Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled
Technical Articles ID:   KB71230
Last Modified:  11/4/2016


Environment

McAfee Host Intrusion Prevention 8.0
 

Problem

The Host Intrusion Prevention (Host IPS) 8.0 Firewall blocks all traffic to the loopback adapter by default. This is a change from Host IPS 7.0, which allowed all traffic to the loopback adapter.

You see an error similar to the following in the Host IPS 8.0 FireSvc.log:

FireCore.cpp[5931] VERBOSE  (2652)
handleNotificationEventLog() - traffic event received:
Mode = traffic
Process id = 156
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_OUTBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = 1883
Dest port = 1883
Ip protocol = 17
Ethernet type = 0x800
Process path = C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Local ip addr = 127.0.0.1
Remote ip addr = 127.0.0.1

Source MAC = 00-00-00-00-00-00-00-00
Dest MAC = 00-00-00-00-00-00-00-00
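
Added example (not McAfee code and not part of the original article): Python that scans FireSvc.log text for blocked traffic events whose local and remote addresses are both loopback, so you can see which processes and ports are affected. It assumes every traffic event uses the "Key = value" layout of the excerpt above; the function names and the second sample event are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample: event 1 mirrors the excerpt above, event 2 is made up.
SAMPLE_LOG = r"""
FireCore.cpp[5931] VERBOSE  (2652)
handleNotificationEventLog() - traffic event received:
Action = FW_ACTION_BLOCK_PACKET
Dest port = 1883
Ip protocol = 17
Process path = C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Local ip addr = 127.0.0.1
Remote ip addr = 127.0.0.1

Source MAC = 00-00-00-00-00-00-00-00
FireCore.cpp[5931] VERBOSE  (2652)
handleNotificationEventLog() - traffic event received:
Action = FW_ACTION_BLOCK_PACKET
Local ip addr = 192.0.2.10
Remote ip addr = 192.0.2.20
"""

def parse_traffic_events(text):
    """Return one dict of 'Key = value' fields per traffic-event block."""
    events, current = [], None
    for line in map(str.strip, text.splitlines()):
        if "traffic event received:" in line:
            events.append(current := {})
        elif current is not None and " = " in line:
            key, _, value = line.partition(" = ")
            current[key.strip()] = value.strip()
        elif line:  # any other non-blank line closes the block
            current = None
    return events

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # field missing or not an IP address
        return False

def blocked_loopback(text):
    """Count blocked events with both endpoints on loopback, per process and port."""
    hits = Counter()
    for e in parse_traffic_events(text):
        ends = (e.get("Local ip addr", ""), e.get("Remote ip addr", ""))
        if e.get("Action") == "FW_ACTION_BLOCK_PACKET" and all(map(is_loopback, ends)):
            hits[(e.get("Process path"), e.get("Dest port"), e.get("Ip protocol"))] += 1
    return hits
```

Calling blocked_loopback() on the contents of FireSvc.log returns a counter keyed by (process path, destination port, IP protocol).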

Solution

This is as designed in Host IPS 8.0.
 
There is a local loopback firewall rule included in the McAfee Firewall Policy Catalog on Host IPS Extension 8.0.0.528 (Patch 1 release) and later.

NOTE: If VPN adapters or other software require the local loopback adapter for internal system communications, you must add your own local loopback rule when any of the following applies:
  • The Host IPS 8.0 Firewall rules policy was migrated from Host IPS 7.0.
  • The Host IPS 8.0 Firewall rules policy was newly created using a McAfee Default Policy Firewall Rules policy.
  • The Host IPS 8.0 Firewall rules policy was imported and does not currently have an appropriate firewall rule for the local loopback adapter.

Solution

Add an Allow Loopback rule from the Policy Catalog:

Create a Host IPS 8.0 Firewall rule to allow the Loopback traffic.

IMPORTANT: Place the Allow Loopback rule above any Location Aware Groups (LAGs).
  1. Log on to the ePO Server console.
  2. Click Policy Catalog.
  3. Select Host Intrusion Prevention 8.0:Firewall for the Product.
  4. Select Firewall Rules (Windows) for the Category.
  5. Click Edit Settings under the Actions column for your specific policy.
  6. Click Add Rule From Catalog.
  7. Select Allow Loopback and click OK.
  8. Click Save.
