Endpoint Protection

  • 1.  Funny issue with NTP

    Posted Aug 10, 2009 12:26 PM
    Hello Folks,

    I'm facing a rather queer issue with the NTP component / signatures for SEP. It seems to be blocking traffic from my test systems to the site LinkedIn. If I switch NTP off, the site can be accessed properly.

    I worked with a Wireshark capture, and also tried analyzing the Traffic logs for SEP (NTP), but can't seem to figure out what the heck the issue is.

    Anyone else face the same problem?




  • 2.  RE: Funny issue with NTP

    Posted Aug 11, 2009 05:44 AM
    Hi Pradhan,

       I would suggest you try disabling the firewall policy on the SEPM and then activate NTP on the client that is having the problem.

    If you still cannot access the website then the problem might be with IPS.

    If you can access it, then it's definitely one of your firewall rules that blocks it.
    Make sure all rules are set to log matches to the traffic log.
    Then enable the Firewall policy again. Try going to the website and then check traffic log.

    If the firewall blocked some packets because they matched a rule, you will have an entry in the client's traffic log; the last column will contain the "guilty" rule (which you can then rethink).


  • 3.  RE: Funny issue with NTP

    Posted Aug 11, 2009 07:23 AM
    If NTP is blocking, then I guess there has to be a blocked log. Could you please check in the logs?
    This would give an idea on the exception to be created.


  • 4.  RE: Funny issue with NTP

    Posted Aug 11, 2009 10:35 AM
    You should create a firewall policy to exclude the site from blocking.


  • 5.  RE: Funny issue with NTP

    Posted Aug 12, 2009 03:05 AM
    Put the client in Client mode or Unmanaged ... review the logs ... check which exact policy is blocking the website, then modify that policy.


  • 6.  RE: Funny issue with NTP
    Best Answer

    Posted Aug 12, 2009 03:25 AM
    Ok. Definitely an issue with the Signatures for 30th July. I did a rollback to previous defs and it's working now.....

    Like they say, when the going gets weird, the weird turn pro.....hehe :D

    Cheers and tks all for the inputs.