After a company-wide upgrade to Windows 7 and SEP 12.1, all of a sudden our firewall device was being overwhelmed with too many open connections -- at times a single workstation would have close to 200 outbound HTTP connections open, and there would be close to 100 DNS connections being forwarded from our internal DNS servers. Sometimes there are 8 or 9 connections between the same two endpoints.
It appears that connections are opened, a little data is transmitted, and then they go idle, and a few seconds later another connection is opened but the idle ones aren't closed.
The vendor's technical support rightly pointed out the vast number of different DNS and HTTP connections that might result from a visit to a single site such as Facebook. Their solution was to crank down on timeout values, which we've done, something that has its own ramifications.
But I'm wondering: These connections are being initiated by internal workstations and it's up to the client to send a FIN packet to indicate a connection should be closed.
In the context of Symantec Endpoint Protection, is there a possibility that Network Threat Protection or Proactive Threat Protection is eating the FIN packets and keeping the firewall from closing connections?
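One way to narrow down whether the workstation is actually sending FINs is to look at the TCP state table on the workstation itself and compare it with what the firewall reports. The following is an added example (not from the original post, and not a Symantec or vendor tool) that parses `netstat -ano` style output as printed on Windows, groups connections per remote endpoint, and flags endpoints with many connections sitting in ESTABLISHED. The sample netstat text is constructed, and the threshold of three connections is an assumption chosen for illustration.

```python
"""Summarise TCP connection state per remote endpoint from `netstat -ano` output.

Added example, not part of the original post. The sample below is constructed
to resemble Windows `netstat -ano` output. Reading it: a pile of ESTABLISHED
connections to one endpoint that never progress to FIN_WAIT_*/TIME_WAIT means
the local side has not sent (or not completed) its close; CLOSE_WAIT means
the peer's FIN arrived and the local process has not yet closed its socket,
so at least inbound FINs are reaching the stack.
"""
from collections import Counter, defaultdict

# Constructed sample (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49152        203.0.113.10:80        ESTABLISHED     4120
  TCP    10.0.0.15:49153        203.0.113.10:80        ESTABLISHED     4120
  TCP    10.0.0.15:49154        203.0.113.10:80        ESTABLISHED     4120
  TCP    10.0.0.15:49155        203.0.113.10:80        CLOSE_WAIT      4120
  TCP    10.0.0.15:49156        203.0.113.10:80        FIN_WAIT_2      4120
  TCP    10.0.0.15:49160        203.0.113.25:443       ESTABLISHED     4120
  TCP    10.0.0.15:49161        203.0.113.25:443       TIME_WAIT       0
  TCP    10.0.0.15:49170        198.51.100.7:80        ESTABLISHED     2288
  UDP    10.0.0.15:53124        *:*                                    1044
"""


def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for the TCP rows only.

    UDP rows have no State column (4 fields) and the header has 7 fields,
    so selecting rows with exactly 5 fields starting with 'TCP' is enough.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _proto, local, remote, state, pid = parts
            conns.append((local, remote, state, int(pid)))
    return conns


def summarize(conns):
    """Map each remote endpoint to a Counter of TCP states."""
    by_remote = defaultdict(Counter)
    for _local, remote, state, _pid in conns:
        by_remote[remote][state] += 1
    return by_remote


def suspicious_endpoints(summary, threshold=3):
    """Remote endpoints with at least `threshold` ESTABLISHED connections.

    The threshold is an assumed value for illustration; many parallel
    connections to a busy web host are normal, so this only points at
    where to compare the workstation's state table against the firewall's.
    """
    return {remote: counts for remote, counts in summary.items()
            if counts["ESTABLISHED"] >= threshold}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    summary = summarize(conns)
    for remote, counts in sorted(summary.items()):
        print(remote, dict(counts))
    print("endpoints with many ESTABLISHED connections:",
          sorted(suspicious_endpoints(summary)))
```

To use it on a real workstation, feed the output of `netstat -ano` into `parse_netstat` instead of the constructed sample, then compare the per-endpoint counts and states with the firewall's session table for the same host: connections that the workstation shows in FIN_WAIT or TIME_WAIT but the firewall still shows as open point at the FIN not making it through, while connections the workstation still shows as ESTABLISHED were simply never closed by the client application.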