Endpoint Protection

  • 1.  NTP Blocked Incoming Ethernet 0x0 traffic

    Posted May 18, 2011 07:11 PM

    We are receiving the following messages on a few of our laptops under the NTP Traffic Logs:

    3 5/17/2011 12:58:55 PM Blocked 15 Incoming ETHERNET [type=0x0] 0.0.0.0 9C-AF-CA-0F-67-DD 0 0.0.0.0 00-27-10-95-67-50 0    Default 1 5/17/2011 12:57:54 PM 5/17/2011 12:57:54 PM Block all other traffic 

    From what I have read, the Type 0x0 and 0.0.0.0 traffic is an ARP probe: "An ARP probe is an ARP request constructed with an all-zero sender IP address. The term is used in the IPv4 Address Conflict Detection specification (RFC 5227). Before beginning to use an IPv4 address (whether received from manual configuration, DHCP, or some other means), a host implementing this specification must test to see if the address is already in use, by broadcasting ARP probe packets."

    I can tell from the MAC addresses that it is traffic coming from a Cisco device (access point possibly) to the wireless adapter.

    I called Symantec and the only solution they said was to enable "Allow token ring traffic". Not my issue.

    Anyone else know of any resolutions to this? 



  • 2.  RE: NTP Blocked Incoming Ethernet 0x0 traffic

    Broadcom Employee
    Posted May 19, 2011 01:37 AM

    If you have this rule, "Blocked 15 Incoming", then it is set to block. Run the network sniffer to know more on the protocol and allow the traffic, if it is required.
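
As an added example (not written by anyone in this thread and not Symantec code): a Python classifier for raw frames exported from a sniffer, which tells an RFC 5227 ARP probe (EtherType 0x0806, all-zero sender IP) apart from a frame whose type field really is 0x0. The sample frames, MAC addresses and IP addresses are constructed, and `build_arp` is a hypothetical helper that only creates them.

```python
import socket
import struct

ETH_ARP = 0x0806  # EtherType assigned to ARP

def classify_frame(frame: bytes) -> dict:
    """Classify one raw Ethernet II frame (FCS stripped) exported from a sniffer."""
    if len(frame) < 14:
        return {"kind": "truncated"}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"src": src.hex("-"), "dst": dst.hex("-"), "ethertype": hex(etype)}
    if etype < 0x0600:
        # Below 0x0600 the field is not an EtherType (<= 1500 is an 802.3 length).
        info["kind"] = "no-ethertype"
    elif etype != ETH_ARP:
        info["kind"] = "other"
    elif len(frame) < 42:
        info["kind"] = "arp-truncated"
    else:
        htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = struct.unpack(
            "!HHBBH6s4s6s4s", frame[14:42])
        info["target_ip"] = socket.inet_ntoa(tpa)
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            info["kind"] = "arp-non-ipv4"
        elif op == 1 and spa == b"\x00" * 4:
            info["kind"] = "arp-probe"         # RFC 5227: request, all-zero sender IP
        elif op == 1 and spa == tpa:
            info["kind"] = "arp-announcement"  # RFC 5227: sender IP equals target IP
        else:
            info["kind"] = {1: "arp-request", 2: "arp-reply"}.get(op, "arp-other")
    return info

def build_arp(src_mac: bytes, op: int, spa: str, tpa: str) -> bytes:
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, src_mac,
                      socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))
    return eth + arp

# Constructed sample frames (build_arp exists only to make them); MACs and IPs are made up.
SRC = bytes.fromhex("020000000001")
SAMPLES = {
    "probe": build_arp(SRC, 1, "0.0.0.0", "192.0.2.10"),
    "announce": build_arp(SRC, 1, "192.0.2.10", "192.0.2.10"),
    "type0": struct.pack("!6s6sH", b"\xff" * 6, SRC, 0x0000) + b"\x00" * 46,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_frame(frame))
```

Feeding it the frames captured at the times shown in the traffic log shows whether the blocked traffic is address-conflict probing or something else, which is the information needed before writing an allow rule.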



  • 3.  RE: NTP Blocked Incoming Ethernet 0x0 traffic

    Trusted Advisor
    Posted May 19, 2011 07:35 AM

    Hello,

    Please follow the steps below and edit the firewall policy associated with the clients to add a corresponding rule as follows:

     

    • Open the SEPM, click the Policies tab, and edit the policy you wish to change
    • Add a blank rule
    • Modify the “Host” properties so that the “Source/Destination” IP is the address you wish to block (Local/Remote is less generic, and requires the local address of the client on which the rule should be applied)
    • Change the “Action” to Allow
    • Save and deploy the policy as needed.

    This will allow all incoming and outgoing traffic associated with the specified IP address.