Norton Firewall reporting inbound Activity

NIS 2012 v 19.8.0.14

 

Ok I noticed an inbound Firewall activity on the norton Firewall Log.

 

I use a router and was under the impression that there should be no inbound firewall activity logged.

 

Here is the notification. I "x" out some parts just in case it would disclose too much information

the 192.168 item is not the assigned 192.168.x.x  for my PC or my router

 

Activity   Rule "Default Block UPnP Discovery" stealthed (192.168.x.x  port SSDP 1900)

 

                Inbound UDP packet

 

Local Address Service is (239.255.2xx.2xx, port ssdp (1900)  )

 

Remote address service is (192.168.x.x  port 52xxx)

 

Process Name C:\Windows\System32\svchost.exe

 

So I thought with a router I am not suppose to see any inbound  connections?

1. Is this entry saying inmbound was BLOCKED?

 

2. Any one help me understand why a connection was even shown since I have a router?

 

Thanks in advance

NIS 2012 v 19.8.0.14

 

Ok I noticed an inbound Firewall activity on the norton Firewall Log.

 

I use a router and was under the impression that there should be no inbound firewall activity logged.

 

Here is the notification. I "x" out some parts just in case it would disclose too much information

the 192.168 item is not the assigned 192.168.x.x  for my PC or my router

 

Activity   Rule "Default Block UPnP Discovery" stealthed (192.168.x.x  port SSDP 1900)

 

                Inbound UDP packet

 

Local Address Service is (239.255.2xx.2xx, port ssdp (1900)  )

 

Remote address service is (192.168.x.x  port 52xxx)

 

Process Name C:\Windows\System32\svchost.exe

 

So I thought with a router I am not suppose to see any inbound  connections?

1. Is this entry saying inmbound was BLOCKED?

 

2. Any one help me understand why a connection was even shown since I have a router?

 

Thanks in advance

Thanks Bomb

But is this entry saying the internal attempt was blocked?

Yes, you probably have your Norton network security level set to "Protected"  which is a level above that of Windows and/or your router settings for uPnP, so it simply doesn't allow that traffic. There is no security problems with this; on the contrary, there is a theoretical benefit of not allowing it (although this can also be accomplished by disabling the uPnP and SSDP Discovery services completely, and turning off uPnP in the router settings - I have, for example - if you know you don't need those features).

 

This happened when you had NIS 2011 installed as well. I don't remember the logging capabilities of NIS 2011, but it is quite possible that they were expanded with the 2012 version. I remember the 2011 version having much improved logging compared to 2010, for example.

 

If Norton logged every little piece of network traffic, the log would fill up in hours with a router, in minutes without.

Hi Calls,

 

As Bomabastus said, this is local traffic on your own network behind the router, not internet traffic that the router would block.  The types of local traffic allowed by the Firewall will depend on whether you use sharing on your network, which will determine how Norton configures the  network trust level in the Network Security Map.  What you are seeing would indicate a Shared network, where protocols enabling devices on your local network to communicate with each other are allowed.  If you do not have other devices, or you wish to isolate your PC from them, use the Network Security Map to set the network trust level to Protected (LAN traffic subject to same firewall rules as internet traffic) or Restricted (no communication at all).


SendOfJive wrote:

Hi Calls,

 

What you are seeing would indicate a Shared network, where protocols enabling devices on your local network to communicate with each other are allowed


 

I would say it indicates a Protected network, since the traffic is being blocked by Norton. More likely, it is uPnP turned on in the router or the SSDP Discovery Service initiating the traffic. On a Shared Network, Norton would have allowed it, not blocked it.

Thanks all

I’m assuming that the rule saying “Default Block UPnP Discovery” means that the attempt to discover was blocked? Not sure what the stealthed part meant though


Bombastus wrote:
I would say it indicates a Protected network, since the traffic is being blocked by Norton.

Yes, you are right...that is what I meant.  Thanks for clarifying that.

 

well I think I Stumbled upon the answer, or at least part of the answer.

The 192.168.x.x (I left out those 2 numbers on purpose) is actually assigned to my PS3 which I had connected to my router wirelessly. When I look at the PS3 internet connection settings, it shows UPnP as enabled. Now I diasble the internet connection for the PS3 unless I’m specifically playing someone online. I tried an experiment and enabled the internet connection on the PS3. At that same time my Norton Firewall shows inbound attempts as I noted in the first post here. I think that is why that log entry only showed around the same time as PS3 was internet.
Does that make sense?


Calls wrote:
Does that make sense?

Yes, that is exactly the situation that Bombastus and I were describing earlier.