Blocked UDP connections
One of my client sites runs SEP 12.1 on Server 2012. The client servers are mostly 2012 with a few 2008 R2. The client PCs are mostly Windows 8 with a couple of Windows 7 boxes.
Today he was working with a vendor which led him to look through the Network Threat Protection logs on his Windows 8 PC. He showed me that there are a bunch of blocked connections and wanted me to investigate them as he wants to know what's up with them.
I checked out a couple of client servers and they have the same type of entries in their logs. The Severity is either 10 or 15, the Direction is always Incoming, the Protocol is always UDP, and the Remote Host is always an address like FE80:0:0:0:198A:37F6:A4ED:F99c; it and the Remote MAC may be the same for several entries, but there are different ones in the log. Each Remote Host seems to use the same port for all of its connection attempts, and most hosts use the same port, but not all hosts do. Oddly enough, the Local Host address varies, with some entries being the valid IPv4 address, some being very odd IPv4 addresses and some being IPv6 addresses.
There are always multiple occurrences for each entry in the log, with the Begin and End Times being about 1 minute apart. The Rule specified is predominantly the "Block all other IP traffic and log" rule, though there are a few instances of "Block Web Services Discovery" and "Block UPnP Discovery".
Does anyone have any idea what is going on here? None of the PCs are accessible from the internet and only the Exchange, RDP, and Edge servers are accessible from the internet. The whole site is well protected.
I'm trying to figure out if these are somehow legitimate blocks of intruders that are somehow slipping in or if SEP is blocking internal traffic that it really doesn't need to, or shouldn't, be blocking.
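As an added triage example (not part of the original post, and not SEP's own tooling), the script below groups blocked entries like the ones described above by remote MAC and remote port, classifies the remote address by scope, and attaches a hint for well-known UDP discovery ports. The column names in the embedded sample are an assumption modelled on the fields named in the post, not SEP's real export layout, and the sample rows are constructed. The one hard fact it leans on is that link-local addresses (fe80::/10, 169.254.0.0/16) are never forwarded by a router, so a link-local Remote Host must sit on the same L2 segment as the machine that logged it.

```python
import csv
import io
import ipaddress
from collections import Counter

# Well-known UDP ports used by LAN discovery protocols. These are hints only:
# a port number alone does not prove which protocol was actually speaking.
DISCOVERY_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1900: "SSDP (UPnP discovery)",
    3702: "WS-Discovery",
    5353: "mDNS",
    5355: "LLMNR",
}

# Constructed sample rows modelled on the fields named in the post. The column
# names are an assumption for this example, not SEP's real export layout.
SAMPLE_LOG = """\
Severity,Direction,Protocol,Remote Host,Remote MAC,Remote Port,Local Host,Rule
10,Incoming,UDP,FE80:0:0:0:198A:37F6:A4ED:F99C,00-11-22-33-44-55,3702,192.168.10.25,Block all other IP traffic and log
10,Incoming,UDP,FE80:0:0:0:198A:37F6:A4ED:F99C,00-11-22-33-44-55,3702,FE80:0:0:0:1:2:3:4,Block all other IP traffic and log
15,Incoming,UDP,FE80:0:0:0:198A:37F6:A4ED:F99C,00-11-22-33-44-55,3702,192.168.10.25,Block Web Services Discovery
10,Incoming,UDP,FE80:0:0:0:C0FF:EE00:1234:5678,00-AA-BB-CC-DD-EE,1900,192.168.10.25,Block UPnP Discovery
10,Incoming,UDP,FE80:0:0:0:C0FF:EE00:1234:5678,00-AA-BB-CC-DD-EE,1900,0.0.0.0,Block all other IP traffic and log
10,Incoming,UDP,192.168.10.77,00-DE-AD-BE-EF-01,49152,192.168.10.25,Block all other IP traffic and log
10,Outgoing,UDP,192.168.10.1,00-DE-AD-BE-EF-02,53,192.168.10.25,Allow DNS
"""


def address_scope(text):
    """Coarse scope of an address string. Link-local traffic (fe80::/10 and
    169.254.0.0/16) is never forwarded by a router, so a link-local source
    must be on the same L2 segment as the host that logged it."""
    # Drop an IPv6 zone index such as "%12" so older Python versions parse it.
    text = text.strip().split("%", 1)[0]
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"
    if addr.is_link_local:
        return "link-local"
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return "special"
    if addr.is_private:
        return "private"
    return "global"


def triage(log_text, direction="Incoming", protocol="UDP"):
    """Group entries by (remote MAC, remote port) and annotate each group with
    the source scopes seen and a port hint. Returns a dict keyed by (mac, port)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Direction"] != direction or row["Protocol"].upper() != protocol:
            continue
        port = int(row["Remote Port"])
        key = (row["Remote MAC"].upper(), port)
        g = groups.setdefault(key, {
            "count": 0,
            "remote_hosts": set(),
            "local_hosts": set(),
            "scopes": set(),
            "rules": Counter(),
            "port_hint": DISCOVERY_PORTS.get(port, "no well-known discovery port"),
        })
        g["count"] += 1
        g["remote_hosts"].add(row["Remote Host"].upper())
        g["local_hosts"].add(row["Local Host"].upper())
        g["scopes"].add(address_scope(row["Remote Host"]))
        g["rules"][row["Rule"]] += 1
    return groups


def verdict(group):
    """Plain-language reading of one group, stating only what the data supports."""
    if group["scopes"] == {"link-local"}:
        reach = "on-link neighbour (link-local source cannot have come through a router)"
    elif group["scopes"] == {"private"}:
        reach = "private/internal source"
    else:
        reach = "mixed or other source scope: " + ", ".join(sorted(group["scopes"]))
    return f"{reach}; remote port: {group['port_hint']}"


if __name__ == "__main__":
    for (mac, port), g in sorted(triage(SAMPLE_LOG).items()):
        print(f"{mac} udp/{port}: {g['count']} hits, {verdict(g)}")
        print(f"   rules: {dict(g['rules'])}; local hosts seen: {sorted(g['local_hosts'])}")
```

Run against a real export, the grouping by remote MAC is the useful part: the MAC identifies the physical neighbour on the segment regardless of which IPv4 or IPv6 address it happened to use, so a switch's MAC table or an ARP/NDP cache will tell you which box is talking. The port hint says only what normally lives on that port; confirming the protocol still needs a capture.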