Endpoint Protection

  • 1.  SEP 12.1 Firewall Rules

    Posted Feb 20, 2012 09:39 AM

    Trying to tune my firewall rules, to allow specific traffic on an adapter.

    I just recently installed 12.1 and am only running the default rules at the moment. I am trying to determine if there is a way to tune for an adapter that is simply a sniffing adapter, collecting data from a span port on one of my switches. The data is simply a mirror of the actual traffic, so it appears from various clients and various ports. I am not sure whether any specific rule can really tune for this data, or whether I just have to completely ignore this network adapter and allow all traffic that is sent across it.

    Any advice is welcome.



  • 2.  RE: SEP 12.1 Firewall Rules

    Posted Feb 20, 2012 10:38 AM

    http://www.symantec.com/business/support/index?page=content&id=TECH104433

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/d28e5621b64d9ddb88257543007672ff?OpenDocument



  • 3.  RE: SEP 12.1 Firewall Rules

    Posted Feb 20, 2012 11:40 AM

    I have gotten a bit more information now as to how this is working and what is not working.

    It is my understanding that the adapter in the server is actually the one to make the connection. It connects to the span port and reads the data. No data is actually sent through this system, but instead the information read is used to monitor traffic, plot usage and such.

    It would be like using a voice recorder in a crowd of people but not saying anything...just listening/reading/collecting.

    With that said, the tools are no longer able to read/use any of the data. It is as though there is no data...but there is, I simply cannot get to it any more.



  • 4.  RE: SEP 12.1 Firewall Rules

    Posted Feb 20, 2012 02:24 PM

    Is there an easy way to create a rule to allow the 169.254/16 block of IP addresses to just be allowed? This would cover all spanning ports and the addresses in this range are not routable, so it should technically fix my issue if I can correctly create the rule.

    RFC 5735 (http://tools.ietf.org/html/rfc5735) and RFC 3927 (http://tools.ietf.org/html/rfc3927).



  • 5.  RE: SEP 12.1 Firewall Rules

    Posted Feb 20, 2012 03:52 PM

    Check the solution in the link below; it might help.

    https://www-secure.symantec.com/connect/forums/endpoint-protection-blocks-ip-my-router#comment-5493251

    Note: try it in a test lab first.



  • 6.  RE: SEP 12.1 Firewall Rules

    Posted Feb 21, 2012 12:18 AM

    Hi Smakovits,

    Refer to the attachment for creating firewall rules.

    Attachment: SEP Firewall_0.docx (545 KB)


  • 7.  RE: SEP 12.1 Firewall Rules

    Trusted Advisor
    Posted Apr 24, 2012 07:28 AM

    Hello,

    Here are the articles that explain more about the default firewall rules in SEP 12.1:

    About firewall rules

    http://www.symantec.com/docs/HOWTO55261

    Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

    http://www.symantec.com/docs/TECH180569

    Default Symantec Endpoint Protection 12.1 RU1 Firewall Rules explanation:

    Please check the attached file: Default_FW_Rules.xls

    Hope that helps!!

    Attachment: Default_FW_Rules_1.xls (31 KB)


  • 8.  RE: SEP 12.1 Firewall Rules

    Posted Apr 26, 2012 10:26 AM

    In the end I just created a new policy with the block all rule disabled and applied this to only the specific machines that are monitoring a SPAN port.
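
Added example, not part of the thread and not Symantec's code: a simplified top-down, first-match rule model run over constructed packets, comparing the 169.254/16 rule asked about in post 4, an adapter-scoped allow rule, and the disabled block-all rule from post 8. The adapter names, the sample addresses and the allow-when-nothing-matches default are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("169.254.0.0/16")  # RFC 3927 block named in post 4

# Constructed sample traffic; adapter names "span0"/"lan0" are hypothetical.
PACKETS = [
    {"adapter": "span0", "src": "10.1.4.23", "dst": "192.0.2.80"},          # mirrored client -> web
    {"adapter": "span0", "src": "10.1.7.9", "dst": "10.1.0.53"},            # mirrored DNS query
    {"adapter": "span0", "src": "169.254.12.7", "dst": "169.254.255.255"},  # mirrored link-local broadcast
    {"adapter": "lan0", "src": "198.51.100.7", "dst": "10.1.0.20"},         # unsolicited, production NIC
]

def matches(rule, pkt):
    """A rule matches when every condition it sets holds for the packet."""
    if "adapter" in rule and rule["adapter"] != pkt["adapter"]:
        return False
    if "net" in rule:
        return any(ip_address(pkt[k]) in rule["net"] for k in ("src", "dst"))
    return True

def evaluate(rules, pkt):
    """Top-down, first enabled match wins. Model assumption: no match means allow."""
    for rule in rules:
        if rule.get("enabled", True) and matches(rule, pkt):
            return rule["action"]
    return "allow"

def allowed(rules, adapter):
    """Count sample packets on `adapter` that the rule list lets through."""
    return sum(evaluate(rules, p) == "allow" for p in PACKETS if p["adapter"] == adapter)

BLOCK_ALL = {"action": "block"}
POLICIES = {
    "block all": [BLOCK_ALL],
    "allow 169.254/16, block all": [{"net": LINK_LOCAL, "action": "allow"}, BLOCK_ALL],
    "allow adapter span0, block all": [{"adapter": "span0", "action": "allow"}, BLOCK_ALL],
    "block all disabled": [dict(BLOCK_ALL, enabled=False)],
}

if __name__ == "__main__":
    for name, rules in POLICIES.items():
        print(f"{name:32} span0 {allowed(rules, 'span0')}/3  lan0 {allowed(rules, 'lan0')}/1")
```

In this model the address rule passes only the one mirrored frame that happens to carry link-local addresses, while the adapter-scoped rule passes all mirrored frames and still leaves block-all in force on the other adapter.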