A firewall policy has been created in the Symantec Endpoint Protection Manager (SEPM) to block a specific type of traffic (e.g. FTP) and this policy has been assigned to Symantec Endpoint Protection (SEP) clients.
However, these SEP clients neither block the specified traffic nor log events about it:
- Nothing in the SEP client Traffic logs
- Nothing in the SEP client Packet logs
- Network activity shows 0 for inbound/outbound traffic (e.g. in the case of FTP, the FTP.exe process shows no incoming/outgoing traffic)
- There is an existing Intrusion Prevention System (IPS) policy which lists an excluded host, and the clients are communicating with this host using the specified traffic (e.g. the IP address of the FTP server is included in the IPS excluded hosts list)
This is working as designed.
When a SEP client communicates with an Excluded Host, it allows all inbound and outbound traffic from that host, regardless of the firewall rules and settings or IPS signatures. The IPS exclusions apply to both the firewall and the IPS components within the SEP client, so a firewall block rule is never evaluated for that host and no Traffic or Packet log entry is produced.
The SEPM Administration Guide PDF document further explains the behavior:
Setting up a list of excluded computers
The Symantec Endpoint Protection client may define some normal Internet activities as attacks. For example, some Internet service providers scan the ports of the computer to ensure that you are within their service agreements. Or, you may have some computers in your internal network that you want to set up for testing purposes.
You can set up a list of computers for which the client does not match attack signatures or check for port scans or denial-of-service attacks. The client allows all inbound traffic and outbound traffic from these hosts, regardless of the firewall rules and settings or IPS signatures.
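The precedence described above (an IPS excluded host is allowed before any firewall rule is consulted, and nothing is logged) is the reason the block rule appears to do nothing. The following Python script is an added example, not part of this article or of the SEP product; it models that evaluation order with a hypothetical rule and exclusion data model (not SEPM's API) and provides a check an administrator can run against an exported rule set and excluded-host list to find which block rules a given host silently bypasses. All IP addresses and rules are constructed sample data.

```python
"""Model of the evaluation order described in TECH155246: traffic to or
from an IPS excluded host is allowed before the firewall rules run and
writes no Traffic/Packet log entry. Data model is hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str      # "block" or "allow"
    protocol: str    # "tcp" or "udp"
    port: int        # remote port the rule matches


@dataclass(frozen=True)
class Verdict:
    action: str      # what the client does with the traffic
    reason: str      # which exclusion or rule decided it
    logged: bool     # whether a Traffic log entry would be written


def evaluate(remote_ip: str, protocol: str, port: int,
             excluded_hosts: Iterable[str],
             rules: Iterable[FirewallRule]) -> Verdict:
    """Decide a connection the way the article describes: exclusions first,
    then firewall rules in order, then an implicit allow."""
    ip = ipaddress.ip_address(remote_ip)
    # IPS excluded hosts short-circuit both the IPS and the firewall and are
    # not logged, which is the behaviour the article calls "as designed".
    for entry in excluded_hosts:
        if ip in ipaddress.ip_network(entry, strict=False):
            return Verdict("allow", f"IPS excluded host {entry}", logged=False)
    for rule in rules:
        if rule.protocol == protocol and rule.port == port:
            return Verdict(rule.action, f"firewall rule '{rule.name}'", logged=True)
    return Verdict("allow", "no matching rule", logged=True)


def find_bypassed_blocks(connections: Iterable[Tuple[str, str, int]],
                         excluded_hosts: Iterable[str],
                         rules: Iterable[FirewallRule]) -> List[Tuple[str, str, int, str, str]]:
    """Return the connections that a block rule would have stopped if the
    remote host were not on the IPS excluded hosts list. Each entry carries
    the exclusion that allowed it and the rule it bypassed."""
    excluded = list(excluded_hosts)
    rule_list = list(rules)
    bypassed = []
    for remote_ip, protocol, port in connections:
        actual = evaluate(remote_ip, protocol, port, excluded, rule_list)
        if actual.logged:
            continue  # decided by the firewall itself, nothing hidden here
        without_exclusion = evaluate(remote_ip, protocol, port, [], rule_list)
        if without_exclusion.action == "block":
            bypassed.append((remote_ip, protocol, port,
                             actual.reason, without_exclusion.reason))
    return bypassed


# Constructed sample data (documentation ranges, not real hosts).
RULES = [
    FirewallRule("Block FTP control", "block", "tcp", 21),
    FirewallRule("Block FTP data", "block", "tcp", 20),
]
EXCLUDED_HOSTS = ["192.0.2.10", "198.51.100.0/24"]
CONNECTIONS = [
    ("192.0.2.10", "tcp", 21),      # FTP server on the excluded list
    ("203.0.113.7", "tcp", 21),     # FTP to a host that is not excluded
    ("198.51.100.44", "tcp", 20),   # FTP data to an excluded subnet
    ("203.0.113.7", "tcp", 443),    # HTTPS, no rule matches
]

if __name__ == "__main__":
    for remote_ip, protocol, port in CONNECTIONS:
        v = evaluate(remote_ip, protocol, port, EXCLUDED_HOSTS, RULES)
        print(f"{remote_ip}:{port}/{protocol} -> {v.action:5} ({v.reason}; logged={v.logged})")
    print("Block rules bypassed by IPS exclusions:")
    for entry in find_bypassed_blocks(CONNECTIONS, EXCLUDED_HOSTS, RULES):
        print("  ", entry)
```

Running the script against the sample data shows the FTP connection to 203.0.113.7 being blocked and logged, while the same traffic to 192.0.2.10 and 198.51.100.44 is allowed with no log entry, which matches the symptoms in this article. When a block rule appears to be ignored, run the rule set and the IPS excluded hosts list through `find_bypassed_blocks` before adjusting the firewall policy.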
Imported Document ID: TECH155246