
How to create a notification email for P2P applications which I blocked

Created: 03 Apr 2013 • Updated: 05 Apr 2013 | 14 comments
This issue has been solved. See solution.

Hi ,

I am using SEPManager version 12.1.1101.401. I recently decided to block P2P applications in my office network and I have used the below steps to do so:

3. Blocking Peer to Peer Traffic using Symantec Endpoint Protection Firewall.

You can block the P2P traffic using Symantec Endpoint Firewall. In this case, even if the user has any P2P applications installed, those applications won't be allowed to connect to the internet. It is very difficult to track the port number for the application, as it can easily be changed by the user, so you can block the inbound/outbound traffic from the P2P processes.

In the Symantec Endpoint Protection Manager, go to Policies > Firewall > Edit Firewall Policy > Rules > Add Rule, then click Next.

In the Rule type select Application and click next

Select Define an Application and Click Next

In the File Name type the name of the process and click Next

Click Add More and add the name of other P2P application processes.

Click Finish.

Rename the rule to something like "Blocking P2P" so that you can identify it.

Under Action change Allow to Block.

Under Logging Change it to "Write to Traffic Log".

 

I also checked "Send Email alert" in logging, and I have successfully blocked all the P2P applications. But I am not getting any email regarding the blocked application.

Should I create a notification separately for this rule? My requirement is that I should be getting an email from Symantec whenever it blocks the specified application.

Note: I have already configured the mail server and I am getting mails like client change update, risks, etc.

 

Please help me to configure a mail alert that sends mails every time it blocks the listed P2P applications.

 

Thanks in advance,

Anoop Jeevan.


.Brian's picture

Did you configure an email server in SEPM?

Go to Admin tab >> Select your SEP server and click Edit the server properties

On the Email Server tab, make sure to set this accordingly.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

anoopjeevan's picture

Hi Brian81

Yes, I have already configured the email server in SEPM and I do get mails every day for "computer list change", "risk detected", etc.

What I require now is where I should create a trigger that sends a mail to me when a P2P application is blocked.

Thank you.

Anoop jeevan.

.Brian's picture

Add a client security alert

Monitors page >> Notifications >> Notification Conditions

Select Add >> Client Security Alert

Check the 'Traffic Events' box and edit everything else as you see fit

 

 


anoopjeevan's picture

Hi Brian81,

Thank you for your reply. The client security alert looks like it has general notifications; is there any option to create a separate notification for the list of applications I have blocked?

Thanks very much,

Anoop Jeevan.

.Brian's picture

Per this KB article, it should be set up this way

Setting up notifications for firewall rule violations

Article:HOWTO81221  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81221

 

If you set up an email for only that rule, then that is what you will get email alerts on. Shouldn't get it for anything else, unless you configure it that way.


SOLUTION
anoopjeevan's picture

Hi Brian,

I have already configured the settings; I am attaching a screenshot, please check. I have opened those applications on a laptop for testing but I am not getting any mail.

 

Thank you,

Anoop Jeevan

firewall.jpg
.Brian's picture

Did you also create the security alert in the Monitors page? Check the KB I linked above


anoopjeevan's picture

Yeah, I have configured the security alert too. Check the attached screenshot.

Please suggest changes, if any.

alert.jpg
.Brian's picture

Do you have traffic events configured to be sent to the SEPM?

Clients page >> select your group >> Policies tab >> Under Settings click Client Log Settings

Under Traffic Log, do you have 'Upload to Management Server' box checked?


.Brian's picture

Seems odd as that should work.

Out of curiosity, is it showing up in the log on the client and in SEPM?


anoopjeevan's picture

Yes Brian,

I could see BitTorrent being blocked in the Network Threat Protection traffic log on the client side,

and in SEPM I don't know where to check for traffic logs. Please assist.

 

.Brian's picture

Monitors >> Logs

Set Log Type to Network Threat Protection

Set Log Content to Traffic

Click View Log


anoopjeevan's picture

Yeah, I could see BitTorrent being blocked in the SEPM logs also.

Wonder what went wrong with the mails.