How to use " * " (Asterisk) or "Any" as Application when creating firewall rules in Symantec Endpoint Protection (SEP) 11.0 or 12.1. What is the difference between " * " and Any? Why does the "Allow all applications" rule not work with ICMP/ping or broadcast traffic?
When creating a firewall rule in the Symantec Endpoint Protection Manager (SEPM), there is a difference between leaving the Application field as "Any" and entering an asterisk (*) to match all applications.
- Any
This setting will include all packets, no matter which application they are destined for or coming from, and even if they are not associated with a running application at all. Therefore this setting will match traffic such as incoming broadcast packets and Internet Control Message Protocol (ICMP).
- Asterisk (*)
This setting will include only packets that are associated with a running application whose file name matches the " * " in the rule. Incoming broadcast and ICMP traffic, for example, would be excluded from a rule with this configuration.
The default "Allow all applications" rule that is included when a new firewall policy is created uses the asterisk/star (*) in the rule and therefore does not match incoming ICMP traffic. To allow a ping of the host running the Symantec Endpoint Protection client, the "Allow ping" rule should also be enabled.
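The difference can be seen in a small model of the matching logic. This is an added example, not Symantec code and not the SEP firewall engine. It assumes top-down, first-match rule evaluation, models "Allow ping" as an ICMP rule with Application left as "Any", and uses a constructed final block rule, application name and packets.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass
class Packet:
    protocol: str                  # "TCP", "UDP" or "ICMP"
    app: Optional[str] = None      # owning process file name; None = no running application

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    app: Optional[str] = None      # None models "Any"; a string is a file-name pattern
    protocol: Optional[str] = None # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.app is None:       # "Any": the application is not considered at all
            return True
        # A file-name pattern, "*" included, needs an associated application.
        return pkt.app is not None and fnmatch(pkt.app.lower(), self.app.lower())

def evaluate(rules, pkt):
    """Return (action, rule name) of the first matching rule (assumed ordering)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "(no rule matched)"   # assumption for this model only

# Constructed sample policy and packets.
ALLOW_ALL_APPS = Rule("Allow all applications", "allow", app="*")
ALLOW_PING = Rule("Allow ping", "allow", protocol="ICMP")     # Application = Any
BLOCK_REST = Rule("Block everything else (constructed)", "block")

DEFAULT_POLICY = [ALLOW_ALL_APPS, BLOCK_REST]
WITH_PING = [ALLOW_PING, ALLOW_ALL_APPS, BLOCK_REST]

BROWSER = Packet("TCP", app="browser.exe")
PING = Packet("ICMP")              # incoming echo request, no owning application
BROADCAST = Packet("UDP")          # incoming broadcast, no owning application

if __name__ == "__main__":
    for policy_name, policy in (("default", DEFAULT_POLICY), ("with Allow ping", WITH_PING)):
        for label, pkt in (("browser", BROWSER), ("ping", PING), ("broadcast", BROADCAST)):
            print(f"{policy_name:16} {label:10} -> {evaluate(policy, pkt)}")
```

In this model, enabling "Allow ping" lets the echo request through, while incoming broadcast traffic still falls past the asterisk rule.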