
Blocked UDP connections

Created: 23 Sep 2013 | 6 comments

One of my client sites runs SEP 12.1 on Server 2012. The client servers are mostly 2012 with a few 2008 R2. The client PCs are mostly Windows 8 with a couple of Windows 7 boxes.

Today he was working with a vendor which led him to look through the Network Threat Protection logs on his Windows 8 PC. He showed me that there are a bunch of blocked connections and wanted me to investigate them as he wants to know what's up with them.

I checked out a couple of client servers and they have the same type of entries in their logs. The Severity is either 10 or 15, the Direction is always Incoming, the Protocol is always UDP, the Remote Host is always an address like FE80:0:0:0:198A:37F6:A4ED:F99c and it and the Remote MAC may be the same for several entries but there are different ones in the log. Each Remote Host seems to use the same port for all of its connection attempts and most hosts use the same port but not all hosts do. Oddly enough, the Local Host address varies with some entries being the valid IPv4 address, some being very odd IPv4 addresses and some being IPv6 addresses.

There are always multiple occurrences for each entry in the log, with the Begin and End Times being about 1 minute apart. The Rule specified is predominantly the "Block all other IP traffic and log" rule, though there are a few instances of "Block Web Services Discovery" and "Block UPnP Discovery".

Does anyone have any idea what is going on here? None of the PCs are accessible from the internet and only the Exchange, RDP, and Edge servers are accessible from the internet. The whole site is well protected.

I'm trying to figure out if these are somehow legitimate blocks of intruders that are somehow slipping in or if SEP is blocking internal traffic that it really doesn't need to, or shouldn't, be blocking.

Jonathan



Brɨan

The PCs probably have network discovery turned on:

http://windows.microsoft.com/en-us/windows7/enable...

For the others, you need to see what port this is happening over.

You can check the SEP 12.1 fw policy explanation for further detail as well

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

Article: TECH180569 | Created: 2012-02-02 | Updated: 2012-02-02 | Article URL http://www.symantec.com/docs/TECH180569

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

JLeslie

The PCs do have network discovery turned on. What I don't understand is why this is being logged in the SEP log on individual computers because the SEP firewall is disabled and the built-in Windows firewall is being used.

Does the SEP log contain events generated by the Windows firewall?

The ports used by the greatest number of events are 546 and 547 which equate to IPv6 DHCP.

Port 1900 is used by UPnP. I'm not sure why one computer would be trying to connect to another for UPnP purposes, but then I really don't know what all UPnP does.

So it seems to me that we can ignore these events, am I correct?

Jonathan
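An added triage example, not code from the thread: it takes blocked-connection entries of the kind described above (incoming UDP from fe80:: link-local sources on the ports the reply names) and separates the ones that look like ordinary local discovery from the ones still worth a look. The dict layout, the sample entries and the inclusion of port 3702 (WS-Discovery, behind the "Block Web Services Discovery" rule) are assumptions.

```python
# Added example (not from the thread): triage of SEP Network Threat Protection
# "blocked connection" entries. The dict layout and the sample entries are
# constructed; a real SEP log export needs its own parser.
import ipaddress
from collections import Counter

# Ports the reply attributes to local IPv6 discovery traffic. 3702 is an
# assumption (WS-Discovery, the "Block Web Services Discovery" rule).
LOCAL_DISCOVERY_PORTS = {
    546: "DHCPv6 client",
    547: "DHCPv6 server",
    1900: "SSDP / UPnP discovery",
    3702: "WS-Discovery",
}

def is_link_local_v6(addr):
    """True for fe80::/10 sources such as FE80:0:0:0:198A:37F6:A4ED:F99C."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 6 and ip.is_link_local

def classify(entry):
    """'local-discovery' for link-local UDP on a known discovery port, else 'review'."""
    if entry["direction"] != "Incoming" or entry["protocol"] != "UDP":
        return "review"
    ports = {entry["local_port"], entry["remote_port"]}
    if is_link_local_v6(entry["remote_host"]) and ports & set(LOCAL_DISCOVERY_PORTS):
        return "local-discovery"
    return "review"

def triage(entries):
    """Count verdicts and return the entries that still deserve a look."""
    verdicts = [classify(e) for e in entries]
    counts = Counter(verdicts)
    review = [e for e, v in zip(entries, verdicts) if v == "review"]
    return counts, review

# Constructed sample entries modelled on the thread's description.
SAMPLE = [
    {"direction": "Incoming", "protocol": "UDP", "remote_host": "FE80:0:0:0:198A:37F6:A4ED:F99C",
     "remote_port": 546, "local_port": 547, "rule": "Block all other IP traffic and log"},
    {"direction": "Incoming", "protocol": "UDP", "remote_host": "fe80::1c2d:3e4f:5a6b:7c8d",
     "remote_port": 1900, "local_port": 1900, "rule": "Block UPnP Discovery"},
    {"direction": "Incoming", "protocol": "UDP", "remote_host": "203.0.113.7",
     "remote_port": 40123, "local_port": 1900, "rule": "Block all other IP traffic and log"},
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for e in review:
        print("review:", e["remote_host"], e["local_port"], e["rule"])
```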

Brɨan

Is a firewall policy still applied though?

Rafeeq

If the SEP firewall is disabled, those events should not be logged. Can you go to Add/Remove Programs, select SEP, select Modify and check if the NTP component is enabled (do you see a red cross on it)?

I doubt that this machine has NTP installed, but it's not showing up in the console as it was not rebooted.

Please post a screen shot if possible.

SameerU

Hi

In the firewall UPnP rule, click Allow.

Regards

SameerU

Hi

Can you please update on the solution provided?

Regards