Symantec Endpoint Protection - Network Threat Protection traffic log shows "GUI%GUICONFIG#[email protected]#Normal" instead of the rule function or the rule name


Article ID: 177853


Updated On:


Endpoint Protection


The text "GUI% GUICONFIG#[email protected]#Normal" is shown from the client side rules (Mixed or Client control mode) when viewing the traffic log, and is difficult to distinguish what the rule function or rule name is.


This problem is fixed in Symantec Endpoint Protection 11.0.6000.550 (RU6) to show the rule name. For information on how to obtain the latest build of Symantec Endpoint Protection, read Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.

Workaround prior to RU6 release to find the actual rule name or function:
1. Open Symantec Endpoint Protection (SEP) client.
2. Under Status > Network Threat Protection > Options, click Configure Firewall Rules.
3. In the Configure Firewall Rules dialog box you will see a list of rules, the first rule used is at the top which will be rule 100 (or position1), the next rule down is 101, 102, 103, 104, and so forth...

4. When viewing the traffic log from the SEP client (View Logs > Network Threat Protection > View Logs > Traffic Log) you may see an action that shows a Rule similar to one of these:
5. Examples that correlate the traffic log entries with the client-side rules:
To find the function of rule "GUI%GUICONFIG#[email protected]#Normal_102", open Configure Firewall Rules dialog box on the SEP client and count down to position three from the top, the "GUI%GUICONFIG#[email protected]#Normal_102" represents (same as) the "Block IPv6 (Ethernet type 0x86dd)".

To find the function of rule "GUI%GUICONFIG#[email protected]#Normal_105", open Configure Firewall Rules dialog box on the SEP client and count down to position six from the top, the "GUI%GUICONFIG#[email protected]#Normal_105" represents (same as) the "Allow All Test Rule".

When looking at the screenshot, the first five rules listed from the top are default built-in client-side rules with a fresh install and are used when the managed SEP client is in Mixed control or Client control mode, from the traffic log the rules will show as (...Normal_100 to ...Normal_104). When the traffic log shows rules activated beyond (...Normal_104), this is a clear indication that the user has created their own rules.

The rule position or priority can be changed for any of the rules. For example, the user created rule called "Allow All Test Rule" can be moved to the top of the list, (position 1), when the rule is activated, the traffic log will show it as rule "GUI%GUICONFIG#[email protected]#Normal_100".