Endpoint Protection

  • 1.  network threat protection blocking on server- what and why?

    Posted Aug 23, 2011 04:36 PM

    Windows 2003 file server; it is our WSUS server and our Symantec Endpoint server, running management 12.1.

    I have the 12.1 client installed. Today I noticed popups about Network Threat Protection and saw it was blocking traffic from various PCs, but when I look at the Network Threat Protection logs it doesn't tell me why!

    How do I find out what is going on?

    Here are a few samples, where 192.168.xx.x is our endpoint server.

    216569    8/23/2011 2:15:12 PM    Blocked    15    Outgoing    ETHERNET [type=0x806]    192.168.zz.40    00-0B-6B-B3-94-43    0    192.168.xx.x    00-1C-23-D0-8E-1E    2054                Default    1    8/23/2011 2:14:11 PM    8/23/2011 2:14:11 PM    Block all other traffic    
    216570    8/23/2011 2:15:22 PM    Blocked    15    Outgoing    ETHERNET [type=0x806]    192.168.zz.51    00-0B-6B-B3-84-43    0    192.168.xx.x    00-1C-23-D0-8E-1E    2054                Default    1    8/23/2011 2:14:21 PM    8/23/2011 2:14:21 PM    Block all other traffic    
    216571    8/23/2011 2:15:27 PM    Blocked    15    Outgoing    ETHERNET [type=0x806]    192.168.zz.61    N/A    0    192.168.xx.x    00-1C-23-D0-8E-1E    2054



  • 2.  RE: network threat protection blocking on server- what and why?

    Posted Aug 23, 2011 05:10 PM

    The Network Threat Protection feature integrates a driver, "Teefer", into the network adapter to do packet scanning. Whatever packets are coming in to and going out from the server will be scanned, so there is a possibility of packets being dropped during the scan. Since it is file transfer, a large amount of data will be transferred; due to the heavy traffic to the server, some of the IPs might have been blocked.

    On a file server we don't suggest installing SEP with NTP.

    Please find the related documents below.

    Best Practices for Installing Symantec Endpoint Protection on Windows Servers
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021811070448

    Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348

    About Windows Firewall and Symantec Endpoint Protection's NTP
    http://www.symantec.com/docs/TECH97986

    About Network Threat Protection reports and logs
    http://www.symantec.com/docs/TECH95542




  • 3.  RE: network threat protection blocking on server- what and why?

    Posted Aug 23, 2011 05:39 PM

    Hello James T Kirk Junior,

    You can see the rule which is causing the traffic to be blocked/allowed in the right-most column of the traffic log. In your log snippet, the rule name is "Block all other traffic".

    The traffic is being blocked because it meets the criteria specified by your "Block all other traffic" rule.

    This may be one of the built-in rules in your SEPM. You can examine your Firewall policy to find out.

    James
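
Added example, not part of any post in this thread: a small parser that reads the three traffic-log rows posted above, takes the rule name from the right-most column, and decodes the `type=0x806` value (EtherType 0x0806 is ARP). It assumes columns are separated by tabs or runs of two or more spaces, and treats a row whose last field is numeric as cut off before the rule column; `parse_row` and `summarize` are names made up for this example.

```python
import re
from collections import Counter

# Well-known EtherType values (IEEE registry).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# The rows as posted in the thread (addresses were masked by the poster).
SAMPLE = """\
216569    8/23/2011 2:15:12 PM    Blocked    15    Outgoing    ETHERNET [type=0x806]    192.168.zz.40    00-0B-6B-B3-94-43    0    192.168.xx.x    00-1C-23-D0-8E-1E    2054                Default    1    8/23/2011 2:14:11 PM    8/23/2011 2:14:11 PM    Block all other traffic
216570    8/23/2011 2:15:22 PM    Blocked    15    Outgoing    ETHERNET [type=0x806]    192.168.zz.51    00-0B-6B-B3-84-43    0    192.168.xx.x    00-1C-23-D0-8E-1E    2054                Default    1    8/23/2011 2:14:21 PM    8/23/2011 2:14:21 PM    Block all other traffic
216571    8/23/2011 2:15:27 PM    Blocked    15    Outgoing    ETHERNET [type=0x806]    192.168.zz.61    N/A    0    192.168.xx.x    00-1C-23-D0-8E-1E    2054
"""


def parse_row(line):
    """Split one traffic-log row and pull out action, EtherType and rule."""
    # Assumption: fields are separated by tabs or by 2+ spaces, so values
    # with single spaces ("Block all other traffic") stay in one piece.
    fields = [f for f in re.split(r"\t+| {2,}", line.strip()) if f]
    proto = next((f for f in fields if f.startswith("ETHERNET")), "")
    m = re.search(r"type=0x([0-9A-Fa-f]+)", proto)
    ethertype = int(m.group(1), 16) if m else None
    # The rule name is the right-most column. Heuristic for this example:
    # a numeric last field means the row was truncated before the rule.
    last = fields[-1]
    return {
        "id": fields[0],
        "action": fields[2],
        "ethertype": ethertype,
        "protocol": ETHERTYPES.get(ethertype, "unknown"),
        "rule": None if last.isdigit() else last,
    }


def summarize(text):
    """Count rows per (action, decoded protocol, firewall rule)."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    return Counter((r["action"], r["protocol"], r["rule"]) for r in rows)


if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

Grouping a full export this way shows which firewall rule accounts for the blocks and which protocol it is matching, which is the starting point for reviewing that rule in the Firewall policy.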



  • 4.  RE: network threat protection blocking on server- what and why?

    Posted Aug 23, 2011 06:20 PM

    Our servers only get Antivirus, we don't load the other SEP components.