DNS lookups from Endpoint Protection Mac client are seen when domains are defined in Firewall rules

Article ID: 173943

Products

Endpoint Protection, Endpoint Security

Issue/Introduction

When the Firewall component of the Symantec Endpoint Protection (SEP) for Mac client uses rules that reference domains (entered manually or via Host Groups), DNS lookups are seen after policy updates and after a reboot or client daemon restart.

Environment

macOS
SEP 14.2+

Resolution

This behavior is by design.

As soon as the SEP for Mac client receives a new firewall policy which contains hostnames defined in the rules, the client will perform a DNS lookup for each hostname in order to get the IP address. The actual request is made to the configured DNS server for the host. The DNS response will contain the IP address of the host which the client will use to create/update the Firewall rule specific to the queried host’s IPs. This allows the Firewall to block or allow those IPs as defined in the applicable rule(s).
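
When reviewing resolver logs, the lookups described above show up as one client querying every hostname in the firewall policy within a short span. The following added example (not code from this article or from the product) separates such bursts from isolated lookups of the same names; the log format, client names, hostnames and the 10-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: hostnames assumed to be defined in the firewall rules.
POLICY_HOSTS = {"updates.example.com", "intranet.example.net", "blocked.example.org"}

# Constructed resolver log (assumed format): timestamp, client, queried name.
DNS_LOG = """\
2024-05-01T09:00:01 mac-014 updates.example.com
2024-05-01T09:00:01 mac-014 intranet.example.net
2024-05-01T09:00:02 mac-014 blocked.example.org
2024-05-01T09:14:40 mac-014 blocked.example.org
2024-05-01T09:20:05 mac-022 intranet.example.net
2024-05-01T09:20:06 mac-022 www.example.edu
"""

def parse(log):
    """Yield (time, client, name) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name.lower().rstrip(".")

def classify(log, policy_hosts, window=timedelta(seconds=10)):
    """Split policy-hostname queries into full-policy bursts and isolated lookups."""
    per_client = defaultdict(list)
    for ts, client, name in parse(log):
        if name in policy_hosts:  # names outside the policy are out of scope here
            per_client[client].append((ts, name))
    bursts, isolated = [], []
    for client, events in per_client.items():
        events.sort()
        i = 0
        while i < len(events):
            start, j = events[i][0], i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            if {name for _, name in events[i:j]} == policy_hosts:
                bursts.append((client, start))  # consistent with a policy load
                i = j
            else:
                isolated.append((client, *events[i]))  # not explained by a policy load
                i += 1
    return bursts, isolated

if __name__ == "__main__":
    bursts, isolated = classify(DNS_LOG, POLICY_HOSTS)
    for client, start in bursts:
        print(f"{client}: full policy resolution at {start}")
    for client, ts, name in isolated:
        print(f"{client}: isolated lookup of {name} at {ts}")
```

An isolated lookup is only unexplained by the policy-load behavior; it still needs correlation with reboot or daemon restart times and with other processes on the host before drawing a conclusion.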