We recently set up a Spiceworks server and it is trying to scan/probe the servers.
SEP is giving this response back, shown in this image:
Where/how do I find in the SEPM Manager what ports SEP thinks it's being attacked on and how to enable them for this specific server IP of the Spiceworks server??
Thank you, Tom
That's from IPS.
Go to IPS; there is an option to uncheck this or create an exclusion for your server.
http://www.symantec.com/business/support/index?page=content&id=TECH116730
Apologies, that's from Firewall rules.
Open SEPM.
Open firewall policies; there is an option to block attackers' IP. If that's your server IP, you can uncheck that or create a rule to allow it.
This info shows in the Security log
In SEPM, you will find the log under Monitors > Logs > Network Threat Protection > Attacks > Event Type: Port Scan
I don't want to turn off that protection setting.
I do want to exclude the Spiceworks server IP address, where do I learn how to make a rule to do this??
The firewall rules go by what type of traffic, not where the traffic comes from...
You can create a firewall rule to allow the SW IP. You either allow ALL traffic from SW or you can allow specific ports if you know them.
Which specific one of the logs?? There's no log called 'security.' :) :)
I did this to allow all traffic in from the Spiceworks server, I'll see what happens.
If you're looking in SEPM, it's under Monitors >> Logs
Set the log type to Network Threat Protection
Set the log content to Attacks
It will show as a Port Scan
Otherwise it's on the Security log on the client itself
OIC -- I did this already, I just now found how to use the Details item to see the ports the scans were blocked on...thank you :) :)
Good deal, happy to help!