Funny issue with NTP

This issue has been solved. See solution.
Abhishek Pradhan's picture

Hello Folks,

I'm facing a rather queer issue with the NTP component / signatures for SEP. It seems to be blocking traffic from my test systems to the site LinkedIn. If I switch NTP off, the site can be accessed properly.

I worked with a Wireshark capture, and also tried analyzing the Traffic logs for SEP (NTP), but can't seem to figure out what the heck the issue is.

Anyone else face the same problem?

JL-S's picture

Hi Pradhan,

I would suggest you try disabling the firewall policy on the SEPM and then activate NTP on the client that is having the problem.

If you still cannot access the website then the problem might be with IPS.

If you can access it, then it's definitely one of your firewall rules that blocks it.
Make sure all rules are set to log matches to the traffic log.
Then enable the Firewall policy again. Try going to the website and then check traffic log.

If the firewall blocked some packets because they matched a rule, you will have an entry in the client's traffic log; the last column will contain the "guilty" rule (which you can then rethink).

--
Symantec Support
MCSE / CCNA

BharRie's picture

If NTP is blocking, then I guess there has to be a blocked log. Could you please check in the logs?
This would give an idea of the exception to be created.

Bharrie,
Endpoint Protection
Symantec Corporation

Peterpan's picture

You should create a firewall policy to exclude the site from blocking.

:-)

Vikram Kumar-SAV to SEP's picture

Client mode or Unmanaged

Put the client in Client mode or Unmanaged... review the logs... check which exact policy is blocking the website, then modify that policy.

Celebrating 2 years as a community member....

Abhishek Pradhan's picture

Solution

Ok. Definitely an issue with the Signatures for 30th July. I did a rollback to previous defs and it's working now.....

Like they say, when the going gets weird, the weird turn pro.....hehe :D

Cheers and tks all for the inputs.

Abhishek Pradhan, MCT, PMP
ISMS Internal Auditor (ISO 27001), SIG Lead - Microsoft Pune User Group
http://hackatac.blogspot.com | http://www.puneusergroup.org
"You can always spot a happy biker by the bugs in his teeth....."