Endpoint Protection

  • 1.  SEP 12.1 Clients always request the SSL connection to 216.10.195.167

    Posted Mar 09, 2012 03:27 AM

    I have found in the firewall logs that SEP 12.1 clients always request an SSL connection to 216.10.195.167 (it seems to be Symantec's server). Please explain: what is this connection for?

    Thanks



  • 2.  RE: SEP 12.1 Clients always request the SSL connection to 216.10.195.167

    Posted Mar 09, 2012 03:46 AM

    Is it a Checkpoint firewall?

     

    If you use a Checkpoint firewall, there is some issue with SEPM 12.1.

    Try upgrading to SEPM 12.1 RU1.

     

    For your reference: issues resolved in SEPM 12.1 RU1

    http://www.symantec.com/business/support/index?page=content&id=TECH174565

    http://www.symantec.com/business/support/index?page=content&id=TECH167057

     

    Regards

    Santhosh



  • 3.  RE: SEP 12.1 Clients always request the SSL connection to 216.10.195.167

    Broadcom Employee
    Posted Mar 09, 2012 03:51 AM

    https://216.10.195.167 redirects to the Symantec Security Response page, i.e. http://www.symantec.com/security_response/



  • 4.  RE: SEP 12.1 Clients always request the SSL connection to 216.10.195.167

    Posted Mar 09, 2012 03:59 AM

    I must answer my customer. What is it for?

    To Santhosh: Yes, it is Checkpoint, but all clients are 12.1 RU1 and don't have any problem with the VPN client.

    Cheers



  • 5.  RE: SEP 12.1 Clients always request the SSL connection to 216.10.195.167

    Broadcom Employee
    Posted Mar 09, 2012 04:07 AM

    It might be for the Symantec Security Response page to be reflected on the SEPM home page. As for what the traffic from the clients was, maybe running Wireshark could help.



  • 6.  RE: SEP 12.1 Clients always request the SSL connection to 216.10.195.167

    Trusted Advisor
    Posted Mar 09, 2012 05:36 AM

    Hello,

    Could you right-click on the same, "back trace" it, and then click on "who is"? That would provide you the required info.

    216.10.195.167 is a Symantec server.

    https://216.10.195.167  = https://stnd-avpg.crsi.symantec.com

    Check this article:

    Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers

    http://www.symantec.com/docs/TECH162286

    It states:

    The following URLs should be exclusions in the proxy server configuration to allow the traffic described below to the Symantec servers:

    Ping submissions: These submissions are per definition type (AV, for example) and allow Symantec to judge the effectiveness of a set of definitions that are not yet taking any action (Beta detections) based on the number of "Pings" each detection/definition creates. For example, if a detection creates a storm of ping replies to Symantec, this detection may be a false positive detection and will be investigated for effectiveness.

    This system and related URLs are part of Symantec's false positive avoidance system.

    • https://stnd-avpg.crsi.symantec.com

     

    Hope that helps!!!