Endpoint Protection


How to Add items globally to Firewall rules

  • 1.  How to Add items globally to Firewall rules

    Posted Feb 08, 2013 10:42 AM

    So,

     

    Short version is I divide things between Locations, in an External location I'm going through a discovery of applications that I want to allow or disallow on this specific location. Is there a way I can

    A) pull up a report

    B) See what came up on a client for application access (Network Threat = Packet or Traffic, doesn't matter)

    C) Add that "User allowed, or Blocked" to a Global Rule

     

    More or less, this is a very easy way to say, a user in my test bed said "Yes, allow this traffic to happen". I want to take that response and add it to a rule for "allow". It's almost like I'm asking for a component similar to what we can do with adding a Centralized Exception to whatever policy.

     

    Anyone know what I'm trying to do..

     

    thanks in advance, as always



  • 2.  RE: How to Add items globally to Firewall rules

    Posted Feb 08, 2013 10:49 AM

    A) Yes you can view a report from the Monitors tab. Set the log content to Network Threat Protection and content to traffic

    This will show all of your traffic from the users

    B) Click View Log and it should give you all the info

    C) There is no way to add the user to the rule from this screen (similar to how you can with risks)

    The rules are all or nothing and apply to every PC in the group, unless when you build the rule, you specifically exclude that PC name from the rule. This you can do.

    But there is no option to simply click and "Add to Rule"



  • 3.  RE: How to Add items globally to Firewall rules

    Posted Feb 13, 2013 09:36 AM

    Brian

    Question for you

     

    In an External Firewall Policy one of my rules allows a specific IP range, further down I have a "Prompt for Application Access". It seems this keeps coming up, despite the Source IP is supposed to have been globally "Allowed" in my first rule..

     

    Any ideas, anyone?

     

    Thanks, as always



  • 4.  RE: How to Add items globally to Firewall rules

    Posted Feb 13, 2013 11:17 AM

    Do you have Network Application Monitoring turned on? Sounds like it may be from this.

    On the Clients page >> Policies tab, does NAP show as ON? One of the options is to "Ask" when an app change is detected.

    If not enabled in the SEPM, it could possibly be enabled on just the client if it is in Client control mode

     



  • 5.  RE: How to Add items globally to Firewall rules

    Posted Feb 13, 2013 11:40 AM

    Good thought, checked and I'm clear

    Not Enabled @ NAP, and Set to Server mode.

    I did do this, let me know your thoughts.

     

    I moved the Allow all IP Traffic rule above my Ask for every little thing rule... And set the IP range to what I want, adding a blanket TCP and UDP setting... I'm thinking if you leave it blank, it allows any port, in the set Protocol..

     

     



  • 6.  RE: How to Add items globally to Firewall rules

    Posted Feb 13, 2013 12:14 PM

    Ok so it definitely is the Notification setting in the firewall policy.

    And once you moved it above the Ask rule, it is still "Asking"?



  • 7.  RE: How to Add items globally to Firewall rules

    Posted Feb 14, 2013 09:25 PM



  • 8.  RE: How to Add items globally to Firewall rules

    Posted Feb 15, 2013 12:32 PM

    Anyone?

    It's still prompting, and not working as expected



  • 9.  RE: How to Add items globally to Firewall rules

    Posted Feb 15, 2013 12:36 PM



  • 10.  RE: How to Add items globally to Firewall rules

    Posted Feb 18, 2013 02:40 PM

    Symantec, can you respond please? Any advice?



  • 11.  RE: How to Add items globally to Firewall rules

    Posted Feb 18, 2013 03:03 PM

    What do you mean that the rule "prompt for application access" will not go away - what happens when you delect it?



  • 12.  RE: How to Add items globally to Firewall rules

    Posted Feb 19, 2013 08:58 AM

    More or less, when the rule is in place, the prompt is not there (expected behavior)

     

    My goal: use this "Prompt for application access" to deliver a prompt to my end user for traffic not defined in my "Allowed Range". What's happening is that rules higher up the food chain are not working as intended and, as per my picture, not telling the next rule down, "that traffic is OK, let's not prompt the user".

    So back to my original issue or

    I define a rule that says Prompt for application access

    I define a rule above that, critically 0, that says, Allow this entire Subnet range

    My user's prompt is originating from the range I said was "Ok"..

    What am I missing?



  • 13.  RE: How to Add items globally to Firewall rules

    Posted Feb 19, 2013 11:02 AM

    You would get it for the very first time, the next pop up, there should be change.

    https://www-secure.symantec.com/connect/forums/network-application-monitoring-and-allow-and-log-all#comment-4148931

     

    What's your version number?