Endpoint Protection

  • 1.  Stateful inspection and UDP in 12.1

    Posted Aug 25, 2012 10:42 AM

    Hi,

    in SEP 11, you could choose between stateful and stateless UDP traffic in firewall rules (while TCP traffic was always stateful).

    However, in 12.1 the possibility to choose is gone, and "stateful UDP" isn't mentioned in the documentation anymore (e.g., see How the firewall uses stateful inspection).

    Just out of curiosity: How does the firewall work now?



  • 2.  RE: Stateful inspection and UDP in 12.1



  • 3.  RE: Stateful inspection and UDP in 12.1

    Broadcom Employee
    Posted Aug 25, 2012 11:05 AM

    Check the implementation guide (pg 365).

    The firewall also uses stateful inspection of all network traffic.

    When you define TCP-based or UDP-based service triggers, you identify the ports on both sides of the described network connection. Traditionally, ports are referred to as being either the source or the destination of a network connection.

     

    In the firewall rule, from the Services column, select the protocol dropdown; you can select UDP.

     



  • 4.  RE: Stateful inspection and UDP in 12.1

    Posted Aug 25, 2012 11:50 AM

    But why did Symantec remove the Stateful UDP option in 12.1? Does it work automatically now?

    For clarification, here are two screenshots of (German) SEPMs:

    SEP 11.0

    SEP 12.1

     



  • 5.  RE: Stateful inspection and UDP in 12.1
    Best Answer

    Broadcom Employee
    Posted Aug 25, 2012 12:10 PM

    Yes, in SEP 12.1 stateful is enabled by default.

    Stateful inspection does not support the rules that filter ICMP traffic. For ICMP traffic, you must create the rules that permit the traffic in both directions. For example, for the clients to use the ping command and receive replies, you must create a rule that permits ICMP traffic in both directions.
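
The behaviour described in the last answer, as an added Python sketch that is not part of the thread and not Symantec's implementation: a simplified model in which outbound UDP creates a state entry that admits the reply, while ICMP is matched against rules only. The class names, the 60-second timeout and the sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "icmp"
    direction: str   # "out" or "in", relative to the client
    src: str
    sport: int       # 0 for ICMP
    dst: str
    dport: int       # 0 for ICMP

@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str                # "out", "in" or "both"
    dport: Optional[int] = None   # None matches any port

class Firewall:
    TRACKED = {"udp"}   # ICMP is not tracked, per the answer above

    def __init__(self, rules, udp_timeout=60):   # timeout is an assumed value
        self.rules, self.udp_timeout, self.flows = rules, udp_timeout, {}

    def _rule_allows(self, p):
        return any(r.proto == p.proto and r.direction in (p.direction, "both")
                   and r.dport in (None, p.dport) for r in self.rules)

    def allow(self, p, now):
        if p.proto in self.TRACKED:
            # A reply is the reversed tuple of a flow seen recently.
            reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
            seen = self.flows.get(reverse)
            if seen is not None and now - seen <= self.udp_timeout:
                return True
        if not self._rule_allows(p):
            return False
        if p.proto in self.TRACKED:
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
        return True

def demo(icmp_direction):
    # Constructed sample traffic: a DNS query/answer and a ping/echo reply.
    fw = Firewall([Rule("udp", "out", 53), Rule("icmp", icmp_direction)])
    c, s = "10.0.0.5", "10.0.0.1"
    return [fw.allow(Packet("udp", "out", c, 40000, s, 53), now=0),
            fw.allow(Packet("udp", "in", s, 53, c, 40000), now=1),
            fw.allow(Packet("udp", "in", s, 53, c, 40000), now=120),
            fw.allow(Packet("icmp", "out", c, 0, s, 0), now=2),
            fw.allow(Packet("icmp", "in", s, 0, c, 0), now=3)]
```

`demo("out")` lets the UDP answer in on state alone but drops the echo reply; `demo("both")` is the two-direction ICMP rule the answer calls for. The third packet shows a late UDP answer being dropped once the state entry has aged out.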