Endpoint Protection

  • 1.  "The client will block traffic from the IP address..."

    Posted Jul 28, 2016 04:40 AM

    Hello,

    Firstly, I apologize for my English. I'm French, so be forgiving.

    I have a "problem" with my Symantec Endpoint Protection. We have thirty servers, and all of them have SEP.
    The IP of the SEP server is 10.53.1.8.

    All the other servers are in the same IP range.

    And when I go onto another server (for example 10.53.1.100) there is a message which says that the client will block the traffic from 10.53.1.8 for 600 seconds.
    In French the exact message is (translated): "The client will block traffic coming from IP address 10.53.1.8 for the next 600 seconds (from XX/XX/XXXX 12:11:18 to XX/XX/XXXX 12:21:18)".

    In English I can't be sure, but by translation it's: "The client will block traffic from the IP address 10.53.1.8 during the next 600 seconds".

    I don't understand why the SEP server wants to scan the ports of the other servers. I launched a scan on it to be sure there is no virus (it's not done yet), but I don't think it's infected.

    We also have serious trouble with our network, so I am asking myself whether this message is the source of those problems.

    Thanks for your help.



  • 2.  RE: "The client will block traffic from the IP address..."

    Posted Jul 28, 2016 10:48 AM

    It could be a misconfiguration on your SEPM.

    You can disable this feature in your SEPM firewall policy until you get it figured out, and if it's causing major network issues. Go into your firewall policy, on the Protection and Stealth tab, and uncheck "Automatically block an attacker's IP address".

    Only those servers will block the SEPM server; nothing else should be blocked. However, you may need to elaborate on the other network issues you're having.



  • 3.  RE: "The client will block traffic from the IP address..."

    Posted Jul 29, 2016 02:39 AM

    Hi,

    Thanks for your answer.

    Just to be sure, is this the panel: http://www.noelshack.com/2016-30-1469774280-gggghyjfergher.png

    And when I uncheck this box, none of my servers will block attackers' IP addresses?



  • 4.  RE: "The client will block traffic from the IP address..."

    Posted Jul 29, 2016 06:14 AM

    They won't block the IP, but you will still get alerts for port scanning.



  • 5.  RE: "The client will block traffic from the IP address..."

    Broadcom Employee
    Posted Jul 29, 2016 04:59 PM

    Hi,

    SEPM is not scanning your other servers. There must be some other application doing this. What's the role of this server? What other applications / third-party software are installed?

    Provide the NTP logs from the affected clients. Share the NTP traffic logs by exporting them to an Excel sheet. Meanwhile, also go through the list of allowed ports and block unnecessary open ports. SEP is doing its job, but let's verify that unnecessary ports are not open.

    To collect traffic logs, navigate to SEP client GUI --> NTP --> Options --> View Logs --> Traffic log.

    If it's legitimate traffic, you can set up a list of computers for which the client does not match attack signatures or check for port scans or denial-of-service attacks. Network intrusion prevention and peer-to-peer authentication allow any source traffic from hosts in the excluded hosts list. However, network intrusion prevention and peer-to-peer authentication continue to evaluate any destination traffic to hosts in the list. The list applies to both inbound traffic and outbound traffic, but only to the source of the traffic. The list also applies only to remote IP addresses.

    Refer to this guide to make this exception:
    http://www.symantec.com/docs/HOWTO81159
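The reply above asks for two things before anyone adds an exclusion: look at the exported client traffic log to see whether 10.53.1.8 really is touching many ports in a short time, and compare the ports it reaches against the ports the server is supposed to expose. The script below is an added example written for this thread; it is not part of the original posts and not Symantec's code. The CSV sample is constructed, and its column names (Time, Direction, Remote Host, Local Port, Action) are an assumption about what a Traffic log export looks like, so adjust them to the real header of your export before use.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample standing in for an exported SEP client Traffic log.
# Column names are assumed, not taken from a real export. The first eight
# inbound rows mimic what a port sweep from the SEPM address would look like;
# the 10.53.1.50 rows are ordinary repeated SMB connections for contrast.
SAMPLE_EXPORT = """\
Time,Direction,Protocol,Remote Host,Remote Port,Local Host,Local Port,Action
2016-07-28 12:11:10,Incoming,TCP,10.53.1.8,50001,10.53.1.100,135,Allowed
2016-07-28 12:11:10,Incoming,TCP,10.53.1.8,50002,10.53.1.100,139,Allowed
2016-07-28 12:11:11,Incoming,TCP,10.53.1.8,50003,10.53.1.100,445,Allowed
2016-07-28 12:11:11,Incoming,TCP,10.53.1.8,50004,10.53.1.100,3389,Allowed
2016-07-28 12:11:12,Incoming,TCP,10.53.1.8,50005,10.53.1.100,22,Blocked
2016-07-28 12:11:12,Incoming,TCP,10.53.1.8,50006,10.53.1.100,80,Blocked
2016-07-28 12:11:13,Incoming,TCP,10.53.1.8,50007,10.53.1.100,443,Blocked
2016-07-28 12:11:13,Incoming,TCP,10.53.1.8,50008,10.53.1.100,8080,Blocked
2016-07-28 12:11:15,Outgoing,TCP,10.53.1.8,8014,10.53.1.100,51000,Allowed
2016-07-28 12:12:00,Incoming,TCP,10.53.1.50,49152,10.53.1.100,445,Allowed
2016-07-28 12:12:30,Incoming,TCP,10.53.1.50,49153,10.53.1.100,445,Allowed
2016-07-28 12:13:00,Incoming,TCP,10.53.1.50,49154,10.53.1.100,139,Allowed
"""


def parse_export(text):
    """Parse the CSV export into dicts with a real timestamp and int port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        row["Local Port"] = int(row["Local Port"])
        rows.append(row)
    return rows


def inbound(rows):
    """Only connections initiated by the remote side matter for a port sweep."""
    return [r for r in rows if r["Direction"] == "Incoming"]


def port_sweeps(rows, window=timedelta(seconds=60), min_ports=5):
    """Return {remote_host: distinct_local_ports} for every remote host that
    touched at least min_ports distinct local ports inside any sliding window.
    The threshold and window are assumptions chosen for this example; SEP's own
    port-scan heuristic is not documented here."""
    by_remote = defaultdict(list)
    for r in inbound(rows):
        by_remote[r["Remote Host"]].append(r)

    findings = {}
    for host, recs in by_remote.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            best = max(best, len({r["Local Port"] for r in in_window}))
        if best >= min_ports:
            findings[host] = best
    return findings


def unexpected_ports(rows, allowed):
    """Inbound local ports seen in the log that are not on the allow-list.
    Anything here is a candidate to close on the host or block in the policy."""
    return {r["Local Port"] for r in inbound(rows)} - set(allowed)


def report(text, sepm_ip, allowed):
    """Summarise the export: which hosts look like sweepers, whether the SEPM
    address is among them, and which inbound ports are not expected."""
    rows = parse_export(text)
    sweeps = port_sweeps(rows)
    return {
        "sweepers": sweeps,
        "sepm_looks_like_sweeper": sepm_ip in sweeps,
        "unexpected_ports": sorted(unexpected_ports(rows, allowed)),
    }


if __name__ == "__main__":
    # Allow-list is an assumption for the example: a Windows server that is
    # expected to expose RPC, NetBIOS, SMB and RDP only.
    print(report(SAMPLE_EXPORT, "10.53.1.8", allowed={135, 139, 445, 3389}))
```

If the SEPM address comes out as a sweeper in the real export, the next question is what process on 10.53.1.8 opened those connections (check with a connection listing on that host rather than on the clients); if it does not, the block message is likely reacting to something else and an exclusion for 10.53.1.8 would only hide it.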



  • 6.  RE: "The client will block traffic from the IP address..."

    Posted Aug 02, 2016 04:11 AM

    @Brian: OK, thanks, I will try this and keep you informed.

    @Chetan Savade: The server is the Symantec server which allows the clients to do updates or something like that. There are no other applications on this server. It's dedicated.

    Sorry, but I can't find the NTP options on the SEP client. Maybe I have the wrong version: http://www.noelshack.com/2016-31-1470125309-sepc.png

    For the list of exceptions, do I have to configure it through the SEP server or on all the clients?

    Thanks for your help.