
Allow users to modify firewall policies for each location based on company's base rules

Created: 28 Jan 2008 • Updated: 21 May 2010 | 5 comments

Please forgive me if this information has already been posted somewhere.  I just don't see it.  A nudge in the right direction would be helpful.

My question is how to allow all users to have control over firewall settings BUT have a base set of rules distributed (and updated without overwriting custom rules by the user).  These are technically inclined people who at times need to open ports up.

I've got this partially working.  Take this for example-

I've got a client with three location types:

1) Connected locally to their domain (only)
2) Connected to their domain (either locally or via VPN) and connected to another subnet (one of their client's networks).  This would be either when
    a) They're connected locally in the office to the domain by VPN out to one of their clients or
    b) They're connected at one of their clients or at a hotspot and VPN back into their own network
3) Hotspot / Client location (no access to their domain)

We've got different firewall settings for each location, and they seem to work (mostly) as we want.  The problems will be a topic of a separate thread...

I've got the Client User Interface Control Settings set to mixed control for all locations, with the ability to manage firewall set to client.

No matter which location a user is connected to, their firewall, in unedited form, has 4 lines (Allow NDISUIO.SYS, Allow RDP, Block IPv6 over IPv4, and Allow All).  We didn't set these up, and the 3 different firewall policies that we have for each location are not reflected.  Has anyone else experienced this or know what the problem may be?

We need to distribute a base set of rules and then let the user go from there on a location-by-location basis.

The second part of this question is what would happen with updates once we get this working correctly.  Take, for example, a rule that blocks all incoming IP traffic (except for those previously allowed).  A user opens up access to port 12345 from IP address 1.2.3.4, which would ordinarily have been blocked by the generic block-all rule.  This should work fine.  If on a company basis they decide to specifically close port 12345 and remove the "block all other incoming" rule after the user has already specifically allowed 1.2.3.4 through, would the user's allow override for IP 1.2.3.4?

Thanks.



Message Edited by weinberk on 01-28-2008 01:32 PM

Message Edited by weinberk on 01-28-2008 01:33 PM
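The precedence question in the post (does a user's allow for 1.2.3.4 survive a later company rule that blocks port 12345?) comes down to where the client-side rules sit relative to the server-side rules in a first-match list. The following is an added, constructed illustration written for this page; it is not Symantec's rule engine and makes no claim about how SEP merges server and client rules. It models a generic first-match packet filter, builds the two company policy versions and the user rule from the post, and shows that the outcome flips depending on whether user rules are evaluated before or after the server rules. The rule names, the 5.6.7.8 "other" source, the port 22 probe and the "allow when nothing matches" default are all assumptions made for the example.

```python
"""Constructed first-match packet-filter model (not SEP's engine) showing how
the order in which server and user rules are merged decides the outcome."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    direction: str = "any"      # "in", "out" or "any"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None matches any port
    src: Optional[str] = None   # source address or CIDR; None matches any source

    def matches(self, pkt: dict) -> bool:
        if self.direction != "any" and self.direction != pkt["direction"]:
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.port is not None and self.port != pkt["port"]:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict, default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins. `default` (assumed 'allow' here) applies when
    no rule matches, which is exactly what happens once a block-all rule is removed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "<no rule matched: default>"


def merge(server: List[Rule], user: List[Rule], user_first: bool) -> List[Rule]:
    """Combine the distributed base policy with the user's own rules in one of
    the two possible orders."""
    return user + server if user_first else server + user


# Constructed rule sets mirroring the scenario in the post.
SERVER_V1 = [Rule("company: block all inbound", "block", "in")]
SERVER_V2 = [Rule("company: block inbound tcp/12345", "block", "in", "tcp", 12345)]
USER = [Rule("user: allow tcp/12345 from 1.2.3.4", "allow", "in", "tcp", 12345, "1.2.3.4/32")]

# Constructed test packets: the user's partner host, a stranger on the same
# port, and a stranger on an unrelated port.
PKT_PARTNER = {"direction": "in", "proto": "tcp", "port": 12345, "src": "1.2.3.4"}
PKT_OTHER = {"direction": "in", "proto": "tcp", "port": 12345, "src": "5.6.7.8"}
PKT_SSH = {"direction": "in", "proto": "tcp", "port": 22, "src": "5.6.7.8"}


def outcomes() -> dict:
    """Decision for every (policy version, merge order, packet) combination."""
    result = {}
    for sname, server in (("v1", SERVER_V1), ("v2", SERVER_V2)):
        for order in ("user_first", "server_first"):
            rules = merge(server, USER, user_first=(order == "user_first"))
            for pname, pkt in (("partner", PKT_PARTNER), ("other", PKT_OTHER), ("ssh", PKT_SSH)):
                result[(sname, order, pname)] = evaluate(rules, pkt)[0]
    return result


if __name__ == "__main__":
    for key, action in sorted(outcomes().items()):
        print(key, "->", action)
```

Reading the output: with user rules evaluated first, the user's allow for 1.2.3.4 wins under both policy versions; with server rules first, it never does, even against the original block-all policy. Note also that dropping the block-all rule in v2 leaves port 22 open to everyone under the assumed allow default, which is the side effect to watch for when a company replaces a catch-all block with port-specific blocks.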

Comments (5)

grettir:

Did you ever find a solution for this?  I'm experiencing the exact same issue: 4 bizarre default lines in the firewall rules, and no ability to add/remove/change them.

weinberk:
Nope - I never heard anything back here and my call to Symantec was utterly useless as well. 
 
Surely we're not the only people experiencing this.  I just wish that the Symantec moderators will take the time to reply and either set up a case or point us in the right direction.
 
v11.0.1000.1375 is no better than the initial release.  Slow systems (even new PCs with 4 GB RAM).  Server performance is abysmal even with dual and quad processors and 16 GB RAM.  What a mess.  I just wish there was something better out there that included managed firewall and AV settings and we'd jump ship.  Any recommendations?
 
 
grettir:

It turns out that "Configure Firewall Rules" will only show you the user-specified firewall rules.  (In our case, a default set of four.)  In order to see the "global" firewall rules you have to go to: Status | Network Threat Protection | Options | View Network Activity | Tools | View Firewall Rules.

How's that for intuitive!  (Well, I guess it's just as intuitive as the fact that you have more options for changing settings from the "Status" page than you do from the "Change Settings" page.)

Also, "global" firewall rule changes are only reflected after a reboot.  Simply choosing "Update Policy" on the client isn't enough.

Next on my list: I haven't yet figured out how to alter that default set of four user-specified rules.

And after that: why are Mixed Mode clients ignoring the "Enable NetBIOS protection" checkbox and "Tamper Protection" policy settings?

weinberk:
I went to Status -> Network Threat Protection Options -> View Network Activity to bring up the "Network Activity" window.  Under the Tools menu there, I only have:
"Test Network Security"
 
I don't have the option for "View Firewall Rules."  I've tried this both with Client Control and Server Control set from the server console.

Grettir, what version are you running?  Settings to get the global rules to show?  Are you able to modify the global rules after you see them on the client?  Do the default user rules override the globals, or is it the other way around?
 
THANKS!
kohlehydrat:

I don't have the option of viewing the firewall rules under Tools | Network Security either, and I also have the same four initial, global, unchangeable rules.  Additionally, my restriction settings for individual applications (under "View Application Settings") do not take permanently; they are lost regularly and definitely after each reboot.

Any help with this appreciated.