Some of our end users can't print at home because SEP firewall block printing.

User get notification:

The client will block traffic from ip address 192.168.1.74 fo the next 600 seconds.

Client log:

Somebody is scanning your computer. Your computer's UDP ports: 51502, 51512, 51513, 51526 and 61231 have been scanned from 192.168.1.74.

What kind of rule we should create that printing is succesful?

Hi,

What sep version are you using currently ?

traffic should be allowed, go to the Firewall policy ---> Protection and stealth settings--> uncheck 'Automatically block an attacker's IP address'

Look this discussion

https://www-secure.symantec.com/connect/forums/block-ip-0

Hi

Please install the latest version SEP 12.1.2 MP1

Regards

Hi

SEP version is 12.1.100.157 RU 1

uncheck 'Automatically block an attacker's IP

Is that safe? We have 750 clients.

Hi

Can't do that because of company policy.

And if we can then users can print after apply this latest version?

Hello,

Intrusion Prevention Signature is automatically blocking an attacker’s IP address. It blocks network traffic from the attacker for a configurable duration (default 10 minutes)

To create an exception for Intrusion Prevention Policy to allow a specific ID:

1. Open Symantec Endpoint Protection Manager console .
2. Select 'Policies' tab.
3. Under 'View Policies', select 'Intrusion Prevention'.
4. Select Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
5. Select 'Exceptions' tab. 
6. Click on 'Add...' button.
7. Search and select ID blocked.
8. Click on 'Next>>' button.
9. Change 'Action', from 'Block' to 'Allow'. Click on 'OK' button.
10. Check if the exception edited has been added to 'Intrusion Prevention Exceptions' list.
11. Click on 'OK' button for save changes in the Intrusion Prevention policy.

And you can upgrade 12.1.100.157 RU 1 to SEP 12.1.2

Hi

Alright I can test exception. But how I can find right ID what was blocked?

br

Toni

hello,

Please Add the Following IP in Intrusion Prevention System's Exception policy.

That is not good idea. IP could change all the time. Can I see somewhere what was the ID and signature name what was blocked?

It looks to be blocked due to a port scan being detected. You will need to add the printer as an excluded host

Setting up a list of excluded computers

Hmmmm, that's going to be a difficult one.  Google is not providing any relevant results for me.  I suspect the printer is likely just pinging out it's availability, but that this is being interpreted as an attempted port scan.  Can't be sure though.

The main issue is that you cannot know what kind of printer your users have anyway, so even if you get this one printer to work, it may not apply to others.

You can't allow the IP address as this is in your users' homes and you cannot know what IP the printers will be using.

Disabling the port scan detection within the FW policy might be an option, but obviously lowers the security profile.  You may be able to mitigate this increased risk by applying more stringent firewall rules however.

The printer likely is using its "network discovery" setting. You can probably turn this off as well but would need to refer to the manual on how to do this.

Hi

Thanks a lot for help. We need to think what we should do.

This case is done.

Thank you

Toni