
How to Block a Range of IP Addresses (Subnets) Using a Symantec Endpoint Protection Firewall Rule

Created: 15 Dec 2009 • Updated: 15 Dec 2009 | 9 comments
Rafeeq's picture


Sometimes we might want to block IP address ranges using firewall rules.

For example, you might want to use specific firewall policies just for IPs from 10.0.0.1 to 10.0.0.220.

The existing default firewall policies do not allow you to add multiple IP addresses.

We get just one IP address to add.

To use a custom IP range in firewall rules, you need to create HOST GROUPS.

 

HOST GROUPS in simple terms

--------------------------------------------

 

A host group is a collection of DNS domain names, DNS host names, IP addresses, IP ranges, MAC addresses, or subnets that are grouped under one name so that you don't need to add IPs individually.

 

ADDING HOST GROUPS (Step 1)

-------------------------------------------

In the console, click Policies.

 

Expand Policy Components, and then click Host Groups.

 

Under Tasks, click Add a Host Group.

 

In the Host Group dialog box, type a name, and then click Add.

 

In the Host dialog box, in the Type drop-down list, select one of the following hosts:

 

IP range

 

Enter the information for each host type.

Click OK.

Click OK.

 

Using Host Groups in Firewall Policy

--------------------------------------------------

Once you have created host groups:

Open the console and click Policies

Select the Firewall policy

Select Rules

Create a blank rule

I named it Block IP Range

Double-click on the Host (by default it will be Any)

Now you will see the host group that you added in Step 1

Define the host relationship

Select whether you want to define it as local/remote or as source/destination

 (Source/Destination is dependent on the direction of traffic. In one case the local client computer might be the source, whereas in another case the remote computer might be the source.)

 (Local and remote: the local host is always the local client computer, and the remote host is always a remote computer.)

Check the host group

Click Ok

Select the action as Block

Click Ok

Click Ok

Apply the policy

That's it; the rule should now be in effect for that particular IP range.
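A host group entry can be an IP range or a subnet, and the two do not cover the same addresses for a range like 10.0.0.1 to 10.0.0.220. The following is an added example, not part of the original article: it uses only Python's standard `ipaddress` module, and the function names and test addresses are constructed for illustration. It shows the exact subnets that make up the range and what a single wider subnet entry would block in addition.

```python
import ipaddress


def range_to_subnets(first, last):
    """Return the smallest list of CIDR subnets covering exactly first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("range must be ordered and use one IP version")
    return list(ipaddress.summarize_address_range(lo, hi))


def in_range(addr, first, last):
    """True if addr lies inside the inclusive range first..last."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last)


def overblocked(first, last, subnet):
    """Addresses a single subnet entry would match outside the intended range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(a) for a in ipaddress.ip_network(subnet) if not lo <= a <= hi]


if __name__ == "__main__":
    FIRST, LAST = "10.0.0.1", "10.0.0.220"  # the range used in the article

    # Equivalent subnet entries, if the host group is built from subnets
    # instead of one "IP range" entry.
    for net in range_to_subnets(FIRST, LAST):
        print(net)

    # Constructed test addresses: confirm the rule scope before applying it.
    for addr in ("10.0.0.1", "10.0.0.220", "10.0.0.221", "10.0.1.5"):
        print(addr, "blocked" if in_range(addr, FIRST, LAST) else "not in range")

    # A single 10.0.0.0/24 entry is simpler but blocks extra hosts.
    extra = overblocked(FIRST, LAST, "10.0.0.0/24")
    print(len(extra), "extra addresses, e.g.", extra[:3])
```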

 

Hope this was helpful.

 

 

 

Comments

Fatih Teke's picture

It is easy to use and very helpful.
Thank you.

 Everything works better when everything works together.

AravindKM's picture

Good one. Simple steps in simple language.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

MiRzA's picture

Really good one, but which type of traffic will it block?

And I am confused by the source and destination or local and remote options. Can anyone explain it?

meraj2k's picture

Hi,
I want to block the source from where the virus threats are coming from.

Is there a way that I can do that in our SEPM?

Most of the time our SEPM clients are getting threats such as w32.downadup, Infostealer, trojan horse, W32.Spybot.Worm, M.p.jpg, winxp.jpb and others.

Thanks,

Meraj

mtju's picture

Nice article! Has anyone tried this?

I imagine that if the list becomes too large it would greatly impact client performance. Wondering how low the list of hosts/IPs/subnets people have set up before they noticed a degradation in client performance.

blackvirus009's picture

 

Guys, I have a question.

I have monitored the Network Threat Protection logs and viewed the full report. In that report I saw that some IPs are attacking my web server. My web server is connected to my LAN, and there is another NIC card installed on it, and from there it is connected to the WAN (with a live IP).

The question is: what are the corrective and preventive actions that I can perform so that these attacks are stopped?

Also, how can I block IPs in SEPM?
