Endpoint Protection


SEP Network Threat Protection blocking network unexpectedly.

  • 1.  SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 15, 2010 06:40 AM
    Hi.
    SEP Network Threat Protection is blocking the network unexpectedly after running a day or so on the client. Is there anyone who can help me with my problem? I have a problem with unwanted, unexpected blocking of network traffic on clients. When restarted, the client works fine during the workday; the next day all applications that need a network connection fail. This happens on clients with SEP Network Threat Protection installed and enabled; those that don’t have network protection installed work fine. We are using SEP 11.0.5.333 on WinXPSP3 and Server2003R2sp2.
     
    I’m grateful for tips on this matter.
     
    Regards GWD ;D


  • 2.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 15, 2010 06:46 AM
    Check the traffic and packet logs and see what traffic is generated during this period that SEP NTP is blocking. Then we can create exceptions for that.


  • 3.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 15, 2010 06:47 AM
    From the NTP logs, find out which rule is blocking the traffic and modify it to allow the traffic.


  • 4.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 03:07 AM

    Thank you both for your reply.

    I looked through all entries in the traffic log, 2016 records, the first from 9 March. In the traffic log all entries are like those from the 12th and the 15th, except for two entries from the 13th, which have different MAC addresses. In the packet log, there are no entries.

    As far as I can see, the blocking of traffic is not a consequence of rules, but something happens during the nights, at different times. By looking in the event log I can see that there are problems with contacting the domain.

    This occurs only on those that have NTP installed, and mostly for those who keep the computer on until the next day; exceptionally, some got this problem during the daytime, after some hours of work. I have installed NTP on a stationary computer for testing this as well, and every morning I have the problem.

    I’m grateful for further ideas in this matter, thank you.

    Regards GWD ;D


    Traffic log
    15.03.2010 12:48:09 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 12:47:54 15.03.2010 12:47:54 Block all other traffic
    15.03.2010 12:48:09 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 12:47:54 15.03.2010 12:47:54 Block all other traffic
    13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xD99] 0.0.0.0 14-03-D8-A4-38-17 0 0.0.0.0 17-0D-98-02-0A-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
    13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xFE08] 0.0.0.0 02-03-46-62-12-38 0 0.0.0.0 61-12-38-BE-08-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
    12.03.2010 13:04:08 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:03:06 12.03.2010 13:03:06 Block all other traffic
    12.03.2010 13:04:08 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:03:06 12.03.2010 13:03:06 Block all other traffic
    12.03.2010 13:03:57 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:02:56 12.03.2010 13:02:56 Block all other traffic
    12.03.2010 13:03:57 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 12.03.2010 13:02:56 12.03.2010 13:02:56 Block all other traffic
     



  • 5.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 03:24 AM

    Keep the rule "Block all other traffic" as the last rule in the firewall policy and try.



  • 6.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 03:30 AM

    Are you facing any particular problem because of this?

    Some applications not working etc....

    Your logs look like there is some unwanted traffic present in the network and SEP is blocking it.



  • 9.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 04:06 AM

    Hi again.

    I have made no changes to the default rules, and the rules can only be changed from the management console. The latest rule is “block all other traffic”

    ;D
     



  • 10.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 04:13 AM

    Hi .

    I get problems with all programs that need a network connection when the problem occurs. This unwanted traffic, I don’t know what it is; no MAC address, this is strange.

    Thanks, regards ;D
     



  • 11.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 04:21 AM

    Just for testing, set the action for “block all other traffic” to allow and see.



  • 12.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 04:29 AM

    Hi.
    I’m not an experienced user here ;D So I just discovered the possibility of file attachment, and I hope my policy file can clarify some things here.
    Thanks
    Regards GWD ;D
     

    .dat didn’t work, so I renamed the file.




  • 13.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 16, 2010 04:35 AM

    OK, so it is done, and then we have to wait until tomorrow for the result.
    ;D
     



  • 14.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Mar 17, 2010 05:08 AM
    Hi.

    Since yesterday I have run NTP on my PC with all other traffic allowed, as shown in the log. It makes no difference. When disabling NTP, the traffic starts on the net immediately; most of the applications are down, but some I can run again.

    There are no entries in the packet log, but the traffic looks like this.

    There are no newer entries than this record, looking at this at 0735 this morning:
    16.03.2010 19:14:32 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 19:14:21 16.03.2010 19:14:21 Block all other traffic

    Regards GWD ;D


    Traffic log
    16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
    16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
    16.03.2010 10:39:03 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 10:38:48 16.03.2010 10:38:48 Block all other traffic
    16.03.2010 07:42:04 Blocked 15 Incoming ETHERNET [type=0xF10] 0.0.0.0 14-03-04-75-23-9E 0 0.0.0.0 EB-17-7C-D1-0A-03 0 gwd SMNL Default 1 16.03.2010 07:41:02 16.03.2010 07:41:02 Block all other traffic
    16.03.2010 07:42:04 Blocked 15 Incoming ETHERNET [type=0xEE0A] 0.0.0.0 04-42-28-F0-16-DF 0 0.0.0.0 DF-ED-0A-03-14-03 0 gwd SMNL Default 1 16.03.2010 07:41:02 16.03.2010 07:41:02 Block all other traffic
    15.03.2010 17:45:26 Blocked 15 Incoming ETHERNET [type=0x666D] 0.0.0.0 10-73-71-72-69-67 0 0.0.0.0 6B-28-01-02-02-03 0 gwd SMNL Default 1 15.03.2010 17:45:15 15.03.2010 17:45:15 Block all other traffic
    15.03.2010 15:04:42 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 15:04:31 15.03.2010 15:04:31 Block all other traffic
    15.03.2010 15:04:42 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 15:04:31 15.03.2010 15:04:31 Block all other traffic
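
The log check suggested in replies 2 and 3, as an added example that is not part of any post in this thread: a Python sketch that parses traffic-log lines in the layout posted above and counts entries per action, rule and frame type. The column layout is assumed from the posted lines, not taken from Symantec documentation; EtherType 0x8808 sent to 01-80-C2-00-00-01 is IEEE 802.3 MAC Control (flow-control PAUSE) traffic, not IP.

```python
import re
from collections import Counter

# Three lines copied from the traffic logs posted in this thread.
SAMPLE = """\
15.03.2010 12:48:09 Blocked 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 15.03.2010 12:47:54 15.03.2010 12:47:54 Block all other traffic
13.03.2010 23:34:48 Blocked 15 Incoming ETHERNET [type=0xD99] 0.0.0.0 14-03-D8-A4-38-17 0 0.0.0.0 17-0D-98-02-0A-03 0 gwd SMNL Default 1 13.03.2010 23:33:46 13.03.2010 23:33:46 Block all other traffic
16.03.2010 19:14:32 Allowed 15 Incoming ETHERNET [type=0x8808] 0.0.0.0 00-00-00-00-00-00 0 0.0.0.0 01-80-C2-00-00-01 0 gwd SMNL Default 1 16.03.2010 19:14:21 16.03.2010 19:14:21 Block all other traffic
"""

MAC = r"(?:[0-9A-F]{2}-){5}[0-9A-F]{2}"
TS = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"
# Assumed columns: time, action, severity, direction, protocol, [type=EtherType],
# two IP/MAC/port triples, user/location fields, count, begin time, end time, rule name.
LINE = re.compile(
    rf"^(?P<time>{TS}) (?P<action>\w+) \d+ (?P<direction>\w+) ETHERNET "
    rf"\[type=(?P<ethertype>0x[0-9A-Fa-f]+)\] "
    rf"\S+ (?P<mac1>{MAC}) \d+ \S+ (?P<mac2>{MAC}) \d+ "
    rf".*? {TS} {TS} (?P<rule>.+)$"
)
KNOWN = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8808: "MAC Control"}
PAUSE_DST = "01-80-C2-00-00-01"  # reserved multicast address for 802.3x PAUSE frames

def parse(text):
    """Return (entries, unparsed_lines); only ETHERNET-type lines are recognized."""
    entries, unparsed = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = LINE.match(line)
        if m:
            entries.append({**m.groupdict(), "ethertype": int(m["ethertype"], 16)})
        else:
            unparsed.append(line)
    return entries, unparsed

def summarize(entries):
    """Count entries per (action, rule, frame kind) so the matching rule stands out."""
    counts = Counter()
    for e in entries:
        et = e["ethertype"]
        kind = KNOWN.get(et, f"unrecognized 0x{et:04X}")
        if et == 0x8808 and e["mac2"] == PAUSE_DST:
            kind = "802.3x PAUSE (MAC Control)"
        counts[(e["action"], e["rule"], kind)] += 1
    return counts

def ip_entries(entries):
    """Entries carrying IPv4, IPv6 or ARP, the traffic applications depend on."""
    return [e for e in entries if e["ethertype"] in (0x0800, 0x0806, 0x86DD)]

if __name__ == "__main__":
    parsed, skipped = parse(SAMPLE)
    for (action, rule, kind), n in summarize(parsed).items():
        print(f"{n:3d}  {action:8s} {kind:28s} rule={rule}")
    print("IP/ARP entries:", len(ip_entries(parsed)), "unparsed:", len(skipped))
```

On the lines posted in this thread, every entry is a non-IP Ethernet frame matched by "Block all other traffic"; none is IPv4, IPv6 or ARP.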


  • 15.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Jul 23, 2010 01:59 PM

    Just for testing
    Add a blank rule and push it to the top. By default blank rule is allow all.



  • 16.  RE: SEP Network Threat Protection blocking network unexpectedly.

    Posted Jul 23, 2010 02:29 PM
    Just try to migrate your client to the latest SEP package,


    or there might be some virus in your network. If you allow all other traffic, then your client will be at risk.
    Don't remove NTP from the clients; it will protect your machine over the network.
    Just check the firewall rule, or allow your blocked application ports only,
    and also exclude the blocked application server IP in the IPS policy as well.