IE browsing is slower than other browsers when outbound firewall is enabled

Consider following scenario:

After upgrading firewall, Internet Explorer 6/7/8/9/10 may take longer to load web page.

It can be due to firewall's outbound blocking filters are enabled and it blocks IE loopback UDP traffic.

Insight: In previous IE version, the generation of UDP lookup traffic by IE WININET behavior is by design.

Internet Explorer uses the UDP port as a control event to winsock select(), and sends packet to effectively set the event so that the thread breaks out of the select call (typically for timeouts, or when new sockets need to be stuffed into the call).

WinInet uses a UDP loopback socket to be able to interrupt a winsock select.

This is necessary behavior with way WinInet has implemented its sockets layer.

Design changes to WinInet in IE11 do not generate loopback UDP traffic so performance is not impacted when firewalls are configured to blog UDP loopback traffic.


To work around it, need allow loopback UDP traffic in the firewall or upgrade to IE11.

Related content

McAfee FAQ Title: Version Comparison: Webinar Questions: "Migrating to host IPS 8.0 Successfully", May 9. Final.
See below for KB712308 / looback related questions and answers.

Symantec document ID 2005022513010748: Symantec Client Firewall blocks communications to localhost (

From McAfee Version Comparison: Webinar Questions: "Migrating to host IPS 8.0 Successfully", May 9. Final

Q: Got issue with loopback been block

A: Due to some architectural changes in patch 2, you need to create a loopback allow rule that you didn't have to before.  See: KB71230 - Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled

Q: KB71230, does that mean that a loopback address added, for example, as secondary DNS IP address (the host/server itself that has DNS role) would be blocked by HIPS 8.0 Firewall by default, if not added the Allow Loopback rule in first place to the HIPS 8.0 Firewall?

A: If you have a client component on your host system that talks to a server component on the loopback address, that will potentially be blocked till you create an allow loopback rule for it.

Q: we are already tuned at hips 7 for firewall, ips and app blocking. can we just migrate policies and upgrade without further tuning?

A: Further tuning will be required, since there are architectural changes between the two product versions (like the loopback address issue (KB71230).  Your policies should be migrated and tested in your environment, then adjust the policies as needed

From Symantec document ID 2005022513010748: Symantec Client Firewall blocks communications to localhost (


Local Ethernet adapters have an internal IP address of, which is not routable. When you see both local and remote addresses as Local Host ( in the logs, the program is performing a loopback operation. This is common for many applications.

To create a loopback rule

  1. Start Symantec Client Firewall Administrator.
  2. Open rules policy file.
  3. On the Rules tab, click General Rules > Add.
  4. Configure the following fields with the following values:












Any ports

Remote Ports

Any ports

  1. Click Computers > Computer List > Add >
  2. Click OK.
  3. Move the LoopBack rule to the top of the General Rules list.
  4. Save the policy file.
  5. Exit Symantec Client Firewall Administrator.

If you want to distribute this rule to your clients, use Symantec System Center to distribute the new policy file. For help with this, read the document Using Symantec System Center to distribute a Symantec Client Firewall policy.


Anik from GBSD DSI Team

Comments (0)

Skip to main content