Endpoint Protection


How to create a notification email for P2P applications which i blocked


  • 1.  How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 01:14 PM

    Hi ,

    I am using SEPManager version 12.1.1101.401. I recently decided to block P2P applications in my office network and I have used the steps below to do so:

    3. Blocking Peer to Peer Traffic using Symantec Endpoint Protection Firewall.

    You can block the P2P traffic using Symantec Endpoint Firewall; in this case, even if the user has any P2P applications installed, those applications won't be allowed to connect to the internet. It is very difficult to track the port number for the application, as it can be easily changed by the user, so you can block the Inbound/Outbound traffic from the P2P processes.

    In the Symantec Endpoint Protection Manager go to Policies >> Firewall >> Edit Firewall Policy >> Rules >> Add Rule >> Click Next

    In the Rule type select Application and click next

    Select Define an Application and Click Next

    In the File Name type the name of the process and click Next

    Click Add More and add the name of other P2P application processes.

    Click Finish.

    Rename the rule to something like "Blocking P2P" so that you can identify.

    Under Action change Allow to Block.

    Under Logging Change it to "Write to Traffic Log".

     

    I also checked "Send Email alert" in logging, and I have successfully blocked all the P2P applications. But I am not getting any email regarding the blocked application.

    Should I create a notification separately for this rule? My requirement is that I should be getting an email from Symantec whenever it blocks the specified application.

    Note: I have already configured the mail server and I am getting mails like client change update, risks, etc.

     

    Please help me to configure a mail alert that sends mails every time it blocks the listed P2P applications.

     

    Thanks in advance,

    Anoop Jeevan.



  • 2.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 01:21 PM

    Did you configure an email server in SEPM?

    Go to Admin tab >> Select your SEP server and click Edit the server properties

    On the Email Server tab, make sure to set this accordingly.



  • 3.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 01:40 PM

    Hi Brian81

    Yes, I have already configured the email server in SEPM and I do get mails every day for "computer list change" & "risk detected" etc.

    What I require now is where I should create a trigger that sends a mail to me when a P2P application is blocked.

    Thank you.

    Anoop Jeevan.



  • 4.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 01:46 PM

    Add a client security alert

    Monitors page >> Notifications >> Notification Conditions

    Select Add >> Client Security Alert

    Check the 'Traffic Events' box and edit everything else as you see fit

     

     



  • 5.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 02:40 PM

    Hi Brian81,

    Thank you for your reply. The client security alert looks like it has general notifications. Is there any option to create a separate notification for the list of applications I have blocked?

    Thanks very much,

    Anoop Jeevan.



  • 6.  RE: How to create a notification email for P2P applications which i blocked
    Best Answer

    Posted Apr 03, 2013 02:46 PM

    Per this KB article, it should be set up this way:

    Setting up notifications for firewall rule violations

    Article:HOWTO81221  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81221

     

    If you set up an email for only that rule, then that is what you will get email alerts on. Shouldn't get it for anything else, unless you configure it that way.



  • 7.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 03:13 PM

    Hi Brian,

    I have already configured the settings; I am attaching a screenshot. Please check. I have opened those applications on a laptop for testing but I am not getting any mail.

    Thank you,

    Anoop Jeevan



  • 8.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 03:22 PM

    Did you also create the security alert in the Monitors page? Check the KB I linked above



  • 9.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 03:40 PM

    Yeah, I have configured the security alert too. Check the attached screenshot.

    Please suggest changes, if any.



  • 10.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 03:46 PM

    Do you have traffic events configured to be sent to the SEPM?

    Clients page >> select your group >> Policies tab >> Under Settings click Client Log Settings

    Under Traffic Log, do you have 'Upload to Management Server' box checked?



  • 11.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 04:07 PM

    Yes, it is checked.

     



  • 12.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 04:11 PM

    Seems odd as that should work.

    Out of curiosity, is it showing up in the log on the client and in SEPM?



  • 13.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 04:22 PM

    Yes Brian,

    I could see BitTorrent being blocked in networkthreatprotection-trafficlog on the client side,

    and in SEPM I don't know where to check for traffic logs. Please assist.

     



  • 14.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 04:28 PM

    Monitors >> Logs

    Set Log Type to Network Threat Protection

    Set Log Content to Traffic

    Click View Log



  • 15.  RE: How to create a notification email for P2P applications which i blocked

    Posted Apr 03, 2013 04:34 PM

    Yeah, I could see BitTorrent being blocked in SEPM logs also.

    Wonder what went wrong with mails.