2 Replies Latest reply on Oct 10, 2014 8:07 AM by fitchsoccer342

    How to permit UDP port traffic in HIPS 8


      Hi Team,


      One of my internal applications is blocked by HIPS, but the logs show only blocked incoming UDP on Bootps ports 67 and 68. The default rules already allow these ports, but I am still seeing the error below in the logs. Could you please advise how to proceed with this error? Adaptive Mode was enabled, but I still have the issue. The Allow bootp rule is attached.


      0/09/2014 11:18:12 FireCore.cpp[6131] VERBOSE  (3228) handleNotificationEventLog() - traffic event received:

      Mode = traffic

      Process id = 0

      Event type = FW_LOG_EVENT_TYPE_TRAFFIC

      Direction = FW_DIRECTION_INBOUND


      Source port = 68

      Dest port = 67

      Ip protocol = 17

      Ethernet type = 0x800

      Process path =

      Local ip addr =

      Remote ip addr = 10.xx.xx.xx

      Source MAC = 00-9c-02-1a-67-9e-00-00

      Dest MAC = ff-ff-ff-ff-ff-ff-00-00

      10/09/2014 11:18:12 FireCore.cpp[2627] VERBOSE  (3228) internalHandleNotification() - ignoring non-hip PP notification.

      10/09/2014 11:18:12 APPLOG  [1876] VERBOSE  RULE <unknown> BLOCKED PID 0 ETHERNET TYPE 0x800 PROTO 17 67 <-- 10.xx.0.xx.  Block All Traffic

      10/09/2014 11:18:12 MAINWRK[813] VERBOSE  << (2416) processQueue


      bootp rule.png


      Any advice will be welcome.





        • 1. Re: How to permit UDP port traffic in HIPS 8



          This rule allows outgoing BOOTP traffic, and the logs show that incoming BOOTP traffic is filtered. I currently don't have a HIPS installation at hand, so I cannot give you exact guidance, but you should be good if you additionally allow incoming BOOTP traffic (switch direction and local/remote service port).
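
The direction mismatch described in reply 1, as an added example that is not part of the original thread and is not HIPS code: it parses a traffic event in the format quoted in the question and checks it against two rules. The rule dictionaries and the equality matcher are hypothetical simplifications, and the sample event is constructed from the fields shown in the log.

```python
import re

# Constructed sample in the "Key = value" format of the traffic event quoted in the question.
SAMPLE_LOG = """\
Mode = traffic
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Source port = 68
Dest port = 67
Ip protocol = 17
Ethernet type = 0x800
Process path =
Remote ip addr = 10.xx.xx.xx
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(.*?)\s*$")

def parse_event(text):
    """Turn 'Key = value' lines into a dict with lower-cased keys; empty values are kept."""
    event = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            event[m.group(1).lower()] = m.group(2)
    return event

def local_remote(event):
    """Map packet source/dest ports to the local/remote view a host firewall rule uses."""
    inbound = event["direction"].endswith("INBOUND")
    src, dst = int(event["source port"]), int(event["dest port"])
    # Inbound: the packet's destination port is the local one. Outbound: the source port is.
    local, remote = (dst, src) if inbound else (src, dst)
    return {"direction": "in" if inbound else "out",
            "protocol": int(event["ip protocol"]), "local": local, "remote": remote}

def rule_matches(rule, flow):
    """Simplified matcher (assumption, not the real HIPS engine): all four fields must be equal."""
    return all(rule[k] == flow[k] for k in ("direction", "protocol", "local", "remote"))

# Hypothetical rules: an outbound-only BOOTP rule, and the same rule with direction and ports switched.
OUTBOUND_BOOTP = {"direction": "out", "protocol": 17, "local": 68, "remote": 67}
INBOUND_BOOTP = {"direction": "in", "protocol": 17, "local": 67, "remote": 68}

if __name__ == "__main__":
    flow = local_remote(parse_event(SAMPLE_LOG))
    print("flow:", flow)
    print("outbound rule matches:", rule_matches(OUTBOUND_BOOTP, flow))
    print("inbound rule matches:", rule_matches(INBOUND_BOOTP, flow))
```
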




          • 2. Re: How to permit UDP port traffic in HIPS 8

            Just to throw it out there, if this is an internal application, do you have a CAG (connection aware group) set up? Basically, you can set up a location rule within your table that will allow any/any but ONLY if the specified machine matches defined criteria of either DNS/DHCP/Gateway/etc. server. That makes it a lot easier for internal servers, as you don't need to create specific rules like you are. Just a thought.