Custom IPS Signature for allowing traffic on UDP port 161

Created: 19 Jun 2013 • Updated: 19 Jun 2013 | 8 comments

Hi, recently I have some equipment which utilises port 161 to transfer data into my server. Somehow SEPM is blocking the traffic on port 161. Should I create a custom IPS signature to allow traffic on this port?

 

If yes, should I leave the content syntax blank so that it will allow all traffic on this port?

I searched through the forum and usually the discussion is on blocking of ports, websites and services. Please help. Thank you.

.Brian's picture

This is a rule that would need to be configured within the SEP firewall, not the IPS.

The IPS blocks signature-based traffic. You can check the Security log on the client to see if any signatures are being triggered, but this sounds like the firewall is doing the blocking. The Traffic log would confirm.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

EvanChye's picture

Thank you for the prompt reply, I will do a check on the system tomorrow. Thank you.

EvanChye's picture

So in short, IPS signatures are used to block websites and not port traffic?

.Brian's picture

This is the job of the firewall. The IPS scans network streams looking for exploits and attacks and blocks those. The firewall would block the ports.

Within SEP, the firewall is the likely culprit here, unless there was a specific attack taking place on the mentioned port. The Security log would show what signature was triggered and the Traffic log would show the firewall activity.

Rafeeq's picture

IPS would block network-based attacks based on signatures. The firewall will block ports based on rules, allow or deny.

You need to create a firewall rule or modify the existing rule which is blocking the connection. You can see that in the logs on the client's Logs tab.

Here is the screenshot:

https://www-secure.symantec.com/connect/forums/opening-ports-symantec-endpoint-manager-firewall

EvanChye's picture

Hi there, I have taken some screenshots of my problems.

 

It shows denial of service from the Security log. Somehow I could not attach the file from my company connection. Will try again later.

.Brian's picture

You can create a firewall rule to allow the traffic on that port.

EvanChye's picture

The screenshot. Somehow it did not work on my own phone network too.

 

Okay, I will try the firewall rule and see how it goes. Thanks for the advice.