Using " * " or "Any" as "Application" when creating firewall rules in Symantec Endpoint Protection

Article:TECH104295  |  Created: 2008-01-28  |  Updated: 2013-12-02  |  Article URL http://www.symantec.com/docs/TECH104295
Article Type
Technical Solution


Issue



How to use " * " (Asterisk) or "Any" as Application when creating firewall rules in Symantec Endpoint Protection (SEP) 11.0 or 12.1. What is the difference between " * " and Any? Why does the "Allow all applications" rule not work with ICMP/ping or broadcast traffic?

 


Solution



When creating a firewall rule in the Symantec Endpoint Protection Manager (SEPM), there is a difference between leaving the Application field as "Any" and entering an asterisk (*) to match all applications.

  • “Any”
    This setting will include all packets, no matter which application they’re destined for or coming from, or whether they are associated with a running application at all. Therefore, this setting will match traffic such as incoming broadcast packets and Internet Control Message Protocol (ICMP).
  • Asterisk (*)
    This setting will include only packets that are associated with a running application matching the " * " rule for the file name. Incoming broadcast and ICMP traffic, for example, would be excluded from a rule with this configuration.



The default "Allow all applications" rule that is included when a new firewall policy is created uses the asterisk/star (*) in the rule and therefore does not match incoming ICMP traffic. To allow a ping of the host running the Symantec Endpoint Protection client, the "Allow ping" rule should also be enabled.

 



Legacy ID



2008022815002148

