1. Firewall port access policy required by Symantec's official documentation for the SSC console to discover servers

Central management ports

Intel PDS Service
A Windows-based computer running a Symantec AntiVirus server installation runs the Intel PDS Service. Intel PDS listens for ping packets from servers. It responds with a pong packet containing information on how to communicate with RTVScan. Intel PDS listens on UDP port 38293 for ping packets. This value cannot be configured.

Other server-to-server communications
In server-to-server communication, the sending Symantec AntiVirus server picks a random port, starting at TCP 1025 and moving up from that point. From that point, traffic is returned on that random port. To allow communication to pass through a firewall or gateway, create rules to allow any port to accept TCP communication on 2967 and 38293 and to allow outbound TCP communication from ports 2967 and 38293:

TCP  Allow 2967 to *
UDP  Allow 38293 to *
TCP  Allow * to 2967
UDP  Allow * to 38293

----------------------------------------------------------------

Summary:
The provincial company servers are 10.193.30.22 and 10.193.30.23.

City servers any (or 0~65535) -----> provincial server tcp 2967
City servers any (or 0~65535) -----> provincial server udp 38293
Provincial server any (or 0~65535) -----> city server tcp 2967
Provincial server any (or 0~65535) -----> city server udp 38293
Provincial server any (or 0~65535) -----> city server tcp 80 (the tcp 80 rule is for the provincial administrator to view each city's antivirus report page)
City servers tcp 2967 -------> provincial server udp any (or 0~65535)
City servers udp 38293 -------> provincial server udp any (or 0~65535)
Provincial server tcp 2967 -----> city servers udp any (or 0~65535)
Provincial server udp 38293 -----> city servers udp any (or 0~65535)

Some firewalls (for example Check Point) place special restrictions on UDP packets: high UDP ports (UDP ports above 1024) must be named explicitly in a rule before they are allowed through; a plain "any to any" allow rule is not enough.

The UDP stateful inspection setting in Check Point's Global Properties may also need to be changed; refer to the figure below.
1. Log in to SmartDashboard, then Policy > Global Properties.
2. Stateful Inspection (the UDP setting referred to above).
3. Install the policy.
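The rule set above, encoded as an added example (not code from the Symantec documentation or from the original note) so that the request and reply packets of each flow in the summary can be checked against it. The city-server address and the ephemeral source ports are constructed sample values, and the strict UDP high-port mode is a simplified model of the Check Point caveat, not Check Point's actual matching logic.

```python
from dataclasses import dataclass

# Values taken from the note above; the city-server address and the
# ephemeral ports used in the checks are constructed sample values.
PROVINCIAL = {"10.193.30.22", "10.193.30.23"}
SAV_TCP = 2967          # Symantec AntiVirus server-to-server TCP port
PDS_UDP = 38293         # Intel PDS ping/pong port (not configurable)
REPORT_TCP = 80         # provincial admin viewing a city server's report page
EPHEMERAL_START = 1025  # the sending server picks a random port from here up


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def reply(flow: Flow) -> Flow:
    """The return packet of a flow: endpoints and ports swapped."""
    return Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)


def allowed(flow: Flow, strict_udp: bool = False,
            explicit_udp_ports: frozenset = frozenset()) -> bool:
    """Match one packet against the note's rules (no connection tracking).

    strict_udp models the Check Point caveat: a UDP packet to a high port
    (above 1024) passes only if that port is named in an explicit rule, so
    the "38293 to *" return rule alone is not enough.
    """
    if flow.proto == "tcp":
        if flow.dport == SAV_TCP or flow.sport == SAV_TCP:  # * to 2967, 2967 to *
            return True
        return flow.src in PROVINCIAL and flow.dport == REPORT_TCP
    if flow.proto == "udp":
        if flow.dport == PDS_UDP:                           # * to 38293
            return True
        if flow.sport == PDS_UDP:                           # 38293 to *
            if strict_udp and flow.dport > 1024:
                return flow.dport in explicit_udp_ports
            return True
    return False


def exchange_allowed(flow: Flow, **kw) -> bool:
    """True only if both the request and its reply pass the rule set."""
    return allowed(flow, **kw) and allowed(reply(flow), **kw)
```

Running `exchange_allowed` on a PDS ping with `strict_udp=True` shows why the Check Point deployment needs an explicit rule for the reply's high port: the outbound ping passes, but the pong back to the ephemeral port does not.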