
SEP Hidden Firewall Rule

Created: 23 Apr 2013 • Updated: 23 Apr 2013 | 4 comments
SMLatCST:

There appears to be a hidden firewall rule to always allow the SEP client to heartbeat to the SEPM.

i.e. even with a firewall rule that blocks all traffic as priority 1, a client is still able to heartbeat.

Does anyone have any documentation on this rule? As far as I can tell, this is locked to the smc.exe process, but are there any other conditions/triggers on it (file hash/directory/port/service/remote host/etc.)?

<EDIT> Referenceable documentation is what I'm after, for purposes of design rationale </EDIT>

Thanks all!


_Brian:

Set the client to Mixed Mode so you can view the firewall rules. Follow this KB article:

How to view the firewall rules on a managed SEP client.

Article:TECH104877  |  Created: 2008-01-07  |  Updated: 2012-04-24  |  Article URL http://www.symantec.com/docs/TECH104877


You may also need to enable TSE debugging.

Steps are here:

How to debug the Symantec Endpoint Protection client

Article:TECH102412  |  Created: 2007-01-06  |  Updated: 2013-03-27  |  Article URL http://www.symantec.com/docs/TECH102412


What happens if you block 8014?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
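The thread's test ("what happens if you block 8014?") comes down to one observation: after a block-all rule is applied, does smc.exe still open connections to the SEPM on its heartbeat port? The script below is an added example, not code from the thread or from Symantec, that lets an admin record that observation on a client. It assumes the SEPM heartbeat uses TCP 8014 (the port named in the thread) and that the client process is smc.exe; it reads `netstat -ano` rather than `Get-NetTCPConnection` so it works on the Windows versions current when the thread was written.

```powershell
# Added example (not from the thread): poll the local TCP table and report any
# connections owned by smc.exe to the SEPM heartbeat port. Run it once with no
# block rule to record a baseline, then again with the priority-1 block-all rule
# in place; rows appearing in the second run show the heartbeat is still allowed.
# Assumptions: SEPM listens on TCP 8014 (as in the thread); the client process is
# smc.exe. Heartbeats are periodic, so the table is sampled several times.

param(
    [int]   $SepmPort        = 8014,   # SEPM heartbeat port named in the thread
    [string]$ProcessName     = 'smc',  # process name without .exe
    [int]   $Samples         = 12,     # how many times to read the TCP table
    [int]   $IntervalSeconds = 5       # pause between samples
)

function Get-SepHeartbeatConnections {
    param([int]$Port, [string]$Name)

    # Build a PID -> process-name map once so each netstat row can be labelled.
    $procById = @{}
    Get-Process | ForEach-Object { $procById[$_.Id] = $_.ProcessName }

    # Windows netstat output: "  TCP    local:port    remote:port    STATE    PID"
    netstat -ano -p TCP | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            $owningPid  = [int]$Matches[4]
            # Works for IPv4 "1.2.3.4:8014" and IPv6 "[::1]:8014" alike.
            $remotePort = [int]($Matches[2] -split ':')[-1]
            [pscustomobject]@{
                Process    = $procById[$owningPid]
                PID        = $owningPid
                Local      = $Matches[1]
                Remote     = $Matches[2]
                RemotePort = $remotePort
                State      = $Matches[3]
            }
        }
    } | Where-Object { $_.Process -eq $Name -and $_.RemotePort -eq $Port }
}

function Watch-SepHeartbeat {
    param([int]$Port, [string]$Name, [int]$Count, [int]$Interval)

    # A single snapshot can miss a short-lived heartbeat, so sample repeatedly
    # and keep one row per distinct remote endpoint/state pair.
    $seen = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $seen += Get-SepHeartbeatConnections -Port $Port -Name $Name
        if ($i -lt $Count - 1) { Start-Sleep -Seconds $Interval }
    }
    $seen | Sort-Object Remote, State -Unique
}

$hits = Watch-SepHeartbeat -Port $SepmPort -Name $ProcessName -Count $Samples -Interval $IntervalSeconds
if ($hits) {
    "$ProcessName.exe connections to TCP/$SepmPort observed:"
    $hits | Format-Table Process, PID, Local, Remote, State -AutoSize
} else {
    "No $ProcessName.exe connections to TCP/$SepmPort observed in $Samples samples."
}
```

The comparison between the two runs is the evidence: an empty result with the block rule active means the rule reached smc.exe; a non-empty result means the client's traffic bypassed the admin-defined rule, which is the behaviour the thread is asking Symantec to document. Pair it with the "Last connected" time for the client in the SEPM console, since a connection attempt seen locally does not by itself prove the heartbeat was accepted.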

SMLatCST:

Hey Brian,

I'm giving you a "Thumbs Up" for your PM rather than the above post. As you're well aware, the hidden rule applies with a higher priority than anything a SEP admin can apply, so any rules we make have no impact.

Just FYI for others, at least one other instance of hidden SEP FW rules is identified in the below article:
http://www.symantec.com/docs/TECH158340

Still would like documentation if any exists.

_Brian:

Can't find any other documentation on this specifically, other than what I posted or you posted, but after testing this a bit, it appears Symantec processes are exempt.

SMLatCST:

Yeah, that's consistent with the results of my own testing.

To be fair, for the purposes of documentation, I just need a statement from Symantec that certain actions are always allowed through the SEP Firewall and what they are, not necessarily how the rule is configured.