Endpoint Protection

  • 1.  0.0.0.0 + mac address chatter from devices blocked

    Posted Nov 30, 2010 01:01 PM

    Hello, I've seen this question posted a few times but found the threads closed without a solution:

    I have users with SEP11 RU6 freshly installed complaining that they are getting blocked-access popups from Symantec. The log files look like this:

    24524 11/30/2010 10:30:31 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:29:29 AM 11/30/2010 10:29:29 AM Block all other traffic 
    24525 11/30/2010 10:30:41 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:29:40 AM 11/30/2010 10:29:40 AM Block all other traffic 
    24526 11/30/2010 10:30:52 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:29:50 AM 11/30/2010 10:29:50 AM Block all other traffic 
    24527 11/30/2010 10:31:02 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:00 AM 11/30/2010 10:30:00 AM Block all other traffic 
    24528 11/30/2010 10:31:12 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:10 AM 11/30/2010 10:30:10 AM Block all other traffic 
    24529 11/30/2010 10:31:22 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:21 AM 11/30/2010 10:30:21 AM Block all other traffic 
    24530 11/30/2010 10:31:33 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:31 AM 11/30/2010 10:30:31 AM Block all other traffic 
    24531 11/30/2010 10:31:33 AM Blocked 15 Incoming ETHERNET [type=0x0] 0.0.0.0 00-11-5C-4D-ED-80 0 0.0.0.0 00-23-14-35-B4-B0 0  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:31 AM 11/30/2010 10:30:31 AM Block all other traffic 
    24532 11/30/2010 10:31:43 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 etc...

     

    No turning off notification; we want to know if a legit app is being blocked or not. No turning off this rule or logging on this rule for the same reason.

    Why is RU6 reporting this where RU5 did not? Is there a setting to allow network chatter to run without filling up log files or causing popups?



  • 2.  RE: 0.0.0.0 + mac address chatter from devices blocked

    Posted Nov 30, 2010 08:19 PM

    This is an "ARP Probe" or request packet.

    24531 11/30/2010 10:31:33 AM Blocked 15 Incoming ETHERNET [type=0x0] 0.0.0.0 00-11-5C-4D-ED-80 0 0.0.0.0 00-23-14-35-B4-B0 0  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:31 AM 11/30/2010 10:30:31 AM Block all other traffic

    "Blocked 15" I believe means it is the 15th rule in the SEP firewall that is being triggered.

    The rule is probably "Block all other traffic".

    I'm wondering if you have a device or multiple devices on your network that may be improperly configured such as IPv6 protocol, IPX protocol, or AppleTalk...

    Not sure if that helps, I have the same issue but haven't been able to find much. Perhaps a call to Symantec is best in this case.
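
Added example, not part of either post and not Symantec code: a triage script that groups the blocked Ethernet lines from the excerpt above by type field and MAC pair, to show which device is generating the chatter and how often. The field layout in the regex is an assumption inferred from the posted lines; the length/EtherType split (0x05DC and below is a length, 0x0600 and above is an EtherType) and the group-address bit come from IEEE 802.3.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the thread's log excerpt (the last one is truncated there too).
SAMPLE = """\
24529 11/30/2010 10:31:22 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:21 AM 11/30/2010 10:30:21 AM Block all other traffic
24530 11/30/2010 10:31:33 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 417  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:31 AM 11/30/2010 10:30:31 AM Block all other traffic
24531 11/30/2010 10:31:33 AM Blocked 15 Incoming ETHERNET [type=0x0] 0.0.0.0 00-11-5C-4D-ED-80 0 0.0.0.0 00-23-14-35-B4-B0 0  MLILLY MLILLY-MERH Default 1 11/30/2010 10:30:31 AM 11/30/2010 10:30:31 AM Block all other traffic
24532 11/30/2010 10:31:43 AM Blocked 15 Incoming ETHERNET [type=0x1A1] 0.0.0.0 00-80-2D-D5-16-B4 0 0.0.0.0 01-00-81-00-01-01 etc...
"""

# Assumed field layout, inferred from the excerpt (not from Symantec documentation).
LINE = re.compile(
    r"^\d+ (?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<action>\w+) \d+ (?P<dir>\w+) "
    r"ETHERNET \[type=(?P<type>0x[0-9A-Fa-f]+)\] \S+ (?P<src>[0-9A-Fa-f-]{17}) "
    r"\d+ \S+ (?P<dst>[0-9A-Fa-f-]{17})")

def classify_type(value):
    """IEEE 802.3: <= 0x05DC is a payload length, >= 0x0600 is an EtherType."""
    if value <= 0x05DC:
        return "802.3 length"
    return "EtherType" if value >= 0x0600 else "undefined"

def is_group_address(mac):
    """The low bit of the first octet marks a multicast/broadcast destination."""
    return bool(int(mac.split("-")[0], 16) & 1)

def summarize(text):
    """Group blocked Ethernet frames by (type, src MAC, dst MAC)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["action"] == "Blocked":
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            groups[(int(m["type"], 16), m["src"], m["dst"])].append(ts)
    out = []
    for (etype, src, dst), stamps in sorted(groups.items()):
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        out.append({"type": hex(etype), "kind": classify_type(etype), "src": src,
                    "dst": dst, "group_dst": is_group_address(dst),
                    "count": len(stamps), "gaps_s": gaps})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A steady gap of about ten seconds from one source MAC to a group destination address points at a single device sending a periodic Layer 2 announcement, which narrows the search to that MAC on the switch.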