I mean should we do something on the switch or the router to avoid that?
You should modify the McAfee HIPS Firewall Rules policy to permit bootp.
This is incoming DHCP traffic. The only system that needs to allow this traffic incoming is the DHCP server (if HIPS is installed on it). Blocking it on all other clients shouldn't cause any issues (since they don't need to respond to DHCP requests). Even if you did allow it, the traffic would be in the LOG ALL ALLOWED section of the logs (if enabled).
There isn't a way to get rid of it in HIPS (you can't configure HIPS to NOT log the traffic, especially if you use the LOG ALL ALLOWED/BLOCKED logging options).
Thanks Kary for your helpful answer. It is really annoying, especially while troubleshooting something. I may allow the traffic as greatscott suggested; I hope there is no risk in allowing the UDP bootpc.
I as well am tired of seeing this in my HIPS agents. Did you make a support case to see what could be done about it?
I've started a case with McAfee regarding this and we were able to create a policy to allow the traffic so it does not show in the blocked logs. As mentioned, though, it will still show in the Allowed logs if you have that enabled.
- Create a new rule
- Description Page
  - Action = Allow
  - Log matching traffic = unchecked
  - Direction = Either
- Network Options Page
  - Select Any Protocol
- Transport Page
  - Protocol = UDP
  - Local Service = 67,68
  - Remote Service = 67,68
We went through a variety of rules trying to be more granular but none of them worked and in the end this was the only one that worked.
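To make the scope of that rule concrete, here is a small Python matcher (an added example, not code from this thread or from McAfee) that applies the rule's conditions to firewall events and shows which ones it would keep out of the blocked log. The event record format is a constructed simplification, not the real HIPS log format.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, simplified event record; NOT McAfee HIPS's actual log format.
@dataclass(frozen=True)
class FwEvent:
    proto: str        # transport protocol, e.g. "UDP" or "TCP"
    direction: str    # "in" or "out" relative to the host running HIPS
    local_port: int   # port on the HIPS host
    remote_port: int  # port on the peer
    note: str         # human-readable label for the sample; not used in matching

# Ports from the rule in the thread: Local Service = 67,68 and Remote Service = 67,68.
BOOTP_PORTS = frozenset({67, 68})

def matches_bootp_rule(ev: FwEvent) -> bool:
    """True if the event falls under the allow/no-log rule:
    Protocol = UDP, Direction = Either, local AND remote port both in {67, 68}."""
    return (ev.proto.upper() == "UDP"
            and ev.direction in ("in", "out")      # "Either" covers both directions
            and ev.local_port in BOOTP_PORTS
            and ev.remote_port in BOOTP_PORTS)

def split_events(events: List[FwEvent]) -> Tuple[List[FwEvent], List[FwEvent]]:
    """Return (suppressed, still_logged): suppressed events are those the rule
    allows without logging, so they disappear from the blocked log."""
    suppressed = [e for e in events if matches_bootp_rule(e)]
    still_logged = [e for e in events if not matches_bootp_rule(e)]
    return suppressed, still_logged

# Constructed sample events, as a client workstation on a busy LAN might record them.
SAMPLE_EVENTS = [
    FwEvent("UDP", "in", 67, 68, "DHCP DISCOVER broadcast from another client"),
    FwEvent("UDP", "in", 68, 67, "DHCP OFFER/ACK from the DHCP server"),
    FwEvent("UDP", "out", 68, 67, "DHCP REQUEST sent by this host"),
    FwEvent("UDP", "in", 67, 67, "DHCP relay-agent traffic (server port on both ends)"),
    FwEvent("TCP", "in", 67, 68, "TCP on 67/68 is not bootp; rule does not apply"),
    FwEvent("UDP", "in", 137, 137, "NetBIOS name service broadcast; still logged"),
    FwEvent("UDP", "in", 68, 53, "UDP to 68 from a DNS source port; remote port not 67/68"),
]

if __name__ == "__main__":
    suppressed, still_logged = split_events(SAMPLE_EVENTS)
    for ev in suppressed:
        print("suppressed :", ev.note)
    for ev in still_logged:
        print("still logged:", ev.note)
```

Note that the rule is keyed only on protocol and ports in both directions; it does not scope by remote address, which matches the thread's report that more granular variants did not work.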