SEDR logs show connections towards URL "central.crsi.symantec.com"

Article ID: 219711


Products

Endpoint Detection and Response

Issue/Introduction

When troubleshooting issues with SEDR, you might notice that some SEDR logs (for example "error.log") contain events for connections to the URL "central.crsi.symantec.com", similar to this one:

2021/05/10 09:09:04 [error] 3574#3574: *47757334 connect() failed (111: Connection refused) while connecting to upstream, client: <Client IP>, server: <SEPM IP>, request: "GET /AVIS/getSampleStatus HTTP/1.1", upstream: "http://<SEPM IP>:8009/AVIS/getSampleStatus", host: "central.crsi.symantec.com"

 

This URL is not listed among the URLs that must be allowed for SEDR to work properly:

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html

However, it is listed among the Submissions URLs that must be allowed for the SEP clients:

https://knowledge.broadcom.com/external/article/154433/required-exclusions-for-proxy-servers-to.html

Cause

This is expected behavior. The SEP endpoint communicates with SEDR using the URL "central.crsi.symantec.com"; SEDR then terminates this connection and submits directly to our configured upstream server, "central.b6.crsi.symantec.com".

Resolution

This is expected behavior which doesn't need further investigation.
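
The following Python example is added here and is not from the original article or from Broadcom. It parses "error.log" lines in the format of the sample above and separates entries whose host field is exactly "central.crsi.symantec.com" from everything else, so only the remainder is left for review. The field layout is an assumption inferred from that one sample line, and the IP addresses and the other host names are constructed.

```python
import re

# Host name the article identifies as expected in SEDR logs.
EXPECTED_HOST = "central.crsi.symantec.com"

# Line layout inferred from the article's single sample line (assumption).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: (?:\*\d+ )?(?P<message>.*)$')
# Trailing fields: client: x, server: y, request: "...", upstream: "...", host: "..."
FIELD_RE = re.compile(
    r'\b(?P<key>client|server|request|upstream|host): (?P<val>"[^"]*"|[^,]+)')

def parse_line(line):
    """Return the fields of one error.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"]}
    for f in FIELD_RE.finditer(m["message"]):
        rec[f["key"]] = f["val"].strip('"')
    return rec

def triage(lines):
    """Split records into (expected per the article, needs review)."""
    expected, review = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an nginx error.log entry
        # Exact match only, so a look-alike host that merely starts with
        # the expected name is not silently dismissed.
        if rec.get("host", "").lower() == EXPECTED_HOST:
            expected.append(rec)
        else:
            review.append(rec)
    return expected, review

# Constructed sample lines (documentation IPs and host names, not real log data).
_TAIL = ('client: 192.0.2.10, server: 192.0.2.20, '
         'request: "GET /AVIS/getSampleStatus HTTP/1.1", '
         'upstream: "http://192.0.2.20:8009/AVIS/getSampleStatus", host: "%s"')
_HEAD = ('2021/05/10 09:09:04 [error] 3574#3574: *47757334 connect() failed '
         '(111: Connection refused) while connecting to upstream, ')
SAMPLE = [_HEAD + _TAIL % h for h in (
    EXPECTED_HOST, EXPECTED_HOST + ".example.test", "other.example.test")]
SAMPLE.append("free-form text that is not a log entry")

if __name__ == "__main__":
    ok, todo = triage(SAMPLE)
    print(len(ok), "expected;", [r["host"] for r in todo], "to review")
```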