
SEP firewall block printing in external network

Created: 06 May 2013 | 12 comments

Some of our end users can't print at home because the SEP firewall blocks printing.

Users get this notification:

The client will block traffic from ip address 192.168.1.74 for the next 600 seconds.

 

Client log:

Somebody is scanning your computer. Your computer's UDP ports: 51502, 51512, 51513, 51526 and 61231 have been scanned from 192.168.1.74.

What kind of rule should we create so that printing is successful?

W007 wrote:

Hi,

What SEP version are you currently using?

Traffic should be allowed; go to the Firewall policy ---> Protection and stealth settings ---> uncheck 'Automatically block an attacker's IP address'.

Look at this discussion:

https://www-secure.symantec.com/connect/forums/blo...

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Toni Einiö wrote:

Hi

SEP version is 12.1.100.157 RU 1.

Uncheck 'Automatically block an attacker's IP'

Is that safe? We have 750 clients.

SameerU wrote:

Hi

Please install the latest version, SEP 12.1.2 MP1.

Regards

Toni Einiö wrote:

Hi

Can't do that because of company policy.

And if we can, will users be able to print after applying this latest version?

W007 wrote:

Hello,

The Intrusion Prevention signature is automatically blocking an attacker's IP address. It blocks network traffic from the attacker for a configurable duration (default 10 minutes).

To create an exception in the Intrusion Prevention policy to allow a specific ID:

1. Open the Symantec Endpoint Protection Manager console.
2. Select the 'Policies' tab.
3. Under 'View Policies', select 'Intrusion Prevention'.
4. Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
5. Select the 'Exceptions' tab.
6. Click on the 'Add...' button.
7. Search for and select the blocked ID.
8. Click on the 'Next>>' button.
9. Change 'Action' from 'Block' to 'Allow'. Click on the 'OK' button.
10. Check that the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
11. Click on the 'OK' button to save changes in the Intrusion Prevention policy.

And you can upgrade 12.1.100.157 RU 1 to SEP 12.1.2.


Toni Einiö wrote:

Hi

Alright, I can test the exception. But how can I find the right ID that was blocked?

br

Toni

W007 wrote:

Hello,

Please add the following IP in the Intrusion Prevention System's exception policy.


Toni Einiö wrote:

That is not a good idea. The IP could change all the time. Can I see somewhere what the ID and signature name of what was blocked were?

.Brian wrote:

It looks to be blocked due to a port scan being detected. You will need to add the printer as an excluded host.

Setting up a list of excluded computers

Article: HOWTO81159  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81159

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SMLatCST wrote:

Hmmmm, that's going to be a difficult one. Google is not providing any relevant results for me. I suspect the printer is likely just pinging out its availability, but that this is being interpreted as an attempted port scan. Can't be sure though.

The main issue is that you cannot know what kind of printer your users have anyway, so even if you get this one printer to work, it may not apply to others.

You can't allow the IP address as this is in your users' homes and you cannot know what IP the printers will be using.

Disabling the port scan detection within the FW policy might be an option, but obviously lowers the security profile.  You may be able to mitigate this increased risk by applying more stringent firewall rules however.
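The two client messages quoted earlier in the thread (the "Somebody is scanning your computer" log entry and the "will block traffic ... for the next 600 seconds" notification) carry everything an admin needs to decide between the excluded-host route and leaving the block in place. The script below is an added example, not part of this thread or of any Symantec tooling: it parses constructed copies of those two message formats and applies a simple triage heuristic that is this example's own assumption, not SEP logic. The heuristic flags a source as a candidate for the excluded-hosts list only when it is a non-global address (RFC 1918 and the other IANA special-purpose ranges that Python's `ipaddress` treats as private) and every local port it touched is in the IANA dynamic/ephemeral range (49152 and above), which is the pattern in the original report; anything hitting well-known service ports stays blocked. The 192.168.1.50 line is a constructed contrast case.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample lines in the two message formats quoted in the thread.
# The 192.168.1.74 lines mirror the original report; the 192.168.1.50 lines
# are a made-up contrast case hitting well-known service ports.
SAMPLE_LOG = """\
Somebody is scanning your computer. Your computer's UDP ports: 51502, 51512, 51513, 51526 and 61231 have been scanned from 192.168.1.74.
The client will block traffic from ip address 192.168.1.74 for the next 600 seconds.
Somebody is scanning your computer. Your computer's TCP ports: 22, 23, 80, 135, 139, 445 and 3389 have been scanned from 192.168.1.50.
The client will block traffic from ip address 192.168.1.50 for the next 600 seconds.
"""

SCAN_RE = re.compile(
    r"Your computer's (?P<proto>TCP|UDP) ports: (?P<ports>[\d, and]+?) "
    r"have been scanned from (?P<src>[\d.]+)\."
)
BLOCK_RE = re.compile(
    r"block traffic from ip address (?P<src>[\d.]+) for the next (?P<secs>\d+) seconds",
    re.IGNORECASE,
)

IANA_DYNAMIC_PORT_START = 49152  # start of the IANA dynamic/ephemeral port range


@dataclass
class ScanEvent:
    proto: str
    ports: List[int]
    source: ipaddress.IPv4Address


@dataclass
class BlockNotice:
    source: ipaddress.IPv4Address
    seconds: int


def parse_line(line: str) -> Optional[Union[ScanEvent, BlockNotice]]:
    """Parse one client log line into a ScanEvent or BlockNotice; None if unrecognised."""
    m = SCAN_RE.search(line)
    if m:
        ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
        return ScanEvent(m.group("proto"), ports, ipaddress.ip_address(m.group("src")))
    m = BLOCK_RE.search(line)
    if m:
        return BlockNotice(ipaddress.ip_address(m.group("src")), int(m.group("secs")))
    return None


def parse_log(text: str) -> List[Union[ScanEvent, BlockNotice]]:
    """Parse every recognised line of a pasted client log, skipping the rest."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [event for event in parsed if event is not None]


def triage(event: ScanEvent) -> str:
    """Heuristic assumed by this example (not SEP logic): a non-global source that
    only touched ephemeral local ports looks like a LAN device answering the
    client and is a candidate for the excluded-hosts list; anything else stays blocked."""
    private_source = event.source.is_private
    only_ephemeral = all(p >= IANA_DYNAMIC_PORT_START for p in event.ports)
    if private_source and only_ephemeral:
        return "candidate-for-excluded-host"
    return "keep-blocked"


def summarize(text: str) -> dict:
    """Map each scanning source IP to its triage verdict and the block duration reported for it."""
    events = parse_log(text)
    verdicts = {str(e.source): triage(e) for e in events if isinstance(e, ScanEvent)}
    durations = {str(b.source): b.seconds for b in events if isinstance(b, BlockNotice)}
    return {ip: {"verdict": v, "block_seconds": durations.get(ip)} for ip, v in verdicts.items()}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['verdict']} (blocked for {info['block_seconds']} s)")
```

Running it on a log pasted from the client gives one line per blocked source, which is enough to see whether the entries are all home-LAN devices hitting ephemeral ports (the pattern that makes the per-printer excluded-host approach workable) or whether some of them are genuine probes of service ports that the block should keep catching.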

.Brian wrote:

The printer likely is using its "network discovery" setting. You can probably turn this off as well but would need to refer to the manual on how to do this.


Toni Einiö wrote:

Hi

Thanks a lot for the help. We need to think about what we should do.

This case is done.

Thank you

Toni