I have an auditor that needs me to run a report which will show them which firewall rules and scanning exemptions are set up on our domain. Is there a way I can do that?
This document (7021268) is provided subject to the disclaimer at the end of this document.
Here are the IP addresses that need to be allowed to connect to your Email Server and deliver mail:
These IP addresses must be able to connect to your SMTP Gateway to ensure successful Email delivery.
We are running a trial on Networker and are attempting to do a file level restore from a VM that was backed up to a Data Domain. The Data Domain is on a different network behind firewalls and NAT is used.
From the vProxy logs we see the nfs add from the Data Domain, but it’s using hard-coded IP addresses.
2018/07/06 14:43:59 TRACE: [@(#) Build number: 194] Output of ‘nfs add /data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44 10.33.160.75 fe80::250:56ff:fe93:2ec0 10.97.167.48 fe80::225:b5ff:fe03:22c (rw,no_root_squash,no_all_squash,secure)’ on host ‘kdc-dd1.bus’:
2018/07/06 14:43:59 TRACE: [@(#) Build number: 194] NFS export for “/data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44” added.
It then fails to create the datastore, I’m assuming because the Data Domain knows nothing about those IPs as they are real addresses – not the NATed ones that would be expected on the Data Domain network side.
2018/07/06 14:43:59 INFO: [@(#) Build number: 194] Removing NFS export at ‘kdc-dd1.bus:/data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44’
2018/07/06 14:44:01 TRACE: [@(#) Build number: 194] Output of ‘nfs del /data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44 10.33.160.75 fe80::250:56ff:fe93:2ec0 10.97.167.48 fe80::225:b5ff:fe03:22c’ on host ‘kdc-dd1.bus.unisys.net.nz’:
2018/07/06 14:44:01 TRACE: [@(#) Build number: 194] Deleted 4 NFS clients.
2018/07/06 14:44:01 TRACE: [@(#) Build number: 194] (End of command output)
2018/07/06 14:44:01 INFO: [@(#) Build number: 194] Unmounting after mount failure: Unable to create datastore ‘EMC-FLR-IRTTENVP01-1525389553’ using ‘kdc-dd1.bus:/data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44’: ServerFaultCode: An error occurred during host configuration.
2018/07/06 14:44:01 TRACE: [@(#) Build number: 194] Entering doUnmount
2018/07/06 14:44:01 TRACE: [@(#) Build number: 194] Connecting to backup device ‘kdc-dd1.bus’
2018/07/06 14:44:02 NOTICE: [@(#) Build number: 194] DD Model = “DD6300”, DDOS Version = “Data Domain OS 18.104.22.168-579789”, DD Boost Version = “22.214.171.124-569771”.
2018/07/06 14:44:02 INFO: [@(#) Build number: 194] Releasing datastore ” ()
2018/07/06 14:44:02 INFO: [@(#) Build number: 194] Removing NFS export at ‘kdc-dd1.bus:/data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44’
2018/07/06 14:44:03 ERROR: [@(#) Build number: 194] Unable to remove NFS export at ‘kdc-dd1.bus.unisys.net.nz:/data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44’: Unable to run SSH command, error Unable to get command output of ‘nfs del /data/col1/kdc-nsrvf1/FLR-IRTTENVP01-00e3c487-b721-45d6-9789-83be01dacb44 ‘, error Process exited with: 34. Reason was: ()
We want the vProxy to use the hostnames – not the IPs. Does this suggest the vProxy is not supported for NAT? I can’t find anything in the documentation on this.
Any help would be appreciated.
Just wondering if anyone has seen issues with setting up the VPN tunnel failover monitoring for WSS on a Palo firewall.
We are trying to set it to monitor the Sydney data centre IP.
peer ip: 126.96.36.199
But the remote endpoint Symantec gets no response to the heartbeat/keep-alives and keeps trying to renegotiate keys when no response is received.
To be clear, the Palo guide has been followed to the letter, but it is light on the details to set the monitoring.
It gives the following detail on monitoring:
Assign the Monitor.
From the Palo log:
monitor status: down
monitor dest: 188.8.131.52
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 825
monitor packets recv: 0
monitor packets seen: 0
monitor packets reply:0
The tunnel comes up and runs fine, but when monitoring is set no response is received.
Is there a way to use SEP 14 to block network access on Windows 10 1703 and older Windows 10 versions?
We have some Win10 users who are dragging their feet on upgrading to Win10 1709, so we want to see if we can use SEP14 to implement Firewall Rules or IPS or anything in SEP’s arsenal to automatically block network access if the OS is Windows 10 1703 and older Win10 versions, and automatically unblock when Win10 1709 is installed?
Running SEPC on a number of OS X 10.13.6 machines.
In the documentation we find:
“For OS X devices, there is no difference in the functionality between the More Secure and Only Outbound & Trusted App levels.”
The documentation also mentions that at the “Secure” and “More Secure” levels:
“Custom rules are processed first followed by the default rules.”
A test using 2 machines using a private network 10.1.15.xxx
10.1.15.200 — We set up an FTP server on port 45000 and a file server on port 8080
10.1.15.4 — Used to access the ftp and file server to see how we can configure the Firewall(s)
10.1.15.200 Firewall Level set to “Secure”:
In this test we were hoping to see a general permissive Firewall on connections from local network with possibility to block certain machines, ports etc.
Regardless of any other settings, the Firewall accepts ALL connections from the local network to reach ports 45000 and 8080.
– Adding a test rule “BLOCK ALL”, specifying “Block, Inbound & Outbound, Any computer, All communication” –> The Firewall still accepts all connection attempts from the local network.
– Adding an explicit Firewall Rule to Block TCP&UDP on ports 45000 and 8080 on connections from 10.1.15.4 –> The Firewall still accepts all connection attempts from computer 10.1.15.4.
Turning the test around –> 10.1.15.200 Firewall Level set to “More Secure”:
In this test we were hoping to see a more protective Firewall that would block most connections, but being able to add rules to allow certain traffic — remembering the documentation saying “Custom rules are processed first followed by the default rules.”
Regardless of any other settings, the Firewall blocks all attempts to connect on ports 45000 and 8080.
– Adding a test rule “ALLOW ALL”, specifying “Allow, Inbound & Outbound, Any computer, All communication” –> The Firewall blocks all connection attempts on mentioned ports.
– Adding an explicit Rule to Allow TCP/UDP on ports 45000 and 8080 connections from 10.1.15.4 –> The Firewall Blocks all connection attempts from computer 10.1.15.4
– On the 10.1.15.200 -> In the SEPC -> Security History -> Connection Blocking -> ‘right-click’ a blocked event and select “Trust address…” -> “Add to Trust Zone” (Pop-up window saying “…will permanently allow the computer to connect…”) –> The result is still that the Firewall continues to Block all connections from the computer just added to the “Safe Zone”.
Conclusion so far:
No matter how you set the different Rules and/or switches — The Firewall behaviour looks to be determined only by installed programs and the “Firewall Level”, and your custom rules are not used, or are ignored.
Has anyone managed to configure the SEPC Firewall for OS X and made custom rules work?
We’re using SEP 14.x with activated SEP firewall on our W7 systems. Now I’m just wondering why a detected port scan does not trigger an automatic block of the attacker’s IP address. Could anyone tell me when a logged port scan detection triggers an automatic block and when not? My understanding is, if there is a detected port scan then, if it’s enabled, IPS is generating an active response, which means blocking the attacker’s IP address for a period of time.
Until August 14th this worked fine; since then no attackers’ IPs were blocked anymore. Why?
Thanks in advance for useful suggestions 😉
With block: 2018-08-21 09_55_37-Symantec.png
Without block: 2018-08-21 09_57_04-Symantec.png
We have a few computers which are SEP clients and have been recently “disconnected” from internet access on our router firewall. We are using an external LiveUpdate server and the specific LiveUpdate addresses were also configured (allowed) on the firewall. All the virus definitions and client versions are up to date so it works, but after this whole operation we are constantly getting e-mail notifications from SEPM and the reports are saying “Over the last 3 days the reputation check for unconfirmed files was unsuccessful due to network errors” (something like that, I had to translate it) – yes, this information is provided every 3 days for every client without internet access.
Should I add some address/addresses to the firewall list or configure something in SEPM? Is Symantec checking the reputation of some files online in this scenario?
Would be grateful for every kind of help or suggestions.
What is the argument for leaving on the SEP firewall when you are on your corporate LAN and behind the corporate firewall?
The argument to disable the firewall would be to reduce complexity and any potential issues with some applications, but why would this be a bad idea?
Location awareness is in use when off LAN (i.e. can’t connect to management server) to then enable the firewall, so remote users are still protected.
I would like to create a Mac client package without the firewall, but unlike Windows packages I can’t seem to find a way to exclude features for the SEP client.
We have a user who travels frequently and uses multiple VPN clients to connect to multiple development environments, and the SEP client prevents him from accessing some systems.
We found in the logs some blocked connections to certain remote IPs. I have tried creating exclusions in the firewall policy, but there are just too many to create for him.
He would like to use the Mac OS X default firewall and keep the virus protection.