Hey all,

Looking for a best practice, guideline, or "how you did it" in terms of the Network Threat Protection as part of SEP. The problem is we have hosts behind load balancers and when scanners or legit attacks get detected/blocked they are reported as coming from the Load Balancer(s).

Will X-Forward help this situation? Are there other things we can do to get the true source?

Thanks!

 

 

 

These might shed some light. I prefer putting NTP on all clients machines except few critical server's such as my db server's. http://www.symantec.com/business/support/index?page=content&id=TECH116730&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1413822152809ClTM5MD36M29BKU5YwZSha7HdMZPED3Iiz76F

It may be a limitation in SEP. Is this similar to a proxy setup? I know SEP is not proxy aware so it will block the proxy instead of the true site.

it dont know about the source

Adding few more for your reference.

 

Usage of Location Awareness and Network Threat Protection with SEP 11 and SEP 12.1

http://www.symantec.com/business/support/index?page=content&id=TECH195231

 

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

http://www.symantec.com/business/support/index?page=content&id=TECH90936

About Network Threat Protection reports and logs

http://www.symantec.com/business/support/index?page=content&id=TECH95542

Hello,

Did you find any solution for the problem, SEP is ignoring the XFF

Thanks
Original Message:
Sent: Oct 20, 2014 12:18 PM
From: Migration User
Subject: Symantec SEP - Network Threat Protection - strategy for load balancers

Hey all,

Looking for a best practice, guideline, or "how you did it" in terms of the Network Threat Protection as part of SEP. The problem is we have hosts behind load balancers and when scanners or legit attacks get detected/blocked they are reported as coming from the Load Balancer(s).

Will X-Forward help this situation? Are there other things we can do to get the true source?

Thanks!