SEP 12.1 firewall blocking
Sorry to bring an old post up, as this has already been asked, but we're also facing the same issue, and the previous post wasn't answered.
The solution involved running Wireshark on the affected workstations, which is not feasible in my environment. As I'm receiving logs via Syslog, I guess the message might bring some clarification:
Feb 8 12:07:17 xxx.xxx.xxx.xxx Feb 8 12:07:00 SymantecServer xxxxxx: xxxxxx,Local: 0.0.0.0,Local: 0,Local: 01000C000000,Remote: 0.0.0.0,Remote: ,Remote: 0,Remote: 0011210CABF5,7,1,Begin: 2012-02-08 12:05:09,End: 2012-02-08 12:05:09,Occurrences: 1,Application: ,Rule: Block all other traffic,Location: Default,User: xxxxxx,Domain: xxxxxx,Action: Blocked
The field that normally identifies the protocol is reporting 7, which, if the log maintains its structure, should refer to IP protocol number 7 or CBT (Core-Based Trees). The remote MAC is for a Cisco device but the local one is not listed in any vendors list.
I've allowed IP protocol number 7 on the firewall rules and no log, but it still gets blocked and logged. Can anyone help here?
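
An added example, not part of the original post and not Symantec's own tooling: a small parser for the traffic-log line quoted above that reports what the line itself shows without assigning a meaning to the unlabelled fields. The field order and the comma splitting are assumptions taken from that single sample line; the only outside fact used is that the low bit of a MAC address's first octet (the I/G bit) marks a group address rather than a unicast one.

```python
import re

# Constructed sample: the traffic-log line quoted in the post, outer syslog prefix removed.
SAMPLE = (
    "SymantecServer xxxxxx: xxxxxx,Local: 0.0.0.0,Local: 0,Local: 01000C000000,"
    "Remote: 0.0.0.0,Remote: ,Remote: 0,Remote: 0011210CABF5,7,1,"
    "Begin: 2012-02-08 12:05:09,End: 2012-02-08 12:05:09,Occurrences: 1,"
    "Application: ,Rule: Block all other traffic,Location: Default,"
    "User: xxxxxx,Domain: xxxxxx,Action: Blocked"
)
# Assumption: field order as seen in the sample line above.
LOCAL_KEYS = ("ip", "port", "mac")
REMOTE_KEYS = ("ip", "host", "port", "mac")

def parse_traffic_line(line):
    """Split a line into local/remote values, other labelled fields, and unlabelled ones."""
    body = line.partition(": ")[2]            # drop "SymantecServer <name>: "
    rec = {"local": [], "remote": [], "unlabelled": [], "fields": {}}
    items = body.split(",")                   # assumption: no commas inside values
    rec["fields"]["host"] = items[0]
    for item in items[1:]:
        m = re.match(r"([A-Za-z]+): ?(.*)$", item)
        if not m:
            rec["unlabelled"].append(item)    # e.g. the "7" and "1" discussed in the post
        elif m.group(1) in ("Local", "Remote"):
            rec[m.group(1).lower()].append(m.group(2))
        else:
            rec["fields"][m.group(1)] = m.group(2)
    return rec

def mac_kind(mac):
    """Classify a 12-hex-digit MAC by the I/G bit (low bit of the first octet)."""
    if int(mac, 16) == 0:
        return "none"
    return "group" if int(mac[:2], 16) & 1 else "unicast"

def triage(line):
    """Report what the line shows, without interpreting the unlabelled fields."""
    rec = parse_traffic_line(line)
    local = dict(zip(LOCAL_KEYS, rec["local"]))
    remote = dict(zip(REMOTE_KEYS, rec["remote"]))
    return {
        "addresses_all_zero": {local["ip"], remote["ip"]} == {"0.0.0.0"}
                              and {local["port"], remote["port"]} == {"0"},
        "local_mac": mac_kind(local["mac"]),
        "remote_mac": mac_kind(remote["mac"]),
        "unlabelled": rec["unlabelled"],
        "rule": rec["fields"].get("Rule"),
        "action": rec["fields"].get("Action"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample line it reports a group-addressed local MAC, a unicast remote MAC, and all-zero IP addresses and ports, alongside the two unlabelled values.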