Creating a firewall policy
Symantec Endpoint Protection includes a default Firewall policy with default firewall rules and default firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.
When you install the console for the first time, it adds a default Firewall policy to each group automatically.
Every time you add a new location, the console copies a Firewall policy to the default location automatically. If the default protection is not appropriate, you can customize the Firewall policy for each location, such as for a home site or customer site. If you do not want the default Firewall policy, you can edit it or replace it with another shared policy.
When you enable firewall protection, the policy allows all inbound IP-based network traffic and all outbound IP-based network traffic, with the following exceptions:
The default firewall protection blocks inbound and outbound IPv6 traffic with all remote systems.
IPv6 is a network layer protocol that is used on the Internet. If you install the client on the computers that run Microsoft Vista, the list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.
The default firewall protection restricts the inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing).
Internal network connections are allowed and external networks are blocked.
Table: How to create a firewall policy describes the tasks that you can perform to configure a new firewall policy. You must add a firewall policy first, but thereafter, the remaining tasks are optional and you can complete them in any order.
Table: How to create a firewall policy
Add a firewall policy
When you create a new policy, you give it a name and a description. You also specify the groups to which the policy is applied.
A firewall policy is automatically enabled when you create it, but you can disable it if you need to.
See Enabling and disabling a firewall policy.
Create firewall rules
Firewall rules are the policy components that control how the firewall protects client computers from malicious incoming traffic and applications. The firewall automatically checks all incoming packets and outgoing packets against these rules. It allows or blocks the packets based on the information that is specified in the rules. You can modify the default rules, create new rules, or disable the default rules.
When you create a new Firewall policy, Symantec Endpoint Protection provides default firewall rules.
The default firewall rules are enabled by default.
See Setting up firewall rules.
Enable and customize notifications to users that access to an application is blocked
You can send users a notification that an application that they want to access is blocked.
These settings are disabled by default.
See Notifying the users that access to an application is blocked.
Enable automatic firewall rules
You can enable the options that automatically permit communication between certain network services. These options eliminate the need to create the rules that explicitly allow those services. You can also enable traffic settings to detect and block the traffic that communicates through NetBIOS and Token Ring.
Only the traffic protocols are enabled by default.
See Automatically allowing communications for essential network services.
If the Symantec Endpoint Protection client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking computer for a set period of time. The IP address of the attacking computer is blocked for a single location.
This option is disabled by default.
See Automatically blocking connections to an attacking computer.
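The following is an added example, not Symantec's code: a small Python model of how the default exceptions described above (IPv6 blocked, restricted inbound file-sharing protocols, internal allowed and external inbound blocked) combine with a time-limited Active Response block. The internal address ranges, the restricted port list, and the interpretation of "external networks are blocked" as inbound-only are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time

# Constructed model of the default policy; assumed corporate ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Inbound ports for the restricted file-sharing protocols (assumed: NetBIOS/SMB).
RESTRICTED_INBOUND_PORTS = {139, 445}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    inbound: bool   # True = packet arrives at the client computer

def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

class Firewall:
    def __init__(self, active_response_seconds: int = 600):
        self.block_until = {}           # attacker IP -> expiry timestamp
        self.ar_seconds = active_response_seconds

    def active_response(self, attacker: str, now=None):
        """Block all traffic to and from the attacker for a set period."""
        now = time.time() if now is None else now
        self.block_until[attacker] = now + self.ar_seconds

    def decide(self, p: Packet, now=None) -> str:
        now = time.time() if now is None else now
        peer = p.src if p.inbound else p.dst
        # 1. Active Response: the attacking computer is blocked in both directions
        #    until the block expires.
        if self.block_until.get(peer, 0) > now:
            return "block:active-response"
        # 2. Default rules block IPv6 traffic with all remote systems.
        if ip_address(peer).version == 6:
            return "block:ipv6"
        # 3. Inbound connections for file-sharing protocols are restricted.
        if p.inbound and p.dport in RESTRICTED_INBOUND_PORTS:
            return "block:restricted-inbound"
        # 4. Internal connections allowed; inbound from external networks blocked
        #    (assumed reading of the page). All other IP traffic is allowed.
        if p.inbound and not is_internal(peer):
            return "block:external"
        return "allow"
```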
Configure protection and stealth settings
You can enable settings to detect and log potential attacks on the client and block spoofing attempts.
See Detecting potential attacks and spoofing attempts.
You can enable the settings that prevent outside attacks from detecting information about your clients.
See Preventing stealth detection.
All of the protection options and stealth options are disabled by default.
Integrate the Symantec Endpoint Protection firewall with the Windows firewall
You can specify the conditions under which Symantec Endpoint Protection disables the Windows firewall. When Symantec Endpoint Protection is uninstalled, it restores the Windows firewall setting to the state it was in before Symantec Endpoint Protection was installed.
The default setting is to disable the Windows firewall once only and to turn off the message that says the Windows firewall is disabled.
See Disabling the Windows firewall.
Configure peer-to-peer authentication
You can use peer-to-peer authentication to allow a remote client computer (peer) to connect to another client computer (authenticator) within the same corporate network. The authenticator temporarily blocks inbound TCP and UDP traffic from the remote computer until the remote computer passes the Host Integrity check.
You can view and enable this option only if you install and license Symantec Network Access Control.
This option is disabled by default.
See Configuring peer-to-peer authentication.
See Managing firewall protection.
See Best practices for Firewall policy settings.
See Editing a policy.