Endpoint Protection Small Business Edition

  • 1.  SEP blocking inbound traffic to VM in bridge mode

    Posted Sep 03, 2015 03:07 PM

    Hi,

    I have VMs running on my laptop (host) in bridge mode; when trying to access them from the host it works fine.

    When trying to access the VM from another machine on the same network as the host, it is being blocked by SEP.

    Shutting SEP down (sep -stop) and retesting works; Wireshark shows traffic when SEP is off / the filter is allowed.

     

    For this example:

    [Image: SEP_VM.png]

    my host : 192.168.100.1

    my VM : 192.168.100.224

    adjacent machine : 192.168.100.137

     

    Enabled debug logs and got this:

    2015/09/03 09:22:31.186 [11216:5992] TSE3049: *********DROP PACKET**********

    2015/09/03 09:22:31.186 [11216:5992] TSE: SecurityRule = Medium Security Level 1

    2015/09/03 09:22:31.186 [11216:5992] TSE3051: *** DROP PACKET ***

    2015/09/03 09:22:31.186 [11216:5992] ======== TsPacket ====== BA: 1 == protocol: 2 ===

    === EtherII Packet=== len:66==== nic:0=====

    34-02-xx-xx-xx-e0  ---> ac-b5-xx-xx-xx-2b , protocol = 0x800

    051BFAA0

    =========Tcp Segment, len: 32====

    192.168.100.137:49509 -> 192.168.100.224:22    SYN1 ACK0 FIN0 RST0 PSH0 URG0

    SeqNumber: 1292186017,  AckNumber:0,  TcpDataLen: 0, TcpHeadLen: 32

    checksum = 0x348a total sum = 0x0

     

    My question is: how can I allow all traffic to my VMs in bridge mode without SEP intervention?

    For all other scenarios I want SEP to work in normal mode (host, VM in host-only / VM in NAT interface).

     

        Thanks,

     

     



  • 2.  RE: SEP blocking inbound traffic to VM in bridge mode

    Posted Sep 03, 2015 09:07 PM

    Does adding an allow rule for the VMs to talk to one another not work?



  • 3.  RE: SEP blocking inbound traffic to VM in bridge mode

    Posted Sep 04, 2015 09:20 AM

    I have a rule that allows a specific TCP port and it works, but the port is opened on the host too.

     

    My goal is to have all communication between the VM and the assessment machine enabled, but no traffic / only specific traffic allowed to the host.

    In the current scenario of a specific firewall rule I can access the VM on port XXXX, but I can also access the host on that port.

     

    What I think I need is inbound traffic SRC->any to DST->any (on host)/except host IPs at PORT->any and PROTO->any allowed.

     

       Thanks.

     



  • 4.  RE: SEP blocking inbound traffic to VM in bridge mode
    Best Answer

    Posted Sep 16, 2015 01:32 PM

    OK, made lots of progress! (Solved)

     

    Let's start from the debug log:

    2015/09/03 09:22:31.186 [11216:5992] TSE: SecurityRule = Medium Security Level 1

    The security rule is a firewall rule, an implied rule when you select the medium security level (block incoming traffic).

     

    Another item I discovered that might also block inbound traffic if not selected is:

    Firewall configuration -> Category: [Unmatched IP Traffic Setting], Item: [Allow IP Traffic]

     

    To fix this issue I had to create a firewall rule. My laptop is used for security assessments on multiple environments, so a rule based on ports or IPs would be too restrictive.

    What I did instead was to configure an allow-all inbound rule to the VM MAC address.

     

    Note: for a specific application on the host it would probably be better to use the application variable.

     

    Troubleshooting and debugging note: when part of the enterprise policy (at least in the SBS edition) you don't see anything in the traffic log; when your policy is open you can create a log-all rule to actually see the traffic on the SEP client.

      That's it, works!

      Hope it helps you....
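As an added example (not code from the thread or from Symantec), here is a small Python parser for SEP client debug-log "DROP PACKET" blocks like the one posted above. It pulls out the timestamp, the SecurityRule that dropped the packet, the MAC addresses, the flow tuple and the TCP flags, so you can tell whether a bridged VM's traffic is hitting the implied "Medium Security Level" rule or a rule of your own. The field layout is assumed from the single block in the thread (other SEP versions may log different lines), and the sample log is constructed: it is that block plus a second, invented drop against the host with a made-up rule name.

```python
"""Parse SEP client debug-log "DROP PACKET" blocks (TSE3049) into records.

Added example, not Symantec code: the line layout is assumed from the one
block posted in the thread; other SEP versions may log different lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the block from the thread, followed by a second,
# invented drop against the host itself (rule name and ports are made up).
SAMPLE_LOG = """\
2015/09/03 09:22:31.186 [11216:5992] TSE3049: *********DROP PACKET**********
2015/09/03 09:22:31.186 [11216:5992] TSE: SecurityRule = Medium Security Level 1
2015/09/03 09:22:31.186 [11216:5992] TSE3051: *** DROP PACKET ***
2015/09/03 09:22:31.186 [11216:5992] ======== TsPacket ====== BA: 1 == protocol: 2 ===
=== EtherII Packet=== len:66==== nic:0=====
34-02-xx-xx-xx-e0  ---> ac-b5-xx-xx-xx-2b , protocol = 0x800
051BFAA0
=========Tcp Segment, len: 32====
192.168.100.137:49509 -> 192.168.100.224:22    SYN1 ACK0 FIN0 RST0 PSH0 URG0
SeqNumber: 1292186017,  AckNumber:0,  TcpDataLen: 0, TcpHeadLen: 32
checksum = 0x348a total sum = 0x0
2015/09/03 09:25:02.001 [11216:5992] TSE3049: *********DROP PACKET**********
2015/09/03 09:25:02.001 [11216:5992] TSE: SecurityRule = Example Block Rule (constructed)
2015/09/03 09:25:02.001 [11216:5992] TSE3051: *** DROP PACKET ***
=== EtherII Packet=== len:66==== nic:0=====
34-02-xx-xx-xx-e0  ---> 00-11-xx-xx-xx-01 , protocol = 0x800
=========Tcp Segment, len: 32====
192.168.100.137:51000 -> 192.168.100.1:445    SYN1 ACK0 FIN0 RST0 PSH0 URG0
"""

# A TSE3049 line opens a new drop record; TSE3051 is a repeat marker and is ignored.
DROP_START = re.compile(r"^(?P<ts>\S+ \S+) \[[^\]]+\] TSE3049: \**DROP PACKET\**")
RULE_RE = re.compile(r"TSE: SecurityRule = (?P<rule>.+?)\s*$")
MAC_RE = re.compile(
    r"^(?P<src>[0-9a-fx]{2}(?:-[0-9a-fx]{2}){5})\s+--->\s+"
    r"(?P<dst>[0-9a-fx]{2}(?:-[0-9a-fx]{2}){5})"
)
SEG_RE = re.compile(r"^=+(?P<proto>[A-Za-z]+) Segment")
FLOW_RE = re.compile(
    r"^(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<flags>(?:[A-Z]{3}[01]\s*)+)$"
)


@dataclass
class DroppedPacket:
    timestamp: str
    rule: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    flags: Dict[str, bool] = field(default_factory=dict)


def parse_drops(text: str) -> List[DroppedPacket]:
    """Walk the log line by line, attaching detail lines to the current drop record."""
    drops: List[DroppedPacket] = []
    current: Optional[DroppedPacket] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DROP_START.match(line)
        if m:
            current = DroppedPacket(timestamp=m.group("ts"))
            drops.append(current)
            continue
        if current is None:
            continue  # lines before the first DROP PACKET header
        if (m := RULE_RE.search(line)):
            current.rule = m.group("rule")
        elif (m := MAC_RE.match(line)):
            current.src_mac, current.dst_mac = m.group("src"), m.group("dst")
        elif (m := SEG_RE.match(line)):
            current.proto = m.group("proto").upper()
        elif (m := FLOW_RE.match(line)):
            current.src_ip, current.src_port = m.group("sip"), int(m.group("sport"))
            current.dst_ip, current.dst_port = m.group("dip"), int(m.group("dport"))
            # "SYN1 ACK0 ..." -> {"SYN": True, "ACK": False, ...}
            current.flags = {n: b == "1" for n, b in re.findall(r"([A-Z]{3})([01])", m.group("flags"))}
    return drops


def drops_to_host(drops: List[DroppedPacket], ip: str) -> List[DroppedPacket]:
    """Drops whose destination is the given IP (e.g. the bridged VM's address)."""
    return [d for d in drops if d.dst_ip == ip]


def count_by_rule(drops: List[DroppedPacket]) -> Dict[str, int]:
    """How many drops each SecurityRule produced; implied rules show up by their level name."""
    counts: Dict[str, int] = {}
    for d in drops:
        counts[d.rule or "<unknown>"] = counts.get(d.rule or "<unknown>", 0) + 1
    return counts


if __name__ == "__main__":
    for d in parse_drops(SAMPLE_LOG):
        print(f"{d.timestamp} {d.proto} {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} "
              f"flags={[k for k, v in d.flags.items() if v]} rule={d.rule!r}")
```

Run it against a real `sep` debug log instead of `SAMPLE_LOG` and filter with `drops_to_host(drops, "<VM IP>")`: if every drop to the VM carries the "Medium Security Level" rule name, the implied level rule is what is blocking the bridged traffic, and an explicit allow rule (the thread's MAC-based one) is the fix rather than a change to some user rule.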