SEP Network Threat Protection blocking network unexpectedly.
Created: 15 Mar 2010 | 15 comments
Hi.
SEP Network Threat Protection is blocking the network unexpectedly after running for a day or so on the client. Is there anyone who can help me with my problem? I've got a problem with unwanted, unexpected blocking of network traffic on clients. After a restart, the client works fine during the workday; the next day all applications that need a network connection fail. This happens on clients with SEP Network Threat Protection installed and enabled; those that don't have network protection installed work fine. We are using SEP 11.0.5.333 on WinXP SP3 and Server 2003 R2 SP2.
I’m grateful for tips on this matter.
Regards GWD ;D
Comments
Check the Traffic and Packet logs and see what traffic is generated during this period that SEP NTP is blocking. Then we can create exceptions for that.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Thank you for your reply.
I looked at all entries in the traffic log, 2016 records, the first on 9 March. In the traffic log all entries are like those from the 12th and the 15th, except for two entries on the 13th, which have different MAC addresses. In the packet log there are no entries.
As far as I can see, the blocking of traffic is not a consequence of the rules, but something happens during the nights, at different times. By looking in the event log I can see that there are problems contacting the domain.
This occurs only on those that have NTP installed, and mostly on those who keep the computer on until the next day; exceptionally some got this problem during the daytime, after some hours of work. I have installed NTP on a stationary PC to test this as well, and every morning I have the problem.
I'm grateful for further ideas in this matter, thank you.
Regards GWD ;D
Traffic log
15.03.2010 12:48:09 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 12:47:54 15.03.2010 12:47:54 Block all other traffic
15.03.2010 12:48:09 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 12:47:54 15.03.2010 12:47:54 Block all other traffic
13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xD99] 0.0.0.0 14-03-D8-A4-38-17 0 0.0.0.0 17-0D-98-02-0A-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xFE08] 0.0.0.0 02-03-46-62-12-38 0 0.0.0.0 61-12-38-BE-08-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
12.03.2010 13:04:08 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:03:06 12.03.2010 13:03:06 Block all other traffic
12.03.2010 13:04:08 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:03:06 12.03.2010 13:03:06 Block all other traffic
12.03.2010 13:03:57 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:02:56 12.03.2010 13:02:56 Block all other traffic
12.03.2010 13:03:57 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:02:56 12.03.2010 13:02:56 Block all other traffic
From the NTP logs, find out which rule is blocking the traffic and modify it to allow the traffic.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Keep the rule "Block all other traffic" as the last rule in the firewall policy and try.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Hi again.
I have made no changes to the default rules, and the rules can only be changed from the management console. The last rule is "Block all other traffic".
;D
Are you facing any particular problem because of this?
Some applications not working, etc.?
Your logs look like there is some unwanted traffic present in the network and SEP is blocking it.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Hi.
I've got a problem with all programs that need a network connection when the problem occurs. This unwanted traffic, I don't know what it is; no MAC address, this is strange.
Thanks, regards ;D
Just for testing, set the action for "Block all other traffic" to Allow and see.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Allowed
OK, so that is done, and now we have to wait until tomorrow for the result.
;D
Hi.
I'm not an experienced user here ;D I just discovered the possibility of file attachment, so I hope my policy file can clarify some things here.
Thanks
Regard GWD ;D
.dat didn't work, so I renamed the file.
Last night
Hi.
Since yesterday I have run NTP on my PC allowing all other traffic, as shown in the log. It makes no difference. When disabling NTP the traffic starts on the network immediately; most of the applications are down, but some I can run again.
There are no entries in the packet log, but the traffic looks like this.
There are no newer entries than this record, looking at this at 07:35 this morning.
16.03.2010 19:14:32 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 19:14:21 16.03.2010 19:14:21 Block all other traffic
Regards GWD ;D
Traffic log
16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
16.03.2010 07:42:04 Blocked 15 Incoming ETHERNET [type=0xF10] 0.0.0.0 14-03-04-75-23-9E 0 0.0.0.0 EB-17-7C-D1-0A-03 0 gwd SMNL Default 1 16.03.2010 07:41:02 16.03.2010 07:41:02 Block all other traffic
16.03.2010 07:42:04 Blocked 15 Incoming ETHERNET [type=0xEE0A] 0.0.0.0 04-42-28-F0-16-DF 0 0.0.0.0 DF-ED-0A-03-14-03 0 gwd SMNL Default 1 16.03.2010 07:41:02 16.03.2010 07:41:02 Block all other traffic
15.03.2010 17:45:26 Blocked 15 Incoming ETHERNET [type=0x666D] 0.0.0.0 10-73-71-72-69-67 0 0.0.0.0 6B-28-01-02-02-03 0 gwd SMNL Default 1 15.03.2010 17:45:15 15.03.2010 17:45:15 Block all other traffic
15.03.2010 15:04:42 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 15:04:31 15.03.2010 15:04:31 Block all other traffic
15.03.2010 15:04:42 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 15:04:31 15.03.2010 15:04:31 Block all other traffic
Just for testing
Add a blank rule and push it to the top. By default a blank rule is "allow all".
MR6
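Two pieces of advice in this thread lend themselves to a worked example: Prachand's "check what the traffic log shows NTP blocking during that period", and the rule-ordering point made by Aravind and MR6 (keep "Block all other traffic" as the last rule; a blank rule at the top allows everything). The script below is an added example written for this page, not code from Symantec or from anyone in the thread. It parses the exact log lines GWD pasted (the column names are my reading of the positional fields, not SEP's documented export layout), classifies each frame by EtherType and destination MAC, and then simulates first-match evaluation of a small ordered policy. The rule predicates, the "Allow IP" rule and the IPv4 frame used in the ordering test are constructed for the demonstration.

```python
import re
from collections import Counter

# Sample input copied from the traffic-log lines GWD pasted in this thread (one of each kind).
SAMPLE_LOG = """\
15.03.2010 12:48:09 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 12:47:54 15.03.2010 12:47:54 Block all other traffic
13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xD99] 0.0.0.0 14-03-D8-A4-38-17 0 0.0.0.0 17-0D-98-02-0A-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xFE08] 0.0.0.0 02-03-46-62-12-38 0 0.0.0.0 61-12-38-BE-08-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
12.03.2010 13:04:08 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:03:06 12.03.2010 13:03:06 Block all other traffic
16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
"""

# Column names are my reading of the positional fields in the pasted lines (assumption),
# not SEP's documented export format.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>Allowed|Blocked) (?P<severity>\d+) "
    r"(?P<direction>\w+) (?P<proto>\w+) \[type=(?P<ethertype>0x[0-9A-Fa-f]+)\] "
    r"(?P<src_ip>\S+) (?P<src_mac>\S+) (?P<src_port>\d+) "
    r"(?P<dst_ip>\S+) (?P<dst_mac>\S+) (?P<dst_port>\d+) "
    r"(?P<user>\S+) (?P<domain>\S+) (?P<location>\S+) (?P<count>\d+) "
    r"(?P<begin>\S+ \S+) (?P<end>\S+ \S+) (?P<rule>.+)$"
)

# Well-known EtherType values from the IEEE registry. 0x8808 sent to 01-80-C2-00-00-01
# is an 802.3x PAUSE frame: switch-port flow control, not traffic from a host stack.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
                    0x8100: "802.1Q VLAN", 0x8808: "802.3x MAC Control", 0x88CC: "LLDP"}
PAUSE_DST = "01-80-C2-00-00-01"
IP_TYPES = (0x0800, 0x86DD)


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ethertype"] = int(rec["ethertype"], 16)
    rec["count"] = int(rec["count"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def is_group_mac(mac):
    # Bit 0 of the first octet set marks a multicast/broadcast (group) address.
    return int(mac.split("-")[0], 16) & 1 == 1


def classify(rec):
    et = rec["ethertype"]
    if et == 0x8808 and rec["dst_mac"] == PAUSE_DST:
        return "ethernet-pause"            # link-level flow control, never IP
    if et < 0x0600:
        return "802.3-length-field"        # value is a frame length, not a type
    if et in KNOWN_ETHERTYPES:
        return "known:" + KNOWN_ETHERTYPES[et]
    return "unregistered-ethertype"        # nothing a normal host stack emits


def summarize(records):
    """Counts per (action, class) plus the frames that deserve a second look."""
    counts = Counter((r["action"], classify(r)) for r in records)
    oddities = [
        f"{r['date']} {r['time']} type=0x{r['ethertype']:04X} {r['src_mac']} -> {r['dst_mac']}"
        + (" (group dst)" if is_group_mac(r["dst_mac"]) else "")
        for r in records if classify(r) == "unregistered-ethertype"
    ]
    ip_hits = sum(1 for r in records if r["ethertype"] in IP_TYPES)
    return {"counts": counts, "oddities": oddities, "ip_hits": ip_hits}


# --- first-match rule ordering, the way an ordered firewall policy is read top-down ---
# Rules and the IPv4 frame below are constructed for the demonstration, not from the thread.
ALLOW_IP = ("Allow IP", "Allowed", lambda r: r["ethertype"] in (0x0800, 0x0806, 0x86DD))
BLOCK_REST = ("Block all other traffic", "Blocked", lambda r: True)
BLANK = ("Blank rule", "Allowed", lambda r: True)   # a blank rule matches everything
IPV4_FRAME = {"ethertype": 0x0800, "src_mac": "00-11-22-33-44-55", "dst_mac": "00-11-22-33-44-66"}


def first_match(rules, frame):
    for name, action, pred in rules:
        if pred(frame):
            return name, action
    return "no rule", "Allowed"


def evaluate(rules, records):
    """How many records each rule name claims under first-match evaluation."""
    return Counter(first_match(rules, r)[0] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    for (action, kind), n in sorted(s["counts"].items()):
        print(f"{n:3d}  {action:8s} {kind}")
    print("IP frames in log:", s["ip_hits"])
    for line in s["oddities"]:
        print("odd:", line)
    print("catch-all last :", dict(evaluate([ALLOW_IP, BLOCK_REST], recs)))
    print("blank rule top :", dict(evaluate([BLANK, ALLOW_IP, BLOCK_REST], recs)))
    print("catch-all first:", first_match([BLOCK_REST, ALLOW_IP], IPV4_FRAME))
```

Run over the pasted lines, the summary shows that every entry is a non-IP link-layer frame caught by the catch-all rule: PAUSE frames from the switch port, plus two frames with EtherTypes that are neither registered types nor valid 802.3 lengths, both addressed to group MACs. Nothing in these entries shows IP traffic to the domain being blocked, which fits GWD's observation that the rule log alone does not explain the outage. The ordering simulation shows the other two points: with "Block all other traffic" last, only the non-IP frames reach it; with a blank rule on top, every frame is claimed by the blank rule and the rules below it never fire; with the catch-all moved first, even ordinary IPv4 is blocked.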
Just try to migrate your client to the latest SEP package.
Or there might be some virus in your network; if you allow all other traffic, your client will be at risk.
Don't remove NTP from the clients; it protects your machine over the network.
Just check the firewall rules, or allow only the ports of the blocked applications,
and also exclude the blocked application's server IP in the IPS policy as well.