Endpoint Protection


How to allow mobile data card traffic in SEPM through firewall rules?


  • 1.  How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 10:55 AM

    Hi,

    We have SEPM 11.0.5 running with over 10.000 clients. Some of these clients are running SEP 11.0.5, others 11.0.7 and others v12.1.

    Until recently, we have had no problem with any provider of mobile data cards in the world. The traffic being generated by them was not being blocked. But recently, some of our users in India have had problems with some newly purchased mobile 3G data cards, as their traffic is being blocked by the SEP Network Threat Protection firewall component.

    The problem I have is that, in the firewall log, the ETHERNET header is always different (sometimes it's 0xAAe, others it's 0xA0B, others it's 0xA82, etc.). So I can't create a policy based on the Ethernet header.

    Can anyone suggest any other way of doing it?


    Thanks!



  • 2.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:09 AM

    Hi,

    Check the NTP logs and find out which firewall rule is blocking it.

    Did you receive any error message?



  • 3.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:12 AM

    Hi Ashish,

    Yes, this is the first thing I did. The rule blocking the traffic is the general one: "Block all other traffic".



  • 4.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:16 AM

    Is it trying to use a specific port?



  • 5.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:24 AM

    Again, the port is also constantly changing: 2690, 2571, 2695, 19069, 41516, 49909, 52170, ...

    I must say that the most repeated one is 2571. Information on this port is not relevant, it can be used by malware, but also by protocol CECSVC.



  • 6.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:26 AM

    Can you dump the log into excel and post here? Just a few lines should do it so we can see the exact coding.



  • 7.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:32 AM

    Sure, here it is. Just a few lines, as an example.

    Attachment: NTPLog.xlsx (10 KB)


  • 8.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:45 AM

    See what happens when you create a policy based on Ethernet but leave the protocol type blank



  • 9.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:49 AM

    I will try that, but... is that advisable really? Won't that allow ALL ethernet traffic?



  • 10.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:56 AM

    That would be up to you. Easiest way is create the Ethernet policy but it sounds like you have multiple people using these cards so that will be a nightmare.

    You could move these users into a custom group and apply the policy allowing this traffic only to them.



  • 11.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 12:01 PM

    Yeah, that's what I figured I would do too. I have created the policy, but I won't be able to test it until tomorrow. Thanks for the help, I will tell you tomorrow how it goes.



  • 12.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Dec 20, 2012 11:57 PM

    Why don't you use application triggers in your firewall rules? As you have said, the ports are constantly changing, but I believe that you have a limited number of applications that should be allowed to use these ports.

    You can read about the application triggers in the SEP Admin guide (please, see page 472). Please, look at the following article too: http://www.symantec.com/business/support/index?page=content&id=HOWTO81237#v10221886



  • 13.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Jan 02, 2013 09:30 AM

    Hi,

    I tested that and it worked as a workaround. I created a specific group and moved the machines that needed to use that 3G data card in there. This is just temporary until I can figure out exactly what policy works for this specific device.

    Thanks for your help Brian. Appreciated. I don't mark this as solved because this is just a workaround.



  • 14.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Jan 02, 2013 09:33 AM

    Thanks for the suggestion, but I don't think using application triggers for allowing traffic is really an option. I know about them and use them to block traffic from and to specific applications, but allowing traffic is too wide. I have no idea what these specific users will need to do (browse internet, ftp, whatever...).



  • 15.  RE: How to allow mobile data card traffic in SEPM through firewall rules?

    Posted Apr 24, 2013 02:17 AM

    For those following this thread:

    12.1 RU2 MP1 introduces the fix for this issue:

    New fixes and features in Symantec Endpoint Protection 12.1 Release Update 2 Maintenance Pack 1

    Article:TECH204685  |  Created: 2013-04-03  |  Updated: 2013-04-12  |  Article URL http://www.symantec.com/docs/TECH204685
    Systems are unable to connect to the network using 3G USB cards after installing Symantec Endpoint Protection firewall
    Fix ID: 2949361
    Symptom: Certain USB 3G cards require the configuration of extensive protocols to allow network traffic to pass through the firewall.
    Solution: Updated Teefer to allow for traffic missing certain header components to be processed.