Using " * " or "Any" in the Application field of a new firewall rule

Article ID: 151456

Products

Endpoint Protection

Issue/Introduction

You need to know the difference between using the asterisk (*) and using "Any" in the Application field when you create a firewall rule in Symantec Endpoint Protection (SEP), and why the default "Allow all applications" rule does not pass Internet Control Message Protocol (ICMP) or broadcast traffic.

Resolution

When you create a firewall rule in the Symantec Endpoint Protection Manager (SEPM), there is a difference between using an asterisk and using "Any" in the Application field of the rule to match all applications.

  • "Any"
    "Any" matches all packets, regardless of which application acts as the source or destination. No running application needs to be associated with the traffic. This setting therefore matches traffic such as incoming broadcast packets and ICMP traffic, for example ping requests.
  • Asterisk (*)
    An asterisk in the Application field matches only packets that the system has associated with a running application. Incoming broadcast and ICMP traffic, for example, would be excluded from a rule with this configuration.

The default "Allow all applications" rule, which is included when you create a new policy, uses the asterisk, so it does not match incoming ICMP traffic. To allow a ping of a host that runs the SEP firewall, use the "Allow ping" rule.
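
The following Python sketch is an added example, not Symantec code. It models only the Application-field behaviour described above and flags ICMP rules written with an asterisk. The rule and packet dictionaries, the "Custom ICMP allow" rule, and the assumption that "Allow ping" uses "Any" are all constructed for illustration and are not a SEPM export format.

```python
# Added illustration of the Application-field behaviour described in this article.
# Rule and packet dictionaries are a constructed format, not a SEPM export.

def app_field_matches(rule_app, packet_app):
    """packet_app is None when no running application is associated with the packet."""
    if rule_app == "Any":
        return True                      # matches every packet
    if rule_app == "*":
        return packet_app is not None    # needs an associated running application
    raise ValueError(f"unmodelled Application value: {rule_app!r}")

def matching_rules(rules, packet):
    """Names of the rules whose protocol and Application fields both match the packet."""
    return [r["name"] for r in rules
            if r["protocol"] in ("any", packet["protocol"])
            and app_field_matches(r["application"], packet["app"])]

def icmp_rules_using_asterisk(rules):
    """Lint: ICMP rules written with '*' will not match incoming ICMP."""
    return [r["name"] for r in rules
            if r["protocol"] == "icmp" and r["application"] == "*"]

RULES = [
    {"name": "Allow all applications", "application": "*", "protocol": "any"},
    # Assumption: "Allow ping" is modelled with Application = Any.
    {"name": "Allow ping", "application": "Any", "protocol": "icmp"},
    # Constructed example of a custom rule that looks right but uses the asterisk.
    {"name": "Custom ICMP allow", "application": "*", "protocol": "icmp"},
]

PACKETS = {
    "incoming ping": {"protocol": "icmp", "app": None},
    "incoming broadcast": {"protocol": "udp", "app": None},
    "browser session": {"protocol": "tcp", "app": "browser.exe"},
}

if __name__ == "__main__":
    for label, packet in PACKETS.items():
        print(f"{label:20} -> {matching_rules(RULES, packet) or 'no rule matches'}")
    print("ICMP rules using '*':", icmp_rules_using_asterisk(RULES))
```
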