Data to gather if the Endpoint Protection Mac Network Content Filter is causing network interruptions
Article ID: 236199

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection (SEP) for Mac agent has installed a Network Content Filter (NCF) with every agent since the redesigned Mac agent released with 14.3 RU1. The NCF interacts with Apple's Filter Data Provider, which is otherwise known as the network stack. The Mac agent's Firewall and Intrusion Prevention System features rely on the NCF to properly evaluate the traffic in the network stack.

When troubleshooting network interruptions where you suspect that the SEP client is contributing to the issue, first review the document below; it will help you isolate the issue to a specific feature, a policy, or the NCF component itself.

How to troubleshoot SEP / SES for Mac - disabling network filtering and other components

If you have isolated the issue strictly to whether the NCF component is enabled or disabled, the only workaround is often to keep it disabled until the product team can identify and release a fix for the issue.

Environment

Endpoint Protection for Mac 14.3 RU1 and newer
macOS 10.15 and newer

Resolution

The best thing to do at this point is to open a case with support and be prepared to collect network related data while reproducing the issue.

Here is a list of data that support may need to move forward.

  • SMC debug logging - While it is standard practice to enable SMC debug logging for troubleshooting, in this instance it is optional. SMC debug does not show much in the way of NCF related activity. If you are running the SES Mac agent you can ignore this, since it does not offer SMC debug logging.

  • GatherSymantecInfo (GSI) should be collected, provided it is collected immediately after reproducing the issue. The main NCF-related data in this output is the CPU sampling of our system extension, which can show NCF interaction with our main system extension. See the document on obtaining this tool in the References section.

  • Packet capture - You can collect a packet capture while the issue is happening using Apple's built-in command. Type the following in terminal to start capturing:

         sudo tcpdump -i all -n -w ~/Desktop/trace.pcap

    Stop capturing after the issue has been reproduced by typing Ctrl-C with the terminal window active.

  • Network extension subsystem logging (collected with sysdiagnose after reproduction)
    To enable this logging enter these two separate commands in terminal:

         sudo log config --subsystem com.apple.networkextension --mode persist:debug,level:debug

         sudo log config --subsystem com.apple.networkextension --category "" --mode persist:debug,level:debug

    To verify the logging status enter the following command in terminal:

         sudo log config --subsystem com.apple.networkextension --status

    Expected results:  “Mode for ‘com.apple.networkextension’ DEBUG PERSIST_DEBUG”

    After issue reproduction, run sysdiagnose using 'sudo sysdiagnose' to collect the subsystem logging, then disable networkextension subsystem logging with the following command.

         sudo log config --subsystem com.apple.networkextension --reset


Make sure to compress the data and upload it to your support case.
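The following script is an added example that wraps the steps above (enable networkextension logging, verify it, capture packets, collect sysdiagnose, reset logging, compress) into one run; it is not part of this article or of the Symantec product. It assumes an output folder under ~/Desktop named ncf-case-<timestamp> (overridable via OUT_DIR), that sudo credentials are cached with `sudo -v` before the background tcpdump starts, and that `sysdiagnose -f <dir>` is used to place the archive in that folder. The status check is written as a function over the status text so it can be exercised without running `log`.

```bash
#!/bin/bash
# Added example (not from the article): one-shot collection of the data support asks for.
# Assumption: output goes to ~/Desktop/ncf-case-<timestamp> unless OUT_DIR is set.
set -u

SUBSYSTEM="com.apple.networkextension"
OUT_DIR="${OUT_DIR:-$HOME/Desktop/ncf-case-$(date +%Y%m%d-%H%M%S)}"
CAPTURE_PID=""

# Returns 0 when the text from `log config --subsystem ... --status` shows the mode
# the article expects ("DEBUG PERSIST_DEBUG"), 1 otherwise. Takes the text as an
# argument so it can be checked on a machine without the `log` tool.
ncf_logging_enabled() {
    case "$1" in
        *"DEBUG PERSIST_DEBUG"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The two enable commands from the article, followed by the verification step.
enable_ne_logging() {
    sudo log config --subsystem "$SUBSYSTEM" --mode persist:debug,level:debug
    sudo log config --subsystem "$SUBSYSTEM" --category "" --mode persist:debug,level:debug
    status="$(sudo log config --subsystem "$SUBSYSTEM" --status 2>&1)"
    if ncf_logging_enabled "$status"; then
        echo "networkextension logging enabled: $status"
    else
        echo "unexpected logging status, aborting: $status" >&2
        return 1
    fi
}

# Background tcpdump, same options as the article; Ctrl-C is replaced by SIGINT later.
start_capture() {
    mkdir -p "$OUT_DIR"
    sudo tcpdump -i all -n -w "$OUT_DIR/trace.pcap" &
    CAPTURE_PID=$!
    echo "packet capture started (pid $CAPTURE_PID), writing $OUT_DIR/trace.pcap"
}

stop_capture() {
    sudo kill -INT "$CAPTURE_PID"
    wait "$CAPTURE_PID" 2>/dev/null || true
    echo "packet capture stopped"
}

# Reset is run even if sysdiagnose fails, so debug logging never stays on by accident.
collect_and_reset() {
    sudo sysdiagnose -f "$OUT_DIR" || echo "sysdiagnose reported an error" >&2
    sudo log config --subsystem "$SUBSYSTEM" --reset
}

# Produces the compressed bundle to attach to the support case; prints its path.
compress_bundle() {
    tar -czf "$OUT_DIR.tgz" -C "$(dirname "$OUT_DIR")" "$(basename "$OUT_DIR")"
    echo "$OUT_DIR.tgz"
}

main() {
    [ "$(uname)" = "Darwin" ] || { echo "run this on the affected Mac" >&2; return 1; }
    sudo -v                              # cache credentials so the background tcpdump can start
    enable_ne_logging || return 1
    start_capture
    printf 'Reproduce the network interruption now, then press Enter to stop collection... '
    read -r _
    stop_capture
    collect_and_reset
    echo "Upload this file to your support case: $(compress_bundle)"
}

# Only run the collection when invoked as `./collect_ncf.sh run`; sourcing the file
# just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Run it as `sudo -v && ./collect_ncf.sh run`, reproduce the issue, and press Enter; GatherSymantecInfo and SMC debug logging are outside this script and should still be collected as described above.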


Reference articles:

How to Debug Symantec Endpoint Protection SymDaemon on the Macintosh client

Gathering information about Symantec products on a Mac using GatherSymantecInfo

How to generate star platform debug logging for Endpoint Protection Mac client