ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Endpoint Protection default firewall rules for Mac may not include some common macOS services

book

Article ID: 171774

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) 14.2 includes new firewall functionality, and default firewall rules may not include some common macOS services.

Cause

The firewall feature in SEP for Mac is new and under development. As this feature matures it will include more complete default firewall rules for common macOS network services. In the meantime, the default rule list may need editing.

Environment

macOS

SEP 14.2

Resolution

The following are suggested edits to SEP Firewall policy in Mac Settings (there are separate Windows Settings in firewall policy - these edits do not apply there).

Add these rules to Mac Settings rules, just above "Block broadcast and multicast traffic and don't log" rule:

Rule Name Action Host Service
Allow AirDrop Allow Any TCP [Destination* Port: 8770] Both directions.
Allow Airport Allow Any UDP [Destination* Port: 192] Both directions
Allow Kerberos Allow Any TCP & UDP [Remote Port: 88] Both directions
Allow outgoing DLP Allow Any TCP [Remote Port: 10443] Outgoing
Allow outgoing RDP Alow Any TCP [Remote Port: 3283] Outgoing
Allow outgoing JAMF Allow Remote IP TCP [Remote Port: 8443] Outgoing
Allow LDAP Allow Any TCP [Remote Port 389] Both directions
TCP [Remote Port 3268] Outgoing

*Using "destination port" will allow outgoing and incoming connections. If you want to allow outgoing connections only, use "remote port". To allow incoming connections only, use "local port"

Edit these existing rules in Mac Settings rules - changes in red:

Allow web traffic  Allow Any TCP & UDP [Remote Port: 80, 443] Outgoing - remove UDP
Allow Local File Sharing to private IP addresses Allow Any Add - UDP [Remote Port: 138] Outgoing

For allowing other applications, for example Perforce which uses TCP port 1666, explicitly add a rule like below  

Allow Perforce Allow Any TCP [Remote Port: 1666] Outgoing

References

TCP and UDP ports used by Apple software products