeConfig() - result

       

       

      My firewall policy, for help:

       

      firewall policy.png

      Thanks 

       

      BOB

        • 1. Re: Need help to allow webserver application / blocks by HIPS
          greatscott

          Probably need to expand both the Basic Networking group and the Web/FTP group to see what's inside. The firewall blocks you show at the top are related to port 80, but the block you list out toward the bottom looks like bootp, which should theoretically be included in your basic networking rule.

          • 2. Re: Need help to allow webserver application / blocks by HIPS
            Kary Tankink

            My firewall policy allows these ports but it is still blocking.

             

            Please point out which specific firewall rule in your policy is supposed to allow this traffic?  This way you can compare the blocked traffic to the "Allow" rule.

             

             

            7 1398318382 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

            7 1398318382 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

            7 1398318383 10.98.8.49   2048 6 10.98.x.xx xx 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

            7 1398318388 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33521 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

            7 1398318388 10.98.8.49   2048 6 10.98.xx.xx  80 10.98.8.49 33522 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

            7 1398318389 10.98.8.49   2048 6 10.98.xx.xx 80 10.98.8.49 33523 1 0 1620 C:\Webserver\ZendCE\Apache2\bin\httpd.exe Block All Traffic

             

             

            If there isn't one, you'll need to create a new Firewall rule.

            • 3. Re: Need help to allow webserver application / blocks by HIPS
              bob325

              Hi Great Scott,

              Thanks for your feedback. Below is my firewall policy, expanded as requested. Please advise where the firewall is blocking this traffic and how I can create the policy.

               

              Thanks fire.pol2.png

               

              BOB

              • 4. Re: Need help to allow webserver application / blocks by HIPS
                bob325

                Thanks Kary for the feedback,

                I am trying to understand from which policy this traffic is blocked. I have posted again my firewall policy, expanded as requested by GreatScott, for more advice. I have activated adaptive mode to see which rule is created, but I'm unable to find the rules created dynamically by adaptive mode and add them into my policy. Could you please advise which port to allow on which policy?

                Please see the Adaptive mode events

                 

                Adptive  mode.png

                Thanks 

                BOB

                • 5. Re: Need help to allow webserver application / blocks by HIPS
                  dcobes

                  If I'm understanding your need, the firewall rule you need would look like

                   

                  Name: Allow TCP/80 ZendCE

                  Action: Allow

                  Direction: In

                  Local Address: <ip or fqdn of webserver>

                  Remote Address: <ip or fqdn of systems to connect to webserver> *only if you need to lock this down

                  Protocol: TCP -> Local Port 80 (http)

                  Application: C:\Webserver\ZendCE\Apache2\bin\httpd.exe

                   

                   

                  -d
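
The comparison Kary Tankink asks for (blocked traffic against the "Allow" rule), as an added example that is not part of the original thread and not the product's own matching logic. The field names come from the Firesvc "traffic event received" block posted above; the `RULE` dictionary, the constructed HTTP event and the mapping of "Local port" to `Dest port` for inbound traffic are assumptions.

```python
import re

# The rule from the last reply as a dict (simplified model, not the HIPS rule engine).
RULE = {
    "Direction": "FW_DIRECTION_INBOUND",
    "Ip protocol": "6",  # 6 = TCP, 17 = UDP
    "Local port": "80",
    "Process path": r"C:\Webserver\ZendCE\Apache2\bin\httpd.exe",
}

# Fields copied from the blocked event in the first post.
BOOTP_EVENT = r"""
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 68
Dest port = 67
Ip protocol = 17
Process path =
"""

# Constructed sample: an inbound HTTP request to the web server.
HTTP_EVENT = r"""
Direction = FW_DIRECTION_INBOUND
Source port = 33521
Dest port = 80
Ip protocol = 6
Process path = c:\webserver\zendce\apache2\bin\httpd.exe
"""

def parse_event(text):
    """Parse the 'Key = value' lines of a traffic event block into a dict."""
    event = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$", line)
        if m:
            event[m.group(1)] = m.group(2)
    return event

def mismatches(event, rule=RULE):
    """Return (field, wanted, got) for each rule field the event fails; [] means a match."""
    inbound = event.get("Direction") == "FW_DIRECTION_INBOUND"
    # Assumption: the local port is the destination port for inbound traffic.
    local = event.get("Dest port" if inbound else "Source port", "")
    seen = {**event, "Local port": local}
    bad = []
    for field, want in rule.items():
        got = seen.get(field, "")
        # Windows paths compare case-insensitively; other fields compare exactly.
        same = got.lower() == want.lower() if field == "Process path" else got == want
        if not same:
            bad.append((field, want, got))
    return bad
```

An empty result means every field of the rule lines up with the event; for the bootp block it lists protocol, port and process, which is why a TCP/80 rule for `httpd.exe` does not cover it.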