
ETHERNET [type=0x806]


  • 1.  ETHERNET [type=0x806]

    Posted Aug 15, 2011 09:40 AM

    After upgrading to SEP 12.1, I'm getting a lot of ETHERNET [type=0x806] entries being logged in my firewall logs.

    I even tried creating a new FW rule that said allow these ethernet entries and don't log them, but they are still being created.

    (Verified that the new FW policy is in effect on the clients)

    This is being logged by the "Block all other traffic" rule.

    Anyone else seeing this?

    Thanks

     

    EDIT: "Enable anti-MAC spoofing" is not enabled.



  • 2.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 10:24 AM

    What log, traffic or packet?



  • 3.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 10:41 AM

    Traffic.

    It's mostly from the router/gateway. Occasionally from other machines on the LAN too.



  • 4.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 01:24 PM

    Block all other traffic is the last rule, so it's not getting applied.

    Can you try creating this from the user interface of the client?



  • 5.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 02:22 PM

    It sounds like it is getting applied?

    If I look in my logs, I see the rule being applied (and blocking), although I'm not seeing the specific message mentioned in this post.



  • 6.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 02:49 PM

    How can you verify that a rule is being specifically applied? Other than comparing policy serial numbers, is there a way to see if a specific rule is being applied?

     

    0x806 is ARP traffic.

     

    I can verify that these entries were not being logged in SEP 11. In fact I have machines still on SEP11 (12 and 11 have the same policy).



  • 7.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 03:03 PM



  • 8.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 03:15 PM

    I'm just going by the "Action" column, which in my logs says "Blocked" so that is my assumption.



  • 9.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 03:16 PM

    I meant to say that the block-all rule is the last rule in the rule list, so if you have already applied a policy to allow ethernet traffic and it's not working, it's because the last rule is still blocking it.



  • 10.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 03:27 PM

    But would the log still show the Action as Blocked?

    It would make sense that if the allow rule was already applied then this rule should never be triggered, and therefore not shown in the logs.



  • 11.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 03:27 PM

    Like I said earlier, I created a rule just to allow ARP entries so the FW log won't get so full. It doesn't seem to help, or is not being applied.

     

    I can't be the only one seeing this? Or is there something unique about my network???

     



  • 12.  RE: ETHERNET [type=0x806]

    Posted Aug 15, 2011 03:29 PM

    I'm not seeing that specific traffic but seeing other traffic that I'm questioning.

    That rule looks fine so I don't know why it is showing up in your log.



  • 13.  RE: ETHERNET [type=0x806]
    Best Answer

    Posted Aug 18, 2011 04:30 PM

    I was using the existing FW policies from SEPM 11. Had to create a new policy to get rid of this.



  • 14.  RE: ETHERNET [type=0x806]

    Posted Sep 09, 2011 04:38 AM

    I have the same problem with the 0x806 log.

    I just created a rule in 1st position, allowing the traffic on 0x806 ethernet, with Source "Local network" and Destination "Local network", but it does not help. I tried with an IP range, but it does not help either. But in the log, the local and remote are my local network.

     

    The only way to make it work is to allow the traffic on any local/remote.... but I think this is not so secure...

     

    Any idea ?



  • 15.  RE: ETHERNET [type=0x806]

    Posted Sep 09, 2011 05:50 AM

    Hi,

     

    Just saw this behavior yesterday, I was testing SEP 11.x rules on SEP 12.1...

     

    You don't have to recreate rules in 12.1 "style".

     

    In fact, in the 12.1 "default" policy, look at the last 2 rules in the policy:

    BLOCK ALL IP TRAFFIC : LOG (the IP Protocol is matching ...)

    BLOCK ALL OTHER TRAFFIC : NO LOG

     

    In 11.x you don't have these 2 rules that log IP traffic which is blocked, and then block but don't log other traffic (like ethernet); you only have 1 rule like your screenshot: block all traffic and log.

     

    It explains why you were seeing these entries...

     

    So migrate your 11.x rules and modify the last 2 rules in that way...

     

    EDIT: don't add IP/network range matching in your rules since ARP is using Ethernet MAC addresses... and select "all interfaces"; the same is happening when filtering Multicast addresses, "ethernet adapter" only would not work...

     

    Cheers !

     

    LL
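The thread's core points (post 6: 0x806 is ARP; post 14: an allow rule scoped to the local IP range never matches ARP; post 15: split the tail into "block all IP: log" and "block all other: no log") can be shown with a small frame parser and a toy rule evaluator. The following is an added example and is not code from Symantec or from any poster; it is a simplified model of how a host firewall rule table behaves, not SEP's engine. All MAC and IP addresses are constructed sample values, and the rule names, `Rule` dataclass and `evaluate()` function are this example's own.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806   # the type the thread's log entries show


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP-over-Ethernet/IPv4 message (RFC 826 layout)."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    body = payload[8:28]
    return {"operation": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": body[0:6].hex(":"),
            "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
            "target_mac": body[10:16].hex(":"),
            "target_ip": str(ipaddress.IPv4Address(body[16:20]))}


def parse_ipv4_addrs(payload: bytes):
    """Source and destination from an IPv4 header (bytes 12-19)."""
    return (ipaddress.IPv4Address(payload[12:16]),
            ipaddress.IPv4Address(payload[16:20]))


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    log: bool
    ethertype: Optional[int] = None    # None = any frame type
    ip_network: Optional[str] = None   # None = no source/destination IP condition

    def matches(self, frame: dict) -> bool:
        if self.ethertype is not None and frame["ethertype"] != self.ethertype:
            return False
        if self.ip_network is not None:
            # IP range conditions are evaluated against an IP header. An ARP
            # frame has none, so a rule carrying an IP range can never match it,
            # which is the behaviour post 14 reports and post 15's EDIT explains.
            if frame["ethertype"] != ETHERTYPE_IPV4:
                return False
            net = ipaddress.ip_network(self.ip_network)
            src, dst = parse_ipv4_addrs(frame["payload"])
            if src not in net or dst not in net:
                return False
        return True


def evaluate(rules, frame_bytes: bytes):
    """First-match evaluation; returns (rule name, action, whether it is logged)."""
    frame = parse_ethernet(frame_bytes)
    for rule in rules:
        if rule.matches(frame):
            return rule.name, rule.action, rule.log
    raise LookupError("no rule matched (the real policy always ends with a catch-all)")


# Constructed sample traffic: the gateway asking who has 192.168.1.10, and one
# unsolicited IPv4 datagram from the Internet to the same host.
GATEWAY_MAC = bytes.fromhex("001122aabb01")
HOST_MAC = bytes.fromhex("001122aabb10")

ARP_FRAME = (bytes.fromhex("ffffffffffff") + GATEWAY_MAC + struct.pack("!H", ETHERTYPE_ARP)
             + struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
             + GATEWAY_MAC + ipaddress.IPv4Address("192.168.1.1").packed
             + b"\x00" * 6 + ipaddress.IPv4Address("192.168.1.10").packed)

IP_FRAME = (HOST_MAC + GATEWAY_MAC + struct.pack("!H", ETHERTYPE_IPV4)
            + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                          ipaddress.IPv4Address("203.0.113.7").packed,
                          ipaddress.IPv4Address("192.168.1.10").packed))

# What the original poster had: an ARP allow rule scoped to the local IP range
# in front of the single 11.x-style "block everything and log" tail.
MIGRATED_11X_POLICY = [
    Rule("Allow ARP (local network range)", "allow", False, ETHERTYPE_ARP, "192.168.1.0/24"),
    Rule("Block all other traffic", "block", True),
]

# Post 15's shape: ARP allowed on all interfaces with no IP condition, then
# blocked IP traffic is logged and everything else is blocked silently.
SPLIT_TAIL_POLICY = [
    Rule("Allow ARP (all interfaces, no IP range)", "allow", False, ETHERTYPE_ARP),
    Rule("Block all IP traffic", "block", True, ETHERTYPE_IPV4),
    Rule("Block all other traffic", "block", False),
]

if __name__ == "__main__":
    print(parse_arp(parse_ethernet(ARP_FRAME)["payload"]))
    for name, policy in (("migrated 11.x", MIGRATED_11X_POLICY), ("split tail", SPLIT_TAIL_POLICY)):
        print(name, "ARP ->", evaluate(policy, ARP_FRAME), "| IP ->", evaluate(policy, IP_FRAME))
```

Running it shows the ARP request falling through to the logged catch-all under the migrated policy, while under the split-tail policy the same frame is accepted by the ARP rule and only the inbound IP datagram produces a log line. The real log volume for ARP on a busy segment is high, so the useful practice from this thread is keeping the IP-level block logged (that is the traffic worth reviewing) and dropping the unlogged non-IP remainder.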