Screencasts - Hilfsvideos

SEP 12.1 don't disable Windows Firewall entirely

Created: 23 Jan. 2013 | 9 Kommentare
das Bild der JFinnhults


I stumbled upon this error the other week at a customer. They had problems running GPRESULT on remote machines with SEP 12.1. All their machines have NTP enabled so it was easy for them to first blame that. To my knowledge NTP doesn't deny that kind of traffic. I tried to disable NTP without result. When clicking around a bit I found that Windows Firewall seemed to be enabled although we'd disabled it through SEP policy.

According to this article this is an expected behavior and shouldn't do any harm.

Advanced Settings for Windows 7 Firewall indicate that it is on, even when Symantec Endpoint Protection (SEP) Network Threat Protection (NTP) is installed

According to me this is exactly what's creating my problem!

When I disable Windows Firewall through the Advanced Firewall Settings I suddenly can do all sorts of GPRESULT on remote machines. Please note that we have made the settings in SEP Firewall Policy to Always Disable Windows Firewall.

This is what the "standard" Firewall Status originally shows

This is what the Windows Firewall with Advanced Security shows

Now I click on Windows Firewall Properties to really turn off Windows Firewall (this is easier done on larger scale through GPO)

This is how you'd want the Windows Firewall with Advanced Security to look like

Happy GPRESULT'ing!

Kommentare KommentareZum neuesten Kommentar

das Bild der Brɨans

You should open a case with Symantec on this.

You may be surprised to find this could be blocked.

What I would do is create a rule called Deny_All but set the traffic to Allow. Than move it to the bottom of the rule set. Run gpresult and monitor your log to see what is going on.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

das Bild der SebastianZs

- Do you have any windows group policy specifying that the windows firewall should be on?

- please check in firewall policy on SEPM - what option is selected for disabling the windows firewall:

...default option here is "disable once only" - so in case machine gets rebooted and any GPO Policy comes in that reenables the firewall - SEP won't be forcing on disabling it again.

das Bild der JFinnhults

SebastianZ: As I wrote in my first post we have a SEP Firewall Policy set to Always Disable Windows Firewall. I understand that a GPO could re-enable the Windows Firewall every cycle of GPUpdate if having that setting. But this behavior is also true for a workgroup-computer without GPO.

Brian81: What do you mean by "You may be surprised to find this could be blocked"? The SEP Firewall in it's standard setting evidently do not block this traffic, it's the Windows Firewall...

das Bild der SebastianZs

Do you see his problem only on windows 7?

What is the exact version of 12.1 clients?

das Bild der JFinnhults

I have only seen this on Windows 7, haven't tested it on XP/Vista.

The customer runs SEP 12.1 RU1 and apply policys in Server Mode. I managed to replicate the behavior on SEP 12.1 RU2 running policys in Mixed Mode. So neither version nor policy-mode seems to impact.

das Bild der SebastianZs

Did some documenation digging - the article TECH123729 is right on one point = this is default and expected bahaviour for 12.1 in windows 7 and above - the reason for it is that Windows Firewall with Advanced Security do include the IPSec component - if you disable the Windows Firewall you are disabling IPSec as well - SEP is then not disabling the Firewall completely but only taking it over and leaving IPSec "on" and working.

I remember there where some complains on other 3rd party firewall software Forum that theirs Firewall disabled Windows Firewall completely and with this the IPSec Rules were not working any more. The current design in SEP prevents that from occuring.

Is it is possible then that the IPSec rules have some impact on the GPResult functionality in your case?

das Bild der JFinnhults

I really can't say, but it's an interesting angle to investigate. This might be an issue to consider before proceeding with my "work-around"!

Thanks for your effort SebastianZ

das Bild der ArvindSindhus

We ate facing exactly the same issue, & on policy we have set SEP to Disable windows firewall every time. So under profiles in windows firewall everything is disabled, but Windows firewall service is running. So we are trying to push SCCM 2012 client on these machines, but is failing because of this, but if I manually disable the windows firewall, it how's well, so SEP is not actually disabling windows firewall. Pls suggest a workaround.


Arvind Sindhu

SA – Enterprise Infrastructure Services| Sapient Consulting Pvt. Ltd.


das Bild der JFinnhults

Have you tried to turn of Windows Firewall with Advanced Security through GPO? Don't stop the service, I think the service has to be turned on.

You find the setting here: Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Windows Firewall Properties. Change Domain Profile, Private Profile and Public Profile to Off.