Endpoint Protection

  • 1.  SEP 12.1 RU1 MP1 - Unexpected records in NTP traffic log

    Posted Aug 07, 2012 05:30 AM

    Hello,

    I am using SEP 12.1 RU1 MP1. I am testing the network threat protection setup before I deploy it on the servers. When testing, I have found unexpected records in the NTP Traffic log.

    There is a standard, not modified rule "Allow ping, pong and tracert" with Log option set up to "NONE" by default. However client log contains records created by this rule.

    There is one more issue: the client log also contains records from the rule "Allow Ipv4 LLMNR from private IP addresses" with severity 3. I am completely confused because the SEPM policy rule named "Allow LLMNR from local ipv4 traffic" has Severity 10 and Log option set to "NONE".

    Where do these records come from? How can I avoid them?



  • 2.  RE: SEP 12.1 RU1 MP1 - Unexpected records in NTP traffic log

    Posted Aug 07, 2012 05:53 PM

    Perhaps your client is in Mixed Control or Client Control mode. Mixed Control means that the firewall rules of SEPM and client will be mixed (rule order depends on the blue line in SEPM firewall policy: rules above the blue line are checked first, then client rules and at last the SEPM rules below the blue line will take effect). In Client Control mode, only the client rules are in effect, the SEPM rules are ignored.

    Check here:

    Clients > [Group] > Policies > Location-specific settings > Client User Interface Control Settings

    If this setting is at Mixed Control or Client Control, the LLMNR rule probably stems from the client firewall rule set. That is even more likely because an "Allow Ipv4 LLMNR from private IP addresses" rule is activated as a client firewall rule by default.

    You can get rid of these entries if you switch to Server Control or disable the corresponding client firewall rule.

    All the above may be valid for the ping/pong rule issue as well, but I don't see such a default rule in Mixed/Client control mode at clients.

    You can test your environment with different settings: Server Control, Mixed Control and Client Control. If suspicious entries only emerge in Mixed/Client Control, it's a client firewall rule that annoys you.

    BTW, did you upgrade your SEPM/clients recently?