
Unexpected behavior from Endpoint Protection for Mac firewall when rules are using incompatible criteria


Article ID: 173920


Updated On:

Products

Endpoint Protection

Issue/Introduction

Older versions of the Symantec Endpoint Protection Manager (SEPM) allowed the copying and pasting of firewall rules between the Windows and Mac sections of policy. This may result in unexpected behavior from the SEP for Mac firewall. Other rule components, such as Host Groups, also must not contain incompatible criteria if used with SEP for Mac.

Symptom examples:

  • System may become unresponsive.
  • Network traffic may not be blocked or allowed as expected.
  • Constant IPS detections of Trojan.Sibakdi or Trojan.Backdoor; this is caused by using Host Groups that include DNS Domains.

Cause

Unexpected SEP for Mac firewall behavior may be due to incompatible rule criteria. Criteria that are not supported in SEP for Mac:

  • Application name
  • Adapter
  • DNS domain
  • Local Subnet
  • MAC address

Resolution

Recreate any related firewall policy from scratch.

Do not copy/paste rules between the Windows and Mac sections of the SEP firewall policy. SEPM versions 14.2 RU1 MP1 and newer do not allow this operation, but a bad policy may have been inherited from an older SEPM that has since been upgraded. It is also possible that the firewall policy is using a Host Group that includes Mac-incompatible criteria.