Symantec Endpoint Protection client cannot apply settings from its Manager - caused by error in firewall policy

Article ID: 157341

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) client machines are not updating with the latest policy version from the Symantec Endpoint Protection Manager (SEPM).

The clients are connected to the SEPM and can update other content.

When editing the settings for the client group on the manager, there is no manager-side issue in generating the new policy: policy version numbers are updated in the console, and new policy XML files are generated in the data/outbox/agent sub-folder corresponding to the client group.

 

Enabling the SEP client debug.log shows the client generating the following error when attempting to apply the new policy downloaded from the SEPM:


11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:invalid rawip protocol number, it should be 0-255
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:failed to import from DM
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:failed to import ServiceGroup from DM
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:fail to import ServiceGroupZone from DM
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:fail to import global group from profile
11/12 17:05:26 [1520:1700] import trident config for server profile failed

 

Cause

This issue can be caused by an incorrectly entered IP protocol number in one of the firewall policy rules on the SEPM.

Ethernet types are entered in the format 0xhhhh (hexadecimal; for example, 0x86dd for IPv6) and IP protocol numbers are entered in the format ddd (0-255; for example, 17 for UDP). Accidentally entering an intended Ethernet hexadecimal number (above 255) as an IP protocol number will pass the input validation for the field on the SEPM, but generate a policy file that the SEP clients fail to load.
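
The following is an added example, not Symantec code: a small Python triage script that scans a SEP client debug.log for failed policy imports and reports whether the exception chain contains the "invalid rawip protocol number" reason that points at a bad firewall rule. The sample log is constructed from the excerpt above, and the script assumes the log line layout shown there (timestamp, [process:thread], message), with the first exception in a chain being the most specific one.

```python
import re

# Constructed sample in the debug.log format shown above (chain shortened).
SAMPLE_LOG = """\
11/12 17:05:20 [1520:1700] unrelated line on the same thread
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:invalid rawip protocol number, it should be 0-255
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:failed to import from DM
11/12 17:05:26 [1520:1700] =======EXCEPTION: SndException ====
Reason Code: 0, Reason:fail to import global group from profile
11/12 17:05:26 [1520:1700] import trident config for server profile failed
"""

HEADER = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+:\d+)\] (.*)$")
REASON = re.compile(r"^Reason Code: \d+, Reason:(.*)$")
ROOT_SIGNATURE = "invalid rawip protocol number"
FAILURE_MARKER = "import trident config for server profile failed"


def find_policy_import_failures(log_text):
    """Return one record per failed policy import, with its exception chain."""
    failures, chains, awaiting = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            stamp, thread, message = header.groups()
            awaiting = None
            if "EXCEPTION: SndException" in message:
                awaiting = thread  # the Reason line follows without a thread id
            elif FAILURE_MARKER in message:
                reasons = chains.pop(thread, [])
                failures.append({
                    "timestamp": stamp,
                    "thread": thread,
                    "reasons": reasons,
                    # Assumption: as in the excerpt, the first exception is the most specific.
                    "root_cause": reasons[0] if reasons else None,
                    "firewall_protocol_error": any(ROOT_SIGNATURE in r for r in reasons),
                })
            else:
                chains.pop(thread, None)  # unrelated line ends that thread's chain
            continue
        reason = REASON.match(line)
        if reason and awaiting:
            chains.setdefault(awaiting, []).append(reason.group(1).strip())
            awaiting = None
    return failures
```

A record with firewall_protocol_error set to True indicates the cause described in this article; any other root_cause means the policy import failed for a different reason.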

 

Resolution

This problem is fixed in Symantec Endpoint Protection 12.1 Release Update 3 (12.1 RU3). For information on how to obtain the latest build of Symantec Endpoint Protection, read 'Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control'.

Should the problem not have its root in IP/Ethernet protocol validation, please edit the firewall policy assigned to the client group on the SEPM, and correct the problematic firewall rule inside. After this, the SEP clients can again download and apply the policy from their manager.