Dears, 

This is a urgnet case, hope get your help ASAP.

in our company, we installed sep 12 recently with location awareness enabled, these days more and more pc can't access internet and other traffice, and i try to disable the firewall component, then everything goes well again, so the problem comes from the firewall policy. i export my firewall setting and attached here, please help to check where the problem is. 

i check the traffice log, it's the last policy rule block the traffic: Black all other IP traffic and log.

the pc works well yesterday, and today can't access the internet, and i did't do anything from SEPM, and i am afraid will be more and more pc will get effect, so please help, thanks

Attachment(s)

Firewall policy for Office-Ethernet.zip   14 KB 1 version

Guies, Any help will be appreciated.

Check your Traffic log and allow whichever port(s) are being blocked.

Have you allowed the necessary port that is being blocked?

and i try to unselect the last 3 options, and update the policy from sep client, it still doesn't work.

Dear _Brian,

i did, but it seems doesn't work.

do you know where i can verify the setting from pc client ?

Firewall rules won't show if the client is in server mode.

Did you verify the serial number on the client matches that in the SEPM?

Dear _Brian,

yes, the policy serial number matchs with that in SEPM.

At first beginning, there was a error show in user's sep client, i am not sure if this has anything with the problem, but i already fix the error, the pc still can't access anything.

How many system having problem ?Does issue are occured only specify sep client group.

Did you try to Withdrawing Firewall policy ? If after Withdraw Policy so we can identify issue.

Withdrawing or disabling a Symantec Endpoint Protection Firewall policy does not disable Network Threat Protection

Hi aqqle,

What is the error upon accessing the internet of the affected clients?? Do you have the screenshots? What is the exact version of your SEPM and SEP clients??

Regards,

JM

Dear James007,

currently, no more than 10 PCs having problem, but i am not sure if the nubmer will be extend. and the issue occured on differents groups.

i tried to withdrawing the firewall policy, then everything goes well, because no other firewall policy apply to the groups.

thanks

there is no error, but have logs in sep client. i have attached.

version of sepm and sep: 12.1.4013.4013

Attachment(s)

log_1.xlsx   8 KB 1 version

Have you try to disable first the SEP client (smc -stop), then try to access again the internet?? Did the affected computer still can't access the internet??

then what is this IP based on your logs>> 10.218.2.63 & 10.218.2.178

Regards,

JM

disable sep client works, but this doesn't resolve my problem.

the detail log i have attached

Attachment(s)

log_2.xlsx   126 KB 1 version

Try to create new firewall rulle allow all traffic

How to create an Allow All rule for a managed SEP client:

Note:Before creating the Allow All rule in the SEPM,it is recommended that the client be moved into a client-group by itself so that the following test affects no other machines. Clients may be moved by right-clicking them and clicking Move.

1. Login to the Symantec Endpoint Protection Manager (SEPM)
2. Click Clients and select the client-group which contains the affected client computer
3. Click the Policies tab
4. Click the Firewall policy for this client-group to open it for editing
5. Click Rules
6. Click Add Rule...
7. Name the rule: Allow All Test
8. Click the radial button next to Allow connections and click Next
9. Click the radial button next to Allow Applications and click Next
10. Click the radial button next to Any computer or site and click Next
11. Click the radial button next to All types of communication (all protocols and ports, local and remote) and click Next
12. Click the radial button next to No and click Finish. The rule is now created. If the rule is not at the top of the list, select it and click Move Up until it is at the very top of the firewall rules list
13. Click OK

http://www.symantec.com/business/support/index?page=content&id=TECH203497

disabling of SEP client is only part of my troubleshooting to justify that the SEP client is causing the issue..
 

Since you mentioned you have location awareness enabled, how many location do you have?? What location and policies applied on the SEP client affected??

Regards,

JM

Dear James007,

thanks, if i create a rule to allow everything on top, it works. but still not find the root cause. 

Some rules are blocked Internal traffic,I suggest you can raised support ticket and received root cause.

Dear,

we have 3 locations defined, and we have different firewall policy apply to the locations. for the location have porblem, i only create a rule to block wireless traffic on top of the policy, and the rest is default.

but from the log, it's the last rule block the traffice.

Dear James007,

thanks for your advice, if no one can resolve my problem i will raise ticket for support.

thanks again.

Does Below IP are your proxy address ?

when your client accessing the internet, are they using proxy server??

yes, we using proxy, the address is 10.218.0.97

Dear James007,

no, these IP are our old DNS.

the proxy address is 10.218.0.97

Try to Add your Proxy address (10.218.0.97) in your firewall rule. Just follow the steps provided by James007, then in Select the Hosts, select Only the computers and Sites listed Below:, then click Add..

Also, add the IP range of your network addresses..

Dear,

Yes, this is one of the solution. but i really want to find out the root cause.

Proper root cause will be provide Symantec support for check your SEPM logs.

Have you verified that there are no Intrusion Prevention detections on these 10 computers?

IPS can be configured to block the IPS source for x number of minutes. If you use Proxy servers and the user visits a website that triggers IPS, SEP will block access to your proxy servers as the proxy ip is seen as the host

Torb

Dear TORB,

i tried to disable IPS, but still same.

i think the problem comes from firewall policy, i have raised ticket to symantec, and i will update all of you if there is any finding, thanks

Hi aqqle,

What did the Symantec Suppot found on this issue? Any update regarding your issue? Thank you..

I meet the same problem. I just changed default setting  from "allow only application traffic" to "allow ip traffic" to temporary solution this issue.