Symantec Endpoint Protection (SEP) for Mac includes new firewall functionality, and its default firewall rules do not yet cover some common macOS network services.
macOS
SEP 14.2
The firewall feature in SEP for Mac is new and still under development. As it matures, it will ship more complete default rules for common macOS network services; until then, the default rule list may need editing.
The following are suggested edits to the SEP firewall policy in Mac Settings. (A firewall policy also has separate Windows Settings; these edits do not apply there.)
Add these rules to Mac Settings rules, just above "Block broadcast and multicast traffic and don't log" rule:
Rule Name | Action | Host | Service
Allow AirPlay (Screen Mirroring, et al.) | Allow | Any | TCP [Destination* Port: 7000, 49152-65535]; UDP [Destination Port: 5353, 49152-65535]
Allow Printing | Allow | Any | TCP [Destination Port: 631]; UDP [Destination Port: 161]
Allow AirDrop | Allow | Any | TCP [Destination Port: 8770], both directions
Allow AirPort | Allow | Any | UDP [Destination Port: 192], both directions
Allow Kerberos | Allow | Any | TCP and UDP [Remote Port: 88], both directions
Allow outgoing DLP | Allow | Any | TCP [Remote Port: 10443], outgoing
Allow outgoing RDP (Apple Remote Desktop) | Allow | Any | TCP [Remote Port: 3283], outgoing
Allow outgoing JAMF | Allow | IP address of the JAMF server | TCP [Remote Port: 8443], outgoing
Allow LDAP | Allow | Any | TCP [Remote Port: 389], both directions; TCP [Remote Port: 3268], outgoing
Allow Link-local Ephemeral TCP (Universal Control, possibly other services) | Allow | Local and remote host both in the link-local range (169.254.0.0/16 or fe80::/10) | TCP [Local and Remote Port: 49152-65535]
* A rule on "destination port" matches both outgoing and incoming connections. To allow outgoing connections only, use "remote port"; to allow incoming connections only, use "local port". Prefer the narrowest of the three that still makes the service work.
Edit these existing rules in Mac Settings rules; the change to make is given at the end of each row:
Allow web traffic | Allow | Any | TCP and UDP [Remote Port: 80, 443], outgoing | Change: remove UDP, leaving TCP only
Allow Local File Sharing to private IP addresses | Allow | Any | Change: add UDP [Remote Port: 138], outgoing
To allow other applications, for example Perforce, which uses TCP port 1666, add an explicit rule like the one below:
Allow Perforce | Allow | Any | TCP [Remote Port: 1666], outgoing
References
Apple's "TCP and UDP ports used by Apple software products" article and third-party vendor support pages are not always clear about port requirements. In those cases, a useful technique for isolating the protocols and ports a resource actually needs is the following.
1. Get the IPv4 and IPv6 addresses of the resource (an Apple TV, a printer, etc.) with "ping hostname" and "ping6 hostname"; on the local network you may need to append ".local" to the hostname.
2. At the top of the SEP Mac firewall rules, create an "Allow" rule for those addresses that writes to the traffic log, and directly below it an "Allow All" rule that does not log.
3. Connect to the resource and note the destination ports and protocol (UDP/TCP) that the SEP client logs for the address rule.
4. Create a second, more refined rule above the first one that allows all hosts but only the destination ports seen in the log, with logging disabled. Keep testing: any traffic still logged by the "Allow IP address" rule is a port or protocol the refined rule does not yet cover, so add it to the top rule and repeat.
5. If the log shows what looks like random non-ephemeral port usage, e.g. 9616/9623/9286, allow a range such as 9000-10000. Destination ports of 49152 or higher generally mean the application picks ports at random from the ephemeral range, so allow 49152-65535.
6. Once the refined rule is stable, remove the temporary "Allow All" and logging rules; while they sit at the top of the list the firewall is effectively open.
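The shell script below is an added example, not part of the original article and not SEP's own tooling. It applies the refinement heuristics above to exported traffic-log lines: it keeps only lines whose remote address is the resource under test, collapses destination ports at or above 49152 into the 49152-65535 range, and collapses three or more scattered non-ephemeral ports in the same 1000-port block (9286/9616/9623) into that block (9000-10000). The log line layout it parses, the sample lines, and the addresses are constructed for the example; the SEP client's real export format differs, so adjust the awk field positions to match your export. The resolve_resource helper wraps the ping/ping6 step and only works on a macOS host that can reach the resource.

```shell
#!/bin/sh
# Added example: derive a suggested SEP port list from traffic-log lines for one resource.
# The line layout below is CONSTRUCTED for this example (not SEP's real export format):
#   <date> <time> <rule-name> <proto> <local_ip>:<local_port> -> <remote_ip>:<remote_port>
set -eu

# Resolve a resource's IPv4/IPv6 addresses with ping/ping6, falling back to "<name>.local"
# for Bonjour hosts. macOS only; prints "v4 v6" and fails if neither resolves.
resolve_resource() {
  for n in "$1" "$1.local"; do
    v4=$(ping -c 1 "$n" 2>/dev/null | sed -n 's/^PING [^(]*(\([^)]*\)).*/\1/p')
    v6=$(ping6 -c 1 "$n" 2>/dev/null | sed -n 's/.* --> \([^ ]*\).*/\1/p')
    if [ -n "$v4$v6" ]; then
      printf '%s %s\n' "$v4" "$v6"
      return 0
    fi
  done
  return 1
}

# Tally proto/destination-port pairs logged for ADDR and print the ranges to allow.
# Ports >= 49152 collapse to 49152-65535; three or more distinct non-ephemeral ports in the
# same 1000-port block collapse to that block, e.g. 9286/9616/9623 -> 9000-10000.
suggest_ports() {
  logfile=$1
  addr=$2
  awk -v addr="$addr" '
    $6 == "->" {
      ip = $7;   sub(/:[0-9]+$/, "", ip)        # strip ":port"; also works for IPv6 literals
      port = $7; sub(/.*:/, "", port); port += 0
      if (ip != addr) next
      proto = $4
      if (port >= 49152) { ranges[proto ":49152-65535"] = 1; next }
      if (!((proto, port) in ports)) {
        ports[proto, port] = 1
        bucket[proto, int(port / 1000)]++      # distinct low ports per 1000-port block
      }
    }
    END {
      for (k in ports) {
        split(k, f, SUBSEP); proto = f[1]; port = f[2]
        b = int(port / 1000)
        if (bucket[proto, b] >= 3) {
          lo = b * 1000; hi = lo + 1000
          ranges[proto ":" lo "-" hi] = 1
        } else {
          ranges[proto ":" port] = 1
        }
      }
      for (r in ranges) print r
    }' "$logfile" | LC_ALL=C sort -u
}

# Constructed sample of what the logging "Allow <resource IP>" rule might capture while
# mirroring to an Apple TV at 192.168.1.50 (addresses and ports are invented).
write_sample_log() {
  cat > "$1" <<'EOF'
2024-01-15 10:01:02 Allow-AppleTV TCP 192.168.1.20:52001 -> 192.168.1.50:7000
2024-01-15 10:01:02 Allow-AppleTV UDP 192.168.1.20:5353 -> 192.168.1.50:5353
2024-01-15 10:01:03 Allow-AppleTV TCP 192.168.1.20:52002 -> 192.168.1.50:49200
2024-01-15 10:01:04 Allow-AppleTV TCP 192.168.1.20:52003 -> 192.168.1.50:9616
2024-01-15 10:01:04 Allow-AppleTV TCP 192.168.1.20:52004 -> 192.168.1.50:9623
2024-01-15 10:01:05 Allow-AppleTV TCP 192.168.1.20:52005 -> 192.168.1.50:9286
2024-01-15 10:01:06 Allow-All TCP 192.168.1.20:52006 -> 192.168.1.99:443
EOF
}

# Usage: suggest_ports <exported log> <resource address>. Demo on the sample log:
log=$(mktemp)
write_sample_log "$log"
suggest_ports "$log" 192.168.1.50
rm -f "$log"
```

Each output line (for example TCP:7000 or UDP:49152-65535) is one protocol/port entry for the refined rule's Service column; lines for other addresses, such as the 192.168.1.99:443 entry matched by the Allow All rule, are ignored. Re-run against a fresh export after each round of testing until the logging rule stops recording new entries.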