Endpoint Protection


NTP not logging events

  • 1.  NTP not logging events

    Posted Feb 20, 2013 01:30 PM

    I have a firewall rule configured in SEPM to log all traffic on all adapters for TCP ports 80 and 443. I'm doing this as a test because when I look at my Network Threat Protection log nothing is there. This rule I've created is set as number 1 in the list of rules. My computer is the only member of this test group. I still have an empty NTP traffic log. I am using version 12.1.1x and I've told my workstation to update its policy. The timestamp appears correct in SEPM.

    Comments, suggestions or thoughts?

    Lawson...



  • 2.  RE: NTP not logging events

    Posted Feb 20, 2013 01:35 PM

    Empty log on client or in SEPM?

    If SEPM, go to the group your machine is in and select the Policies tab

    Under Settings on the right, click on Client Log Settings

    This is where you configure which client logs are sent to SEPM; make sure "Upload to management server" is checked.

    If on the client, go to your firewall policy and select the Rules tab.

    For whichever rule you want to log, make sure the Log column is set to "Write to traffic log".



  • 3.  RE: NTP not logging events

    Posted Feb 20, 2013 01:39 PM

    Brian81 - Thank you for a speedy reply! The log on my workstation is empty. I have verified that "Write to traffic log" is selected, and I've selected the Traffic Log. I came across this when I was trying to view the log of a different workstation this week and there was nothing present on SEPM. When I checked my workstation's 'on board' log, it contained nothing. That is why I created a new rule for port 80, 443 traffic as a test.

    I have recently modified the max log size settings. Could there be a bug in that if too large a number is chosen? I have it set to 2056.



  • 4.  RE: NTP not logging events

    Posted Feb 20, 2013 01:47 PM

    Shouldn't be a bug, I have mine set to much larger.

    Hmm, as long as the policy number on the client matches what is in the SEPM, then that should be fine.

    And you have NTP component obviously otherwise you wouldn't see the option to view logs...

    Do you have a firewall policy assigned to the test group? If you don't, it is essentially in "bypass" mode.

    Do you have other rules in the policy as well or just this? Did you create a separate policy for the test group?



  • 5.  RE: NTP not logging events

    Posted Feb 20, 2013 01:55 PM

    I just noticed that the Windows Integration setting was set to leave the Windows Firewall running. I think this may be part of the issue. I've changed that setting and am rebooting my computer. Yes, I have a non-shared FW Policy for the test group. It contains a copy of the Parent FW Policy, plus the rule I added for port 80, 443, which I set to number 1 position. I think after this reboot I'm going to see entries; I hope.



  • 6.  RE: NTP not logging events

    Posted Feb 20, 2013 01:58 PM

    It is possible that they were conflicting with one another, but I would think you should still see the logging in the SEP traffic log.



  • 7.  RE: NTP not logging events

    Posted Feb 21, 2013 10:52 AM

    I've rebooted with no change, and I've uninstalled/reinstalled SEP on my workstation. Still not logging traffic. Also, I have it set up to where SEP FW was supposed to disable the Windows Firewall, and I also had it set to notify me when WFW was being disabled. I did not receive a message, nor did SEP disable WFW. So I disabled it in the Services snap-in and rebooted again. WFW is off, SEP FW is running, but still no logging.

    I know it is picking up settings from SEPM because yesterday I had to enter the password for uninstalling SEP into SEPM and my workstation picked up the configuration change. I'm out of ideas as to why the SEP FW isn't logging events. My main concern is that other workstations may be experiencing this same anomaly, which would not be a good thing from a forensics perspective.



  • 8.  RE: NTP not logging events

    Posted Feb 21, 2013 11:07 AM

    Do you have the Network Threat Protection component installed?

    How are you checking for 80 and 443 events?

    Do you just open up a browser and try to access websites?

    Check this document:

    How to configure which events are logged on the Symantec Endpoint Protection (SEP) Firewall logs

    http://www.symantec.com/business/support/index?page=content&id=TECH180295
    ============================
    Default / Firewall log parameters in Symantec Endpoint Protection Manager (SEPM) are either not allowing the logging of events related to the rules the customer would like to monitor; or they are logging events which the customer doesn't need to keep track of. Therefore customer would like to customize the firewall log according to his needs.



  • 9.  RE: NTP not logging events

    Posted Feb 21, 2013 11:43 AM

    Rafeeq - Yes, NTP is installed. Yes, I open my browser which has about 7 different web sites in the startup setting so there should be a flurry of Port 80 traffic being logged. I've created a copy of our main firewall rule set, renamed it and assigned it to the Port 80 Test group in SEPM. I've verified the policy version on my computer with the one assigned to the test group in SEPM. Still no logging is happening.



  • 10.  RE: NTP not logging events

    Posted Feb 21, 2013 11:45 AM

    Not sure if it was mentioned, but are you browsing through a proxy over a different port, such as 8080? This could explain it if so.



  • 11.  RE: NTP not logging events

    Posted Feb 21, 2013 11:52 AM

    Brian81 - I've tested while on VPN to our corporate network and also while off of it. In both cases logging is not taking place. I wonder if I deleted the log file on my computer if it would start a new one fresh? Maybe it's a simple file corruption issue. I do not know if removing SEP also removes these logs; if it does then, technically speaking, the log has already been created anew.



  • 12.  RE: NTP not logging events

    Posted Feb 21, 2013 12:00 PM

    Shall we try to create a rule to block something, to check if that puts up some logs?

    What's the log retention setting on your SEPM?



  • 13.  RE: NTP not logging events

    Posted Feb 21, 2013 12:12 PM

    We can do that but the last entry in the rule set is "Block All Other Traffic" and that usually creates quite a bit of content, which isn't happening either. The maximum log size is something like 2056 and retention is 14 days.

    I should also mention that I checked with my Supervisor and his workstation is logging NTP traffic. At that time my computer was a member of the same group in SEPM. I subsequently created the test group so that I could concentrate on my machine. I know of one other computer that isn't logging either, so it's hard to tell how widespread this issue is.



  • 14.  RE: NTP not logging events

    Posted Feb 21, 2013 12:19 PM

    Disable tamper protection and enable the NTP logging.

    TSE debugging

    To enable Extended TSE Debugging for Network Threat Protection, stop the SMC process (smc -stop) and import this registry setting (saved as a .reg file; the version header is required for regedit to import it):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE]
    "ExtendedDebug"=dword:00000001

    Start the SMC service (smc -start)

    http://www.symantec.com/business/support/index?page=content&id=TECH102412



  • 15.  RE: NTP not logging events

    Posted Feb 21, 2013 12:31 PM

    Okay - that is done and I set the log size to the maximum.



  • 16.  RE: NTP not logging events

    Posted Feb 21, 2013 12:41 PM

    Now run ping -l 65000 <target PC>; it should show up in your NTP logs.



  • 17.  RE: NTP not logging events

    Posted Feb 21, 2013 01:02 PM

    The log is still empty. :-(

    I've set the Port 80 rule to Ask so I can have some kind of verification that the rule set is being imported to my workstation.



  • 18.  RE: NTP not logging events

    Posted Feb 21, 2013 01:12 PM

    Any details in the debug log we set earlier? I'm also out of ideas.

    How do you check the logs? Remote desktop? Console session?

    Also check whether this throws an error related to DCOM:

    http://www.symantec.com/business/support/index?page=content&id=TECH91280



  • 19.  RE: NTP not logging events

    Posted Feb 21, 2013 01:17 PM

    This is sounding like a bug of some sort or perhaps a check box was missed somewhere. Running out of ideas though, perhaps a call to support so they can remote to you and review.



  • 20.  RE: NTP not logging events

    Posted Feb 21, 2013 01:39 PM

    I was going to ask you about how to view the debug log but I'm sure I can figure it out. Thanks for reaching out!



  • 21.  RE: NTP not logging events

    Posted Feb 22, 2013 12:16 AM

    Its log is in the product install directory and is named debug.log.
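The procedure spread across posts 14, 16 and 21 (stop SMC, set ExtendedDebug, start SMC, generate traffic, then look at debug.log) as one scripted check. This is an added example, not code from the thread or from Symantec. It assumes the SEP install directory shown in $SepDir, that debug.log lives there as post 21 states, that the script runs elevated, and that Tamper Protection has already been disabled in SEPM as post 14 advises; the target address and the timing waits are placeholders. The registry key and value name are the ones quoted in post 14.

```powershell
# Added example, not from the thread or from Symantec. Run from an elevated
# PowerShell prompt AFTER disabling Tamper Protection in SEPM (post 14); with
# Tamper Protection on, the registry write and smc -stop are expected to be
# blocked. smc -stop may also prompt for the client password if one is set.
# ASSUMPTIONS: the SEP install directory below, and that debug.log lives there
# (post 21). Adjust $SepDir for your build/architecture.
$SepDir  = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection'
$Smc     = Join-Path $SepDir 'smc.exe'
$LogFile = Join-Path $SepDir 'debug.log'
# Key and value name exactly as given in post 14 (TECH102412).
$KeyPath = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE'

function Enable-SepTseExtendedDebug {
    # Same steps as the .reg import in post 14: stop SMC, set the DWORD, start SMC.
    & $Smc -stop
    Start-Sleep -Seconds 5
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'ExtendedDebug' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    & $Smc -start
    Start-Sleep -Seconds 5
    # Return $true only if the value really landed; Tamper Protection can
    # silently revert it, which would leave you waiting for a log that never comes.
    (Get-ItemProperty -Path $KeyPath -Name 'ExtendedDebug').ExtendedDebug -eq 1
}

function Test-SepFirewallLogging {
    param([Parameter(Mandatory)][string]$Target)
    # Generate traffic the OP's rules should record: the oversized ping from
    # post 16 and TCP connects to 80 and 443 for the test rule in post 1. Then
    # compare debug.log size before and after. A file that never grows means the
    # client is not writing anything at all, which is what this thread is chasing;
    # a growing debug.log does NOT by itself prove the Traffic log is being written,
    # so still open the Traffic log in the client UI afterwards.
    $before = if (Test-Path $LogFile) { (Get-Item $LogFile).Length } else { 0 }

    ping.exe -n 2 -l 65000 $Target | Out-Null
    foreach ($port in 80, 443) {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($Target, $port) }
        catch   { }   # a refused or timed-out connect is fine; the outbound attempt is what the rule sees
        finally { $client.Close() }
    }
    Start-Sleep -Seconds 10   # placeholder wait to let SMC flush to disk

    $after = if (Test-Path $LogFile) { (Get-Item $LogFile).Length } else { 0 }
    [pscustomobject]@{
        LogFile     = $LogFile
        BytesBefore = $before
        BytesAfter  = $after
        Grew        = ($after -gt $before)
    }
}

# Usage (192.0.2.10 is a placeholder address; use a host on your own network):
if (Enable-SepTseExtendedDebug) {
    Test-SepFirewallLogging -Target '192.0.2.10'
} else {
    Write-Warning 'ExtendedDebug was not set; is Tamper Protection still enabled?'
}
```

If Grew is $false after the client has been given its policy, that matches the symptom in this thread and is the point at which opening a support case, as post 19 suggests, becomes the sensible next step; if ExtendedDebug never sticks, Tamper Protection is the first thing to re-check.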