
How to allow mobile data card traffic in SEPM through firewall rules?

Created: 20 Dec 2012 | 14 comments

Hi,

We have SEPM 11.0.5 running with over 10,000 clients. Some of these clients are running SEP 11.0.5, others 11.0.7 and others v12.1.

Until recently, we had had no problem with any provider of mobile data cards in the world. The traffic being generated by them was not being blocked. But recently, some of our users in India have had problems with some newly purchased mobile 3G data cards, as their traffic is being blocked by the SEP Network Threat Protection firewall component.

The problem I have is that, in the firewall log, the Ethernet header is always different (sometimes it's 0xAAE, other times 0xA0B, other times 0xA82, etc.). So I can't create a policy based on the Ethernet header.

Can anyone suggest any other way of doing it?

Thanks!

Comments (14)

Ashish-Sharma:

Hi,

Check the NTP logs and find out which firewall rule is blocking it.

Did you receive any error message?

Thanks In Advance

Ashish Sharma

bLuEJaY:

Hi Ashish,

Yes, this is the first thing I did. The rule blocking the traffic is the general one: "Block all other traffic".

.Brian:

Is it trying to use a specific port?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

bLuEJaY:

Again, the port is also constantly changing: 2690, 2571, 2695, 19069, 41516, 49909, 52170, ...

I must say that the most repeated one is 2571. Information on this port is not relevant: it can be used by malware, but also by the CECSVC protocol.
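The triage the thread is doing by hand (looking at which Ethernet types and remote ports the "Block all other traffic" rule is catching, and deciding whether a per-EtherType allow rule is even meaningful) can be scripted over an exported NTP log. The following is an added example, not code from the thread or from Symantec; the log lines are constructed to carry the fields the posts mention, and the semicolon-separated column layout, the field order and the "Blocked"/"Allowed" action values are assumptions, since the real SEPM export format is not shown on the page. It classifies each blocked EtherType against the registered values (IPv4, ARP, IPv6 and so on) and treats anything else as unregistered, which is the situation the later fix note describes as frames "missing certain header components".

```python
"""Summarise what the SEP NTP firewall is blocking, grouped by EtherType and port.

Added example (not from the original thread). The SAMPLE_LOG below is
CONSTRUCTED; the column layout is an assumption, not the real SEPM export.
"""
from collections import Counter

# Registered EtherTypes (IEEE 802 registry). Anything else is treated as
# unregistered for triage purposes.
KNOWN_ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8100: "802.1Q VLAN",
    0x88CC: "LLDP",
}

# Constructed sample export: time;action;rule;ethertype;protocol;remote port
SAMPLE_LOG = """\
2012-12-20 09:14:02;Blocked;Block all other traffic;0xAAE;TCP;2571
2012-12-20 09:14:05;Blocked;Block all other traffic;0xA0B;TCP;2690
2012-12-20 09:14:09;Blocked;Block all other traffic;0xAAE;TCP;2571
2012-12-20 09:14:11;Blocked;Block all other traffic;0xA82;UDP;19069
2012-12-20 09:14:15;Allowed;Allow all Ethernet;0x0800;TCP;443
2012-12-20 09:14:20;Blocked;Block all other traffic;0xAAE;TCP;2571
"""


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, action, rule, etype, proto, port = line.split(";")
    return {
        "time": ts,
        "action": action,
        "rule": rule,
        "ethertype": int(etype, 16),
        "proto": proto,
        "port": int(port),
    }


def classify_ethertype(value):
    """Name a registered EtherType; flag 802.3 length fields and unregistered values."""
    if value in KNOWN_ETHERTYPES:
        return KNOWN_ETHERTYPES[value]
    if value < 0x0600:
        # Values below 0x0600 are IEEE 802.3 length fields, not EtherTypes.
        return "802.3 length field"
    return "unregistered"


def summarize_blocked(log_text, rule="Block all other traffic"):
    """Count blocked frames per EtherType and per (protocol, remote port) for one rule."""
    ethertypes = Counter()
    ports = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["action"] != "Blocked" or rec["rule"] != rule:
            continue
        ethertypes[rec["ethertype"]] += 1
        ports[(rec["proto"], rec["port"])] += 1
    return {"ethertypes": ethertypes, "ports": ports}


def ethertype_rule_is_viable(summary):
    """A per-EtherType allow rule only makes sense when every blocked frame
    carries a registered EtherType, so you know what you would be allowing."""
    return all(classify_ethertype(e) != "unregistered" for e in summary["ethertypes"])


def report(summary):
    """Render the summary as text lines, most frequent first."""
    lines = []
    for etype, n in summary["ethertypes"].most_common():
        lines.append(f"EtherType 0x{etype:04X} ({classify_ethertype(etype)}): {n} blocked")
    for (proto, port), n in summary["ports"].most_common():
        lines.append(f"{proto}/{port}: {n} blocked")
    verdict = "viable" if ethertype_rule_is_viable(summary) else "not viable"
    lines.append(f"Per-EtherType allow rule: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_blocked(SAMPLE_LOG))))
```

On the constructed sample every blocked EtherType is unregistered, so the script reports the per-EtherType rule as not viable; that matches the thread's experience that no single Ethernet-header rule covers the cards, and points at a scoped workaround (a dedicated client group) or a client update rather than an ever-growing list of header values.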

.Brian:

Can you dump the log into excel and post here? Just a few lines should do it so we can see the exact coding.


bLuEJaY:

Sure, here it is. Just a few lines, as an example.

Attachment: NTPLog.xlsx (10.73 KB)

.Brian:

See what happens when you create a policy based on Ethernet but leave the protocol type blank.


bLuEJaY:

I will try that, but... is that advisable really? Won't that allow ALL ethernet traffic?

.Brian:

That would be up to you. The easiest way is to create the Ethernet policy, but it sounds like you have multiple people using these cards, so that will be a nightmare.

You could move these users into a custom group and apply the policy allowing this traffic only to them.


bLuEJaY:

Yeah, that's what I figured I would do too. I have created the policy, but I won't be able to test it until tomorrow. Thanks for the help, I will tell you tomorrow how it goes.

bLuEJaY:

Hi,

I tested that and it worked as a workaround. I created a specific group and moved the machines that needed to use that 3G data card in there. This is just temporary until I can figure out exactly what policy works for this specific device.

Thanks for your help, Brian. Appreciated. I'm not marking this as solved because it's just a workaround.

hdablin:

Why don't you use application triggers in your firewall rules? As you have said, the ports are constantly changing, but I believe that you have a limited number of applications that should be allowed to use these ports.

You can read about the application triggers in the SEP Admin guide (see page 472). Please look at the following article too: http://www.symantec.com/business/support/index?page=content&id=HOWTO81237#v10221886

Sorry for my poor English. It's not my native language.

bLuEJaY:

Thanks for the suggestion, but I don't think using application triggers for allowing traffic is really an option. I know about them and use them to block traffic from and to specific applications, but allowing traffic is too wide. I have no idea what these specific users will need to do (browse the internet, FTP, whatever...).

SebastianZ:

For those following this thread:

12.1 RU2 MP1 introduces the fix for this issue:

New fixes and features in Symantec Endpoint Protection 12.1 Release Update 2 Maintenance Pack 1

Article:TECH204685  |  Created: 2013-04-03  |  Updated: 2013-04-12  |  Article URL http://www.symantec.com/docs/TECH204685
Systems are unable to connect to the network using 3G USB cards after installing Symantec Endpoint Protection firewall
Fix ID: 2949361
Symptom: Certain USB 3G cards require the configuration of extensive protocols to allow network traffic to pass through the firewall.
Solution: Updated Teefer to allow for traffic missing certain header components to be processed.