3 Replies Latest reply on Jul 7, 2015 5:20 PM by Kary Tankink

    HIPS 8 FW blocking VMDIRD.EXE

    ninjaneer68

Within the VMware 5.5 vSphere server, the HIPS FW is blocking VMDIRD.exe from starting during a reboot, or it takes about 40-60 minutes for it to start. I can see in the HIPS FW logs that it is being blocked. I am having trouble trying to figure out the FW rule to allow the service to start without any issues.

       

Has anyone else seen this, or can anyone assist with what they did to get the rule to stop interfering with the start-up of this service?

       

      Below is what I am seeing in the logs

       

      Time: 6/23/2015 3:10:09 AM
      Event: Traffic
      IP Address/User: 127.0.0.1
      Description: VMware Directory Service (vmdird)
      Path: D:\Program Files\VMware\Infrastructure\VMware\cis\vmdird\vmdird.exe
      Message: Blocked Incoming TCP -  Source 127.0.0.1 :  (60054)  Destination 127.0.0.171 :  (50001)
Matched Rule: vCenter CAG/LAG Rules
        • 1. Re: HIPS 8 FW blocking VMDIRD.EXE
          ninjaneer68

After looking at the FW rule set for the vCenter, I had the below entries set to allow for loopback:

           

          local networks

          ::1

          127.0.0.1

          127.0.0.1/8

           

I didn't have anything set for local loopback on the remote network side within the FW rule. I went and edited the rule, and for the remote network within the allow loopback rule, I added the above, but within the remote network.

           

Restarted the vSphere server, and the VMDIRD service stopped hanging.

           

When the rule talks about the remote networks, I take it that for the rule the destination is the IP the application is attempting to reach, and it doesn't matter whether it's local to the box or not?

          • 2. Re: HIPS 8 FW blocking VMDIRD.EXE
            c14us

            Hi

             

The loopback rules were removed from HIPS in one of the older SPs (SP2 I think). If you need them (most will), you need to create them yourself (as you just did).

             

            Regards

            Claus

            • 3. Re: HIPS 8 FW blocking VMDIRD.EXE
              Kary Tankink

For your reference, see below.  It is suggested to have the ALLOW LOOPBACK rule at the top of the firewall rule policy.  You will also need to modify it for non-standard 127.x.x.x IP addresses, if needed, as the blocked network traffic example you posted above shows.

               

              KB71230 - Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled
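Added example (not part of this thread or of any McAfee/VMware code): a small Python model of how a loopback allow rule is matched against the blocked traffic line from the first post, illustrating both reply 1 (the remote-network side of the rule must also cover loopback) and reply 3 (a rule that only lists 127.0.0.1 misses the non-standard loopback address 127.0.0.171 that vmdird is using). The rule semantics are assumptions for illustration: the "local" side is taken to be this host's own address (the destination for incoming traffic, the source for outgoing), an empty address list means "any", the first matching rule wins, and traffic matching no rule is blocked. The log line is the one from the post, re-typed here as sample input.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the "Message:" line from the original post.
SAMPLE_LOG = ("Message: Blocked Incoming TCP -  Source 127.0.0.1 :  (60054)  "
              "Destination 127.0.0.171 :  (50001)")

LOG_RE = re.compile(
    r"(?P<action>Blocked|Allowed)\s+(?P<direction>Incoming|Outgoing)\s+(?P<proto>\w+)\s+-\s+"
    r"Source\s+(?P<src>[\d.:a-fA-F]+)\s*:\s*\((?P<sport>\d+)\)\s+"
    r"Destination\s+(?P<dst>[\d.:a-fA-F]+)\s*:\s*\((?P<dport>\d+)\)"
)


def parse_traffic_message(line):
    """Pull action, direction, protocol, addresses and ports out of a HIPS traffic line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a HIPS traffic message: %r" % line)
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def to_network(spec):
    """Turn a rule address entry (host or CIDR) into a network object.

    A CIDR written with host bits set, like the "127.0.0.1/8" in reply 1, is
    normalised to its network (127.0.0.0/8). This is an assumption about how
    the product would treat such an entry, not documented HIPS behaviour.
    """
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "block"
    local: list = field(default_factory=list)    # address entries for the local side
    remote: list = field(default_factory=list)   # address entries for the remote side

    @staticmethod
    def _side_matches(entries, ip):
        if not entries:                          # assumed: no entries means "any"
            return True
        addr = ipaddress.ip_address(ip)
        # "in" is False for mismatched IP versions, so ::1 and 127.0.0.0/8 can coexist.
        return any(addr in to_network(e) for e in entries)

    def matches(self, flow):
        # Assumed mapping: for incoming traffic the local side is the destination
        # and the remote side is the source; for outgoing it is the reverse.
        if flow["direction"] == "Incoming":
            local_ip, remote_ip = flow["dst"], flow["src"]
        else:
            local_ip, remote_ip = flow["src"], flow["dst"]
        return (self._side_matches(self.local, local_ip)
                and self._side_matches(self.remote, remote_ip))


def evaluate(rules, flow):
    """First-match evaluation; returns (rule name, action). Unmatched traffic is blocked."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "block"


# Two candidate loopback rules (hypothetical names and contents).
HOST_ONLY_LOOPBACK = Rule("Allow loopback (127.0.0.1 only)", "allow",
                          local=["::1", "127.0.0.1"], remote=["::1", "127.0.0.1"])
FULL_LOOPBACK = Rule("Allow loopback (127.0.0.0/8)", "allow",
                     local=["::1", "127.0.0.0/8"], remote=["::1", "127.0.0.0/8"])
# The same /8 on the local side only, remote side unrestricted: matches too, which is
# why an explicit remote-side entry matters only once the remote side is restricted.
LOCAL_ONLY_LOOPBACK = Rule("Allow loopback (local side only)", "allow",
                           local=["::1", "127.0.0.0/8"], remote=[])


def demo():
    """Evaluate the posted vmdird flow against each candidate rule."""
    flow = parse_traffic_message(SAMPLE_LOG)
    return {
        "flow": (flow["src"], flow["sport"], flow["dst"], flow["dport"]),
        "host_only": evaluate([HOST_ONLY_LOOPBACK], flow),
        "full_loopback": evaluate([FULL_LOOPBACK], flow),
        "local_only": evaluate([LOCAL_ONLY_LOOPBACK], flow),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The host-only rule never fires for this flow because the destination 127.0.0.171 is not 127.0.0.1, so the connection falls through to whatever follows (here, the default block), which matches the log. Listing 127.0.0.0/8 on both sides matches the flow regardless of which loopback address vmdird binds to; if the real rule set restricts the remote side to specific hosts, that side needs the same /8 entry, which is the change reply 1 describes.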