Monitoring roaming Symantec Endpoint Protection clients from the Integrated Cyber Defense Manager (ICDm) cloud console

Roaming Symantec Endpoint Protection clients are the clients that connect to the management server only intermittently. Roaming clients access the Internet from different locations, such as airports, hotels, or other companies, where they are at higher risk. Symantec Endpoint Protection Manager provides on-network and off-network protection for these client computers using location awareness.
In 14.1 and earlier, roaming clients send critical events to the management server only when they are connected. As of 14.2, roaming clients automatically send critical events to the cloud console when they cannot connect to the management server. After the roaming client reconnects to the management server, it sends any new critical events to the management server, and the client is no longer considered to be roaming.
Use the list of critical events as a way to strengthen the security policies on the Symantec Endpoint Protection Manager. For example, suppose Employee1's client reports a higher number of denial-of-service attacks when Employee1 is located in a particular hotel. You can then create a location for that hotel and enable denial-of-service detection in the Firewall policy.
For more information, see:
Finding roaming clients and critical events
To find out which clients are roaming, look for the following items:
  • Whether the device is connected directly to the cloud console and not to the management server.
  • The location as defined in the Symantec Endpoint Protection Manager location awareness policy.
  • The external IP address of the client.
To find roaming clients and critical events:
  1. In the cloud console, go to Alerts and Events.
  2. On the Security Events tab, under Connection Type, click Cloud to display the events that the client sends to the cloud console.
     To display events that the management server sends, click Symantec Endpoint Protection Manager.
  3. Under Severity, click Critical.
     The cloud console filters and displays only the critical security events that the roaming clients detected.
  4. To find the location and external IP address, select the device and look for the Device Location entry.
What are the critical events that the cloud console displays?
The roaming client uploads the following security events to the cloud console:
  • Port scan events
  • MAC spoofing
  • Denial of service
  • Canary
  • IPS
  • Deception
  • Memory Exploit Mitigation
  • Host Integrity compliance
The roaming client uploads the following security events to the cloud console:
  • Antivirus
  • SONAR
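The following is an added example, not part of the Symantec documentation, that reproduces the console filter described above (Connection Type = Cloud, Severity = Critical) over constructed event records and then counts critical event types per device and location, the view you need to decide whether a location-specific policy (such as enabling denial-of-service detection for a hotel) is warranted. The record field names, severity values other than Critical, and the sample events are assumptions.

```python
from collections import Counter, defaultdict

# Security event categories the page lists as uploaded by roaming clients.
ROAMING_EVENT_TYPES = {
    "Port scan", "MAC spoofing", "Denial of service", "Canary", "IPS",
    "Deception", "Memory Exploit Mitigation", "Host Integrity compliance",
    "Antivirus", "SONAR",
}

# Constructed sample events. Field names are assumed; they are not the console's export format.
SAMPLE_EVENTS = [
    {"device": "Employee1-PC", "connection_type": "Cloud", "severity": "Critical",
     "event_type": "Denial of service", "location": "Hotel-A", "external_ip": "203.0.113.10"},
    {"device": "Employee1-PC", "connection_type": "Cloud", "severity": "Critical",
     "event_type": "Denial of service", "location": "Hotel-A", "external_ip": "203.0.113.10"},
    # Non-critical: excluded by the Severity filter ("Major" is an assumed value).
    {"device": "Employee1-PC", "connection_type": "Cloud", "severity": "Major",
     "event_type": "Port scan", "location": "Hotel-A", "external_ip": "203.0.113.10"},
    # Reported via the management server: the client is on-network, not roaming.
    {"device": "Employee2-PC", "connection_type": "Symantec Endpoint Protection Manager",
     "severity": "Critical", "event_type": "IPS", "location": "Office", "external_ip": "192.0.2.5"},
    {"device": "Employee1-PC", "connection_type": "Cloud", "severity": "Critical",
     "event_type": "Port scan", "location": "Airport-B", "external_ip": "198.51.100.7"},
]


def roaming_critical_events(events):
    """Mirror the console filter: events sent to the cloud console with Critical severity."""
    return [e for e in events
            if e["connection_type"] == "Cloud" and e["severity"] == "Critical"
            and e["event_type"] in ROAMING_EVENT_TYPES]


def events_by_location(events):
    """Count critical event types per (device, location) for roaming clients."""
    counts = defaultdict(Counter)
    for e in roaming_critical_events(events):
        counts[(e["device"], e["location"])][e["event_type"]] += 1
    return {key: dict(c) for key, c in counts.items()}


def locations_needing_policy(events, event_type, threshold):
    """Return (device, location, external_ip) for locations where event_type hits threshold."""
    seen = {}
    for e in roaming_critical_events(events):
        if e["event_type"] == event_type:
            seen[(e["device"], e["location"], e["external_ip"])] = \
                seen.get((e["device"], e["location"], e["external_ip"]), 0) + 1
    return sorted(k for k, n in seen.items() if n >= threshold)
```

Running `locations_needing_policy(SAMPLE_EVENTS, "Denial of service", 2)` flags Employee1-PC at Hotel-A, the case the page uses to motivate a hotel-specific location in the Firewall policy.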