A firewall alert pop up appears on a Symantec Endpoint Protection (SEP) client, indicating there is traffic bound for a remote IP address. However, the alert does not contain information about what process or executable is generating the traffic. There is also not an option to create a rule based on the decision to allow or deny or log.
This kind of alert is generated by traffic generated by driver or other non-executable file or process.
Determine what else is occurring at the time of the pop up. For example, if VPN software has just been launched, there may be a process related to that software that is the source of the traffic. You may need to create a rule for that application if one does not exist, or modify an existing rule that is either too restrictive or does not contain enough appropriate match criteria.
Another cause for this kind of popup may be a virus infection. Be sure your AntiVirus/AntiSpyware definitions are up to date by running LiveUpdate and then run a full scan. If you are still experiencing popups, contact Symantec Technical Support for further assistance.
SEP clients using the Network Threat Protection (NTP) component (firewall), with notifications enabled.