Endpoint Protection


Need help configuring firewall ports (SEPM 11)

Migration User, Nov 30, 2009 02:10 AM

  • 1.  Need help configuring firewall ports (SEPM 11)

    Posted Aug 05, 2009 01:44 PM
    Hi everyone,

    I could use some assistance configuring a handful of ports on my network.

    I am interested in blocking Bearshare, Limewire, and Kazaa/Morpheus.

    They run on the following:

    TCP and UDP    6346-6347
    TCP and UDP    1214
    UDP            62480


    I am looking at the Firewall Policy Rule settings of the Service List now.

    I see a Protocol Option, for either TCP or UDP, but I do not see an option for Both. Do I have to create a rule for TCP, then make an identical rule with the different protocol?

    And for the next step, I select Local/Remote, and set the REMOTE port to be the ports I want to block above right? This is because my local client will connect to that remote port? Does the application connect to me on that same port? If so, do I set the local port to be that same one as well?


    Thanks for your support!!


  • 2.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 05, 2009 01:54 PM

    See Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348



  • 3.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 05, 2009 02:15 PM
    Thanks Cycletech, it was an informative read, and I did read all of it, but not once does it mention Source/Destination vs. Local/Remote, setting TCP and UDP in one rule as opposed to two identical rules with a different protocol, or provide me with other useful information that can ultimately lead me to solving the issues and questions stated in my first post.

    Still giving your post a "thumbs up" so that others may read.


  • 4.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 05, 2009 02:38 PM
    It is possible to set up TCP and UDP on multiple different ports with one firewall rule.

    First make a rule with only one port, UDP or TCP, it doesn't matter.

    Then double click on the "Service" field in the rule you have created.

    Here you can add additional ports/protocols that will be blocked by that rule.



    RE: the local/remote question.

    These P2P sharing applications will open the listed ports by default, so other machines that they connect to ought to be using the same port for incoming connections as well... but I'm not 100% on that.

    If it were my environment to run I would use a firewall rule that blocks an application, rather than specific ports that other legitimate software may need.

    Or even use Application and Device control to ensure that those executables cannot even run, let alone communicate outside the box.


  • 5.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 05, 2009 02:46 PM

    Regarding Source/Destination and Local/Remote, these are simply ways of defining hosts within the rules. They allow for hosts to be defined in multiple ways, but in essence, perform the same task.







  • 6.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 12, 2009 12:06 PM
    Thanks both of you for the replies:

    I have added to the policy rules for Blocking popular P2P programs, as well as set the policy to allow VNC connections to take place.

    1) Can you please confirm that I have set these 2 mentioned above properly? (Source/Destinations, Protocols)




    2) The policy I edited is already assigned to a particular group. Do I have to do anything after editing the policy, such as clicking "Assign the Policy" again, or will it be active immediately after hitting OK in the "Add a rule" menu?

    Once again, thanks so much for the support.


  • 7.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 13, 2009 11:18 AM
    Waited 24 hours. Bump ! Still need some confirmation/assistance on whether I set up these rules properly to open up the ports on my network.


  • 8.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 13, 2009 11:34 AM
    Your FW rules look like they should work. You should always test any policy in a test environment before applying to your production network. When clicking "OK" the rules will automatically apply if that FW was previously assigned to the group.

    Thomas



  • 9.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 13, 2009 11:53 AM
    Thanks Cycletech. Your reply leads into my next question regarding SEP Manager Console. When I try to edit policies and assign them, I seem to be only able to select Global, which will then apply the policy to each child group of Global (all of them). I am not able to apply a new firewall policy to only one test group out of many groups. As a picture speaks 1000 words: As you'll see, I am only able to assign the policy to the Global group (including ALL other groups), or Default by itself. I am not able to assign the policy to any child group of Global by itself.

    [EDIT] I also told the policy to write to the traffic log in the event that such a rule fires. Where IS this traffic log so I can see if it is logging VNC activity?


  • 10.  RE: Need help configuring firewall ports (SEPM 11)

    Broadcom Employee
    Posted Aug 13, 2009 12:03 PM
    In order to assign a policy to a specific group you must first turn off "Policy Inheritance" for that group.

    To accomplish this please follow these steps:

    In the SEPM
    Select the Clients button
    Select the Policies tab in the right pane
    Select the group in which you wish to disable Policy Inheritance for
    Uncheck "Inherit policies and settings from parent group 'XXXXXX'"

    You should now be able to assign your policy to this particular group without having to assign it to them all.

    Hope that helps!


  • 11.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 13, 2009 12:17 PM
    Fantastic instructions. Very easily changed the settings to what I needed them set to. As for this mysterious "traffic log" which firewall rules should be writing to when they go off? **There is no "Traffic Log" in Monitors > Logs


  • 12.  RE: Need help configuring firewall ports (SEPM 11)

    Broadcom Employee
    Posted Aug 13, 2009 12:33 PM
    You were very close:

    Monitors->Logs->Log Type: Network Threat Protection->Log Content: Traffic

    Then just set an appropriate time range and you're all set. You can click the "Advanced Settings" hyperlink for more filtering options as well.

    Hope that helps!


  • 13.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 13, 2009 01:31 PM
    Hmm, I was gonna mark this topic as solved, but not yet! Someone in my office has been using VNC all day, and not once has the firewall logged in the traffic log that VNC is being used on port 5800 or 5900. Please refer to the first image I have posted in this topic, where you will see that VNC is set as a firewall rule, allowed, and set to log (traffic log). This firewall policy has been assigned to the group this employee's machine is currently in. His machine also has a green icon, showing he is currently being monitored. Why is the firewall not logging?


  • 14.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 13, 2009 05:24 PM
    Actually, the rule shows "None" for logging on rule 15 (Allow VNC). Change that rule to "Write" and then you will see logs for VNC traffic.

    Thomas


  • 15.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 14, 2009 09:06 AM
    I take back what I said, problem NOT solved. In the photo I had it still set to None for logging, but immediately after that I changed it to Write to Traffic Log. I have plenty of entries for VNC in the Traffic Log from over a week ago, 6500 in fact, but they are all default entries for blocking the VNC traffic in the inbound direction. Since I have added a rule to ALLOW VNC, and told it to Write to the Traffic Log whenever someone uses VNC ( as a test ), no entries have been logged. Not sure why.


  • 16.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 14, 2009 11:16 AM
    Is it possible that some other rule is permitting the VNC traffic? One way to test this (if you can get away with it) is to disable rule #15 (set it to block) and have the user try again. If VNC still works then you know that another rule is permitting the traffic and that's why it's not getting logged.


  • 17.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 14, 2009 11:45 AM
    So you are saying that because 2 or more rules might possibly be allowing VNC, the first rule, with no logging assigned, is the one controlling VNC permissions and is overriding rule 15, which requires logging? I would think you are correct in this assumption, but I have traffic logs in my manager client from last week letting me know that inbound traffic was being blocked by Symantec Endpoint Protection when one of our users was using VNC. Because of this, I do not think any other rule is allowing VNC connections to be made. Still no logging in the Traffic logs!


  • 18.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 14, 2009 12:38 PM
    Set rule 15 to block, then test VNC. If it fails then we know that rule 15 works as planned. We will need to then troubleshoot the logging issue.

    Thomas
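
The test described in the last few replies (does an earlier rule capture the VNC traffic before rule 15 sees it?) can be reasoned through with a first-match model of an ordered rule table. This is an added example, not code from the thread or from Symantec; the rule names and the broad "Allow all TCP" rule are constructed, while the port numbers are the ones discussed above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "block"
    services: tuple      # ((protocol, low_port, high_port), ...); one rule may carry several
    logging: str = "none"  # "none" or "write" (Write to Traffic log)

    def matches(self, proto, remote_port):
        return any(p == proto and lo <= remote_port <= hi for p, lo, hi in self.services)


def evaluate(rules, proto, remote_port):
    """First matching rule wins, as in an ordered firewall rule table.
    Returns (rule name, action, logged)."""
    for rule in rules:
        if rule.matches(proto, remote_port):
            return rule.name, rule.action, rule.logging == "write"
    return "(no rule)", "allow", False


def shadowing_rule(rules, target, proto, remote_port):
    """Name of the earlier rule that captures this traffic before `target`
    gets a chance, or None when `target` is the rule that fires."""
    name, _, _ = evaluate(rules, proto, remote_port)
    return None if name == target else name


# One rule with all the P2P services from the first post (TCP and UDP together).
BLOCK_P2P = Rule("Block P2P", "block", (
    ("TCP", 6346, 6347), ("UDP", 6346, 6347),
    ("TCP", 1214, 1214), ("UDP", 1214, 1214),
    ("UDP", 62480, 62480)))
ALLOW_ALL_TCP = Rule("Allow all TCP", "allow", (("TCP", 0, 65535),))   # constructed broad rule
ALLOW_VNC = Rule("Allow VNC", "allow", (("TCP", 5800, 5800), ("TCP", 5900, 5900)), "write")

POLICY = [BLOCK_P2P, ALLOW_ALL_TCP, ALLOW_VNC]   # broad rule sits above rule 15
FIXED = [BLOCK_P2P, ALLOW_VNC, ALLOW_ALL_TCP]    # logging rule moved ahead of it

if __name__ == "__main__":
    print(evaluate(POLICY, "TCP", 5900))                       # allowed by broad rule, not logged
    print(shadowing_rule(POLICY, "Allow VNC", "TCP", 5900))    # -> "Allow all TCP"
    print(evaluate(FIXED, "TCP", 5900))                        # allowed by Allow VNC, logged
```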


  • 19.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 11:47 AM
    Hi everyone,

    Still no success here. I have moved around and changed the policy to different configurations, including specifying the exact file we want to allow.

    To recap, we are testing to make sure the firewall rules are configured properly, by blocking VNC on the network. Once we confirm that VNC is blocked, we will change it to allow. Again, this is for testing only. It is much easier to allow all programs and block VNC, than to block all programs and allow VNC.

    Here is an image of our current settings:

    Can you spot the error?

    VNC is currently usable for all managed clients




  • 20.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 12:13 PM
    The Source port will be the standard one, but the Destination port will be dynamic: anything that is available on the computer at that moment above the standard ones (0-1023).
    So for the Destination port give any, i.e. leave it blank.


  • 21.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 01:16 PM
    Edited the destination port to be dynamic (left blank), applied, and then reassigned the policy to the target computer groups. I have confirmed on a managed client machine in his system logs that he has received the updated policy. VNC is still usable. We are now completely stumped as to how to properly configure the firewall. We have even told it specifically that the application in question is winvnc4.exe. As a reminder, we are using VNC to test firewall rules. We will not actually be blocking VNC, as we use it constantly in the office.


  • 22.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 01:41 PM
    Is the client in Client Control or Server Control? Make sure it is in Server Control.

    Test it, update the policy and all that. If it still fails,
    put the client in Client Control, update the policy and all that,
    then run WinVNC and check what traffic log it generates. Then we can configure a more exact rule.


  • 23.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 01:45 PM
    How do I put something in server control from client control? What IS client control? The client I am talking about right now (the one we are testing) is currently being managed by the SERVER, as in, in "Clients", that machine shows up with a green dot, meaning it is currently under the control of the server. The policy HAS been updated, and the traffic log is not being written to when VNC is run. For some reason, it is like the firewall is ignoring the policy completely. I've been stuck on this almost 7 days now.


  • 24.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 01:50 PM
    I think, if memory serves correctly, that 15-informative for a rule does nothing. Such as it suggests. I am pretty confident I read this before in these forums, posted by Paul M. in a forum query, possibly from Shadowspapa....

    I would have to find and dig up the thread, but it was a while ago.  Maybe 6 months...  I will see if I can dig it up.


  • 25.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 01:51 PM

    Is VNC being blocked currently?  Now that you have set the rule to block it?



  • 26.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 17, 2009 02:13 PM
    In SEPM - Clients - highlight the group, click on Policy on the right hand side.
    On the bottom, below all the policies, you will see a "+" Location Specific Settings.
    When you expand it, the first one will be the Control mode (default is Server Control).

    I guess you have tested all the policies in Server Control since everything was default.
    Change the Server Control to Client Control (all the logs can be viewed in real time in Client Control).
    But the Firewall Policies applied by SEPM are overwritten by the local policies,
    so just for troubleshooting purposes,
    change it to client mode.

    Once the policy is updated,
    open the NTP Logs, check the time stamp, run WinVNC and check what traffic has been captured.
    Once you have captured that information,
    you can change the Mode back to Server Control and then we can modify the policy.


  • 27.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 19, 2009 08:39 AM
    "Change it to client mode.. Once policy is update Open the NTP Logs-Check the time stamp ...run the WinVnc and check what traffic has been captured." Set the group to client control, then go on the actual client machine physically and run VNC, then check NTP logs to see what has captured? I assume you mean open the SEP panel on the client machine, and check the CLIENT logs for network threat protection information. What makes you think the client will be logging this?


  • 28.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Aug 19, 2009 09:33 AM
    Well, I've updated the policy for the group to be Client controlled, and then connected from my machine to another client machine via VNC. VNC worked perfectly, and on both machines, I right-clicked and opened the green-circled, managed SEP clients and selected "Open Symantec Endpoint Protection". I then went to the third option, Network Threat Protection, and selected Options -> View Logs, and tried to view both Traffic and Packet logs. The only thing showing up for both clients was the rule for Block IPv6, nothing about VNC at ALL.


  • 29.  RE: Need help configuring firewall ports (SEPM 11)
    Best Answer

    Posted Aug 19, 2009 12:57 PM
    Not the rules I was talking about. I was talking about the NTP Traffic logs.
    Once you check that, it will show the exact connection details, which helps in creating a refined rule,
    e.g. direction, local port, remote IP and MAC, rule name, etc.
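
Reading the Traffic log the way this answer suggests, as an added example that is not part of the thread: the code below filters VNC-port entries out of a log export and counts them by direction, action and rule name, so the pattern reported earlier (inbound VNC blocked by a default rule, no entries from the new Allow rule) shows up directly. The CSV layout, column names and rule names are constructed for the example; a real SEPM export has more columns, so map the field names to yours.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real SEPM output); local_port/remote_port are the VNC ports from the thread.
SAMPLE_LOG = """time,direction,action,protocol,local_port,remote_ip,remote_port,rule
2009-08-14 10:01:05,Inbound,Blocked,TCP,5900,192.0.2.17,49213,Block inbound (constructed)
2009-08-14 10:01:06,Inbound,Blocked,TCP,5900,192.0.2.17,49214,Block inbound (constructed)
2009-08-14 10:05:44,Outbound,Allowed,TCP,49301,192.0.2.20,5900,Allow VNC
2009-08-14 10:06:10,Inbound,Blocked,TCP,5800,192.0.2.17,49220,Block inbound (constructed)
2009-08-14 10:07:00,Outbound,Allowed,UDP,49302,192.0.2.5,53,Allow DNS (constructed)
"""
VNC_PORTS = {5800, 5900}


def vnc_entries(export_text):
    """Rows where either end of the connection is a VNC port."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r for r in rows
            if int(r["local_port"]) in VNC_PORTS or int(r["remote_port"]) in VNC_PORTS]


def summarize(entries):
    """Count (direction, action, rule) combinations for the VNC traffic."""
    return Counter((r["direction"], r["action"], r["rule"]) for r in entries)


def rule_fired(entries, rule_name, direction):
    """True when `rule_name` produced at least one entry in that direction,
    i.e. the rule is actually matching and logging, not shadowed by another."""
    return any(r["rule"] == rule_name and r["direction"] == direction for r in entries)


if __name__ == "__main__":
    vnc = vnc_entries(SAMPLE_LOG)
    for key, count in sorted(summarize(vnc).items()):
        print(count, *key)
    print("Allow VNC logged inbound:", rule_fired(vnc, "Allow VNC", "Inbound"))   # False here
```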


  • 30.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Nov 25, 2009 04:49 AM
    Hi to all, I would like to block a specific application (notepad for example). How will I be able to apply this in the Application and Device Control policy? Thanks.


  • 31.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Nov 25, 2009 05:10 AM
    Open the Application Control policy.

    Check and edit "Block applications from running".
    On the left select "Block these applications", then on the right add the application,
    either the full path or just the app name.

    Click OK.


  • 32.  RE: Need help configuring firewall ports (SEPM 11)

    Posted Nov 30, 2009 02:10 AM
    Oh I see. I'll try that. Thanks a lot Vikram.