Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

how to open ping in EP?

Created: 26 Dec 2007 • Updated: 21 May 2010 | 9 comments

I can't ping to my PC when I installed Endpoint Protection 11. I tried going to the network protection configuration but nothing about ping or ports to configure there.

So, how do I allow ping to my PC? Also, how to allow certain ports to come into my PC? Like for eg, I am hosting http server on my PC.

I tried Disable Symantec EP and ping works. When I enable ping blocked again. So it must be blocked by EP.



Message Edited by kfliong on 12-26-2007 01:57 AM

Comments 9 CommentsJump to latest comment

Paul Murgatroyd's picture

by default our ruleset allows outgoing traffic, but because ICMP isn't stateful we don't allow it back in - you would need to create a rule to allow ICMP command 0 incoming (echo reply) in order for ping responses to be received.

equally, you can create rules to allow traffic into your PC in the same way... post back if you need more assistance.

hth

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Tarsier's picture
On the SEPM/server that I just installed, the default firewall rules include the "ICMP: type = 0" setting (enabled).  The rule is enabled at the "Global" group level, and clients installed in our "Standard Clients Group" (set to inherit policies from the Global group) show that the same policy is applied to the group.  None of the clients in the group will respond to pings when SEP is enabled.  To try and get pings working, I added a rule to open port 7 (echo port) on both UDP and TCP, and that made no difference.  The firewall rule "says" that ICMP is fully enabled (types 0, 8, and 11), but ping is still blocked.  Windows firewalls are turned off, and pinging only works when SEP is disabled.
 
How do we really enable ICMP if the firewall says it's enabled, but it still doesn't work?

---------------- Things turn out best for the people who make the best of the way things turn out. -John Wooden-

kfliong's picture

Can you please teach me how to allow ping or certain IP into client PCs? I am now testing EP on my PC and do not have the EP server installed yet. But our license does allow us to upgrade. So, I would like to make sure this new version is working fine before upgrading all the client PCs and servers.

Tecks's picture

I am also having trouble with this. I am not sure the steps or where to create the rule. Any help would be greatly appreciated.

thavaht's picture

Did you ever get the answer to this question? I've changed from Corporate Edition to EP and I'm facing the same problem.  I've tried the documentation but still in trouble. Need a help, thanks in advance.



Message Edited by thavaht on 06-17-2008 01:13 PM

Michael Wozniak's picture

From what I have been told from a support representative is that the firewall portion of EP is not meant to be run in unmanaged mode.  There are no rule management interfaces on an unmanaged client that will allow you to configure that part of the software.  I ended up uninstalling EP and re-installing without the firewall portion.  If you are going to run the client under the management of an EP server, you should be able to configure the rules there.  I currently do not have an EP server running, so I can't tell you how easy or difficult this is.

Abhishek Pradhan's picture

How ping works at the grassroot level -

When the ping program begins execution, it opens a raw socket sensitive only to ICMP. This means two things:

On output: the sending of ICMP Echo Requests, the program is required to format the ICMP message. The system will provide the IP header and the Ethernet (usually) header.
On input: the program must examine all ICMP messages coming in and cull out the items of interest.


Allow ICMP in the firewall ruleset, and move the rule to the top of the effective ruleset.


Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

thavaht's picture

In fact, as refered by Tarsier on 12-26-2007, after server installation, the default firewall rules include ICMP (types 0, 8, and 11) enabled. All I've done is to Move Up the rule to the top; however nothing changed. To ping a client I have to disable the Network Threat Protection on it (?).

Kelel's picture

It's simple resolution for this. You must open firewall rules for your group policy. Find default ping rule (in my case it is 9 rule), next go to under "service" column and open it. Now change the ICMP type=8 (the packet direction) from default outgoing to incoming. Updates yours clients and enjoy.