Endpoint Protection

 View Only

  • 1.  what firewall rule is THIS?

    Posted Oct 16, 2009 08:41 AM
    The logs this AM are filled with entries regarding a test notebook I'm messing with. I setup a group where the firewall would be off...... and instead, I get this!
    Check out that rule name!

    Event Type: UDP datagram
    Event Time: 10/16/2009 07:29:54
    Domain Name: IVRS-SEP1
    Site Name: IVRS-SEP01
    Server Name: VRDSMSEP2
    Group Name: My Company\testing-2-nofirewall
    Computer Name  
    Current: VR999
    When event occurred: VR99
     
    IP Address  
    Current: 111.222.180.120
    When event occurred: 122.222.180.255
     
    Severity: Minor
    Remote Host Name:  
    Remote Host IP: 111.222.180.100
    Network Protocol: UDP
    Local Port: 138
    Remote Port: 138
    Traffic Direction: Inbound
    Occurrence: 1
    Begin Time: 10/16/2009 07:28:52
    End Time: 10/16/2009 07:28:52
    Application Name: C:/WINDOWS/system32/ntoskrnl.exe
    Blocked: Not blocked
    Rule Name: GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    Alert: 0
    Location Name: Default
    User Name: Bill.
    Domain Name: IVRS-SEP1
     


  • 2.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 08:57 AM
    The rule is to allow UDP.

    As far as  I know which I read from the Help file.

    For stateful UDP traffic, when a UDP connection is made, the inbound UDP communication is allowed(same as in your log) even if the firewall rule blocks it. For example, if a rule blocks inbound UDP communications for a specific application, but you choose to allow an outbound UDP datagram, all inbound UDP communications are allowed for the current application session. For stateless UDP, you must create a firewall rule to allow the inbound UDP communication response.

    A UDP session times out after 40 seconds if the application closes the port.

     



  • 3.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 09:03 AM
    HI,

    As you mentioned that the client installed on the machine should not have NTP installed. So, you just confirm that the driver teefer2 des not appear in the properties of the network card. Also, if a rule is being applied, it could be the "Allow All other IP traffic".

    You can check if you can find the rule no. in the logs so that would be a self-explainatory way to determine the exact conditions being applied to the traffic.

    If possible, you can withdraw the firewall policy from that group. You can do so by going to Clients->Policy-> Click on Tasks at extreme right in front of firewall policy-> click on withdraw policy.

    Best,
    Aniket


  • 4.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 09:05 AM
    I do not see this on any other computer, however, and my main work notebook is in the same group, using the same policies and rules.
    This is the line that REALLY has me - look closely at the name of the rule.....
    Rule Name: GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    GUI ?
    NBENABLEYOU ?
    GUICONFIG ?

    Actually, NTP is installed, the config just allows it to be "turned off" or disabled by the client, or end user, and the rules are lax when it's enabled.


  • 5.  RE: what firewall rule is THIS?
    Best Answer

    Posted Oct 16, 2009 09:23 AM
    This rule is client-side.

    On unmanaged clients (or clients in mixed mode or client control), in Network Threat Protection, click Options, then Change Settings.
    In Settings, click Microsoft Windows Networking.
    Here, if you check the box for Browse files and printers on the network, the GUI rule you're seeing is enabled, thus allowing this traffic.

    On managed clients this is enabled by default, with the understanding that Administrators can create a rule that will block this access in the firewall policy, if so desired.


  • 6.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 09:27 AM

    The once which are created automatically during installation have that format these the filenames allowed by default.

    GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    PASS
    / 1
    17
    FileName
    Version
    FileSize
    Description
    MD5sum
    Date
    Misc
    NTOSKRNL.EXE
     
     
     
     
     
     
    kernel32.dll
     
     
     
     
     
     
    MPREXE.EXE
     
     
     
     
     
     
    NWLINK.VXD
     
     
     
     
     
     
    *
     
     
     
     
     
    Type: WINAPP,

    It can be broke down into

    GUI-

    GUI Configuration

    Source Rule

    Enabled

    You are allowing UDP on port number 138 ( ntoskrnl.exe)





  • 7.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 09:28 AM
    Ah, so the NB is network browsing, then ENABLE Not sure what the YOU is.......
    That explains it mostly - not sure why I don't see this on the other computer in the same group........... but at least now I know it's nothing that is from a source outside of the known world.
    Thanks.


  • 8.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 09:32 AM
    I agree, it seems like NB would stand for network browsing...and maybe in this case it does.  However, as an example, there's a default block called @NBBLOCK, where NB stands for NetBIOS.  So, I wouldn't automatically attach NB to mean network browsing.

    ...although, in my personal opinion...you'd think we'd make the names of the rules a little more obvious or understandable.


  • 9.  RE: what firewall rule is THIS?

    Posted Oct 16, 2009 09:37 AM
    My be its NetBIOs

    Indicating that YOU are allowing NetBIOS UDP in and OUT on port 138?