Endpoint Protection

 View Only
Back to discussions
Expand all | Collapse all

SEP Client block traffic from SEPM

  • 1.  SEP Client block traffic from SEPM

    Posted Apr 13, 2016 04:25 PM

    Hi guys!

    A user has report some PC's that doesn't appear on the console but, according to the troubleshooting option, the client it is connected to SEPM. Looking in the client logs, I found that the client is blocking all traffic from the SEPM to the client because it's scanning UDP ports on the clients machine.

    I'm running a full scan in both, client and server, but at this moment hasn´t found anything.

    Hope anyone can help me.

    Greetings!



  • 2.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 04:26 PM

    Can you post the traffic log showing this?



  • 3.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 05:44 PM

    At this moment I don't have access to the clients, will post it as soon as I can get them.



  • 4.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 06:18 PM
      |   view attached

    This is the traffic log (the SEPM IP is 10.1.66.10):

    51030	13/04/2016 16:54:34	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56676	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:53:22	13/04/2016 16:53:31	bloquear web	
51031	13/04/2016 16:54:34	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56677	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:53:22	13/04/2016 16:53:31	bloquear web	
51032	13/04/2016 16:54:34	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	80	10.1.66.231	00-21-85-CF-14-B5	56678	C:\Windows\System32\svchost.exe	Servicio de red	NT AUTHORITY	Predet.	3	13/04/2016 16:53:23	13/04/2016 16:53:32	bloquear web	
51033	13/04/2016 16:54:40	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56679	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:53:27	13/04/2016 16:53:36	bloquear web	
51034	13/04/2016 16:54:40	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	60431		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:53:39	13/04/2016 16:53:39	Bloquear el tráfico restante de IP y registrar	
51035	13/04/2016 16:54:45	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56680	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:53:33	13/04/2016 16:53:42	bloquear web	
51036	13/04/2016 16:54:51	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56682	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:53:41	13/04/2016 16:53:50	bloquear web	
51037	13/04/2016 16:55:02	Bloqueado	5	Saliente	UDP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	60434	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:54:02	13/04/2016 16:54:02	bloquear web	
51038	13/04/2016 16:55:13	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56683	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:01	13/04/2016 16:54:10	bloquear web	
51039	13/04/2016 16:55:13	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56685	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:02	13/04/2016 16:54:11	bloquear web	
51040	13/04/2016 16:55:13	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56686	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:02	13/04/2016 16:54:11	bloquear web	
51041	13/04/2016 16:55:25	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56687	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:10	13/04/2016 16:54:19	bloquear web	
51042	13/04/2016 16:55:36	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	59015		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:54:35	13/04/2016 16:54:35	Bloquear el tráfico restante de IP y registrar	
51043	13/04/2016 16:55:42	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56688	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:31	13/04/2016 16:54:40	bloquear web	
51044	13/04/2016 16:55:42	Bloqueado	10	Entrante	UDP	FE80:0:0:0:704B:24B0:8B0D:F0D	C4-34-6B-5B-A2-A8	53365	FF02:0:0:0:0:0:0:C	33-33-00-00-00-0C	3702		karen.pimentel	SAGARPA	Predet.	2	13/04/2016 16:54:41	13/04/2016 16:54:41	Bloquear detección de servicios web	
51045	13/04/2016 16:55:53	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56690	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:40	13/04/2016 16:54:49	bloquear web	
51046	13/04/2016 16:55:58	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56692	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:44	13/04/2016 16:54:53	bloquear web	
51047	13/04/2016 16:55:58	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56693	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:54:44	13/04/2016 16:54:53	bloquear web	
51048	13/04/2016 16:56:15	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56694	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:55:02	13/04/2016 16:55:11	bloquear web	
51049	13/04/2016 16:56:15	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56695	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:55:02	13/04/2016 16:55:11	bloquear web	
51050	13/04/2016 16:56:21	Bloqueado	15	Saliente	ICMP [type=0x3, code=0x3]	10.1.66.10	00-21-85-CF-14-3A	3	10.1.66.231	00-21-85-CF-14-B5	3		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:55:16	13/04/2016 16:55:16	Bloquear el tráfico restante de IP y registrar	
51051	13/04/2016 16:56:49	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56699	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:55:34	13/04/2016 16:55:43	bloquear web	
51052	13/04/2016 16:56:49	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56701	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:55:35	13/04/2016 16:55:44	bloquear web	
51053	13/04/2016 16:57:11	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	56280		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:56:08	13/04/2016 16:56:08	Bloquear el tráfico restante de IP y registrar	
51054	13/04/2016 16:57:23	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56703	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:56:08	13/04/2016 16:56:17	bloquear web	
51055	13/04/2016 16:57:23	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56705	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:56:08	13/04/2016 16:56:17	bloquear web	
51056	13/04/2016 16:57:34	Bloqueado	5	Saliente	UDP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	53789	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:56:31	13/04/2016 16:56:31	bloquear web	
51057	13/04/2016 16:57:45	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56707	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:56:31	13/04/2016 16:56:40	bloquear web	
51058	13/04/2016 16:57:45	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56708	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:56:31	13/04/2016 16:56:40	bloquear web	
51059	13/04/2016 16:57:56	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56709	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:56:43	13/04/2016 16:56:52	bloquear web	
51060	13/04/2016 16:57:56	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56710	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:56:43	13/04/2016 16:56:52	bloquear web	
51061	13/04/2016 16:58:02	Bloqueado	5	Saliente	UDP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	53792	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:57:00	13/04/2016 16:57:00	bloquear web	
51062	13/04/2016 16:58:07	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	50677		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:57:04	13/04/2016 16:57:04	Bloquear el tráfico restante de IP y registrar	
51063	13/04/2016 16:58:13	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56711	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:57:00	13/04/2016 16:57:09	bloquear web	
51064	13/04/2016 16:58:13	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	443	10.1.66.231	00-21-85-CF-14-B5	56712	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	karen.pimentel	SAGARPA	Predet.	3	13/04/2016 16:57:01	13/04/2016 16:57:10	bloquear web	
51065	13/04/2016 16:58:46	Bloqueado	10	Entrante	UDP	FE80:0:0:0:704B:24B0:8B0D:F0D	C4-34-6B-5B-A2-A8	51203	FF02:0:0:0:0:0:0:C	33-33-00-00-00-0C	3702		karen.pimentel	SAGARPA	Predet.	4	13/04/2016 16:57:38	13/04/2016 16:57:42	Bloquear detección de servicios web	
51066	13/04/2016 16:58:46	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	51130		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:57:43	13/04/2016 16:57:43	Bloquear el tráfico restante de IP y registrar	
51067	13/04/2016 16:59:36	Bloqueado	5	Saliente	TCP	pki.google.com [216.58.218.206]	50-3D-E5-F4-9A-01	80	10.1.66.231	00-21-85-CF-14-B5	56717	C:\Windows\System32\svchost.exe	Servicio de red	NT AUTHORITY	Predet.	3	13/04/2016 16:58:44	13/04/2016 16:58:53	bloquear web	
51068	13/04/2016 16:59:36	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	56975		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:59:05	13/04/2016 16:59:05	Bloquear el tráfico restante de IP y registrar	
51069	13/04/2016 16:59:36	Bloqueado	10	Entrante	UDP	FE80:0:0:0:F1F5:99E4:88E9:74C4	40-A8-F0-5C-D6-28	52298	FF02:0:0:0:0:0:0:C	33-33-00-00-00-0C	1900		karen.pimentel	SAGARPA	Predet.	6	13/04/2016 16:59:21	13/04/2016 16:59:27	Bloquear la detección de UPnP	
51070	13/04/2016 17:00:25	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	52561		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 16:59:45	13/04/2016 16:59:45	Bloquear el tráfico restante de IP y registrar	
51071	13/04/2016 17:00:25	Bloqueado	15	Entrante	UDP	10.1.66.10	00-21-85-CF-14-3A	5355	10.1.66.231	00-21-85-CF-14-B5	50918		karen.pimentel	SAGARPA	Predet.	1	13/04/2016 17:00:22	13/04/2016 17:00:22	Bloquear el tráfico restante de IP y registrar

    I attach the .log file from Traffic Log and Security Log.

    Attachment(s)

    zip
    traffic_log.zip   30 KB 1 version


  • 5.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 06:29 PM

    SEPM/clients talk over tcp 8014. I see some UDP and ICMP traffic blocked but not that specific protocol/port. Do you have active response on? This happen when the SEP firewall detects port scans and will block if active response is on



  • 6.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 06:42 PM

    Yes, active response is on. But this is related to the fact that the clients disappear from the SEPM?.. That's the main problem and the traffic block is the only strange thig I could find.



  • 7.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 06:51 PM

    That may be a different issue. I believe it is some built-in rule but SEPM/client communication cannot be blocked even if you add a firewall rule in SEPM.

    If they are disappearing and re-appearing then there is something else going on. Are these cloned machines?



  • 8.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 11:08 PM
    Yes, the use cloned machines.


  • 9.  RE: SEP Client block traffic from SEPM
    Best Answer

    Posted Apr 13, 2016 11:12 PM

    Could be duplicate HWID, try this:

    Repair duplicate IDs on cloned Endpoint Protection 12.1 clients

     

    Are you following best practice as well?

     

    How to prepare a Symantec Endpoint Protection 12.1.x client for cloning



  • 10.  RE: SEP Client block traffic from SEPM

    Posted Apr 13, 2016 11:54 PM
    Thank you very much for the links. I was not aware of the process of cloning so I'm not sure if it was done correctly. Tomorrow I'll talk to the user and try the solution you mention.


  • 11.  RE: SEP Client block traffic from SEPM

    Posted Apr 14, 2016 07:04 AM

    Sounds good. Let me know if you need further assistance.



  • 12.  RE: SEP Client block traffic from SEPM

    Posted Apr 18, 2016 11:53 AM

    Perfect!... That was the problem, we repaired some clients and they connect to the console without problems...

    Thank yoy very much!



  • 13.  RE: SEP Client block traffic from SEPM

    Posted Apr 18, 2016 11:55 AM

    You're welcome. I'm glad it's fixed.