
How to?

Created: 07 Jun 2012 • Updated: 07 Jun 2012 | 5 comments
This issue has been solved. See solution.

How to create a rule to filter or block ICMP Timestamp (Type 13)?


Mithun Sanghavi's picture

Hello,

To BLOCK ICMP Timestamp (Type 13), create a rule in Symantec Endpoint Protection Firewall Policies.

To do so,

Click on Create a Blank Rule first and a "Rule 0" would be created. Make the necessary changes to this rule as below:

  • Enabled: YES
  • Action: BLOCK
  • Severity: 10-Minor
  • Application: Any
  • Host: Any
  • Time: Any
  • Service: Click on ADD, Select ICMP [Type=; 13] and Select the packet direction
  • Adapter: All Adapters
  • Screen Saver: Any
  • Logging: None
  • Created At: Shared

 

 

However, Allow ICMP Type 8 and 11 is the default Firewall Rule in SEP 12.1

Rule Name: Allow ping, pong and tracert
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: ICMP [Type=0; incoming]
ICMP [Type=8; outgoing]
ICMP [Type=11; incoming]
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Check this Article: http://www.symantec.com/docs/TECH91729

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pete_4u2002's picture

You need to add ICMP 13 code as a service. To do that I have attached screen references.

Log in to SEPM console ---> click on Policies ---> highlight Network services ---> Add new Network services.

Below are the references

 

 

 

Once added, create a firewall rule to configure the traffic as you want. In the services, highlight the ICMP service you just added.

Simpson Homer's picture

 

Problem

You want to know what the default system-wide settings are for the Network Threat Protection Firewall in Symantec Endpoint Protection 11 

Symptoms
These are the default system-wide Network Threat Protection rules for Symantec Endpoint Protection. They can be found by going through the following procedure:

1. Log into the Symantec Endpoint Protection Manager
2. Select Policies from the left-hand column
3. Under View Policies select "Firewall"
4. Double click the "Firewall policy"
5. When the policy opens select "Rules" on the left hand column.

System-Wide Settings (15 default rules)
These are the default system wide firewall rules.

Rule Name: Any Application (please note this rule only exists on unmanaged clients running RU5)
Enabled: NO
Severity: 5-Major
Application: Any
Host: Any
Time: Any
Service: Any
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic Log
Created At: Shared

Rule Name: Block IPv6
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: Ethernet [Protocol=0x86dd]
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic Log
Created At: Shared

Rule Name: Block IPv6 over IPv4 (Teredo)
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: UDP [Remote=3544]
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic Log
Created At: Shared

Rule Name: Block IPv6 over IPv4 (ISATAP)
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: IP:[41]
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic Log
Created At: Shared

Rule Name: Allow Fragmented Packets
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: IP:[Fragmented Packets]
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Allow Wireless ESPOL
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: Ethernet:[Protocol=0x888e]
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Allow MS Remote Access and Routing ARP Driver Any
Enabled: YES
Severity: 10-Minor
Application: wanarp.sys
Host: Any
Time: Any
Service: Any
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Block Local File Sharing
Enabled: NO
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: TCP[Local=139,445]
UDP[Local=135,137,138]
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic Log
Created At: Shared

Rule Name: Block Remote Administration
Enabled: NO
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: TCP[Local= 135]
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic Log
Created At: Shared

Rule Name: Allow All Applications
Enabled: YES
Severity: 10-Minor
Application: *
Host: Any
Time: Any
Service: Any
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Allow ping, pong and tracert
Enabled: YES
Severity: 10-Minor
Application: Any
Host: Any
Time: Any
Service: ICMP [Type=0; incoming]
ICMP [Type=8; outgoing]
ICMP [Type=11; incoming]
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Allow VPN
Enabled: YES
Severity: 5-Major
Application: Any
Host: Any
Time: Any
Service: VPN - - - PPTP
VPN - - - Check Point
VPN - - - NetScreen
VPN - - - Cisco 5000
VPN - - - Cisco 3000
VPN - - - Nortel
VPN - - - Aventail
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Allow all other IP traffic
Enabled: YES
Severity: 15-Information
Application: Any
Host: Any
Time: Any
Service: IP:
Adapter: All Adapters
Screen Saver: Any
Action: Allow
Logging: None
Created At: Shared

Rule Name: Don't log broadcast and multicast traffic
Enabled: YES
Severity: 15-Information
Application: Any
Host: Local:FF-FF-FF-FF-FF-FF
Local: 224.0.0.0-239.255.255.255
Time: Any
Service: IP:
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: None
Created At: Shared

Rule Name: Block all other traffic
Enabled: YES
Severity: 15-Information
Application: Any
Host: Any
Time: Any
Service: IP:
Adapter: All Adapters
Screen Saver: Any
Action: Block
Logging: Write to Traffic log
Created At: Shared
 

 

SOLUTION
la_ripper's picture

Okay that rule is already there. Rule 20. I am getting an error when we do a Retina Scan (vulnerability scan) that we need to filter the ICMP timestamp. It says use your endpoint software to complete this task.

Don't forget to mark your thread as 'solved'  or vote with the answer that best helped you!
 

pete_4u2002's picture

I believe you added the rule; bring it to the top and ensure it is enabled.
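
Why rule position and the Enabled flag decide the outcome, as an added example that is not part of the thread and not Symantec code: a simplified first-match model of the rule list, using three of the default rules quoted above. The rule name "Block ICMP Timestamp", the incoming direction and the fallback for an unmatched packet are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    enabled: bool
    action: str                  # "Allow" or "Block"
    icmp: Optional[set] = None   # {(type, direction)}; None = any IP traffic

    def matches(self, icmp_type, direction):
        if not self.enabled:     # disabled rules are skipped entirely
            return False
        return self.icmp is None or (icmp_type, direction) in self.icmp

def evaluate(rules, icmp_type, direction):
    """Return (action, rule name) of the first enabled rule that matches."""
    for rule in rules:
        if rule.matches(icmp_type, direction):
            return rule.action, rule.name
    return "Block", "(no rule matched)"   # assumed fallback for this model

# Subset of the default rules listed in the thread, in their listed order.
DEFAULTS = [
    Rule("Allow ping, pong and tracert", True, "Allow",
         {(0, "incoming"), (8, "outgoing"), (11, "incoming")}),
    Rule("Allow all other IP traffic", True, "Allow"),
    Rule("Block all other traffic", True, "Block"),
]

def block_ts(enabled=True):
    # Hypothetical name; direction "incoming" is an assumption.
    return Rule("Block ICMP Timestamp", enabled, "Block", {(13, "incoming")})

def scenarios():
    probe = (13, "incoming")     # constructed: a scanner's timestamp request
    return {
        "rule at bottom": evaluate(DEFAULTS + [block_ts()], *probe),
        "top, disabled": evaluate([block_ts(False)] + DEFAULTS, *probe),
        "top, enabled": evaluate([block_ts()] + DEFAULTS, *probe),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:15} -> {result}")
```

Only the "top, enabled" case blocks the Type 13 request; in the other two the broader "Allow all other IP traffic" rule matches first, which is consistent with the scanner still reporting the finding.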