
To block website through firewall

Created: 03 Jul 2009 • Updated: 21 May 2010 | 13 comments
ajeet kumar's picture
This issue has been solved. See solution.

How to block website through firewall policy?


Ajju's picture

You need to use a web filtering product to restrict your users from browsing. With this you can allow only sites approved by your organisation.

Symantec Endpoint Protection is only a desktop product, used to protect:
                    1) Local files and folders
                    2) Application and Device Control
                    3) Network Threat Protection (NTP provides firewall and intrusion prevention protection to prevent intrusion attacks and malicious content from reaching the computer. The firewall allows or blocks network traffic based on various criteria that the administrator or end user sets.)

Sandeep Cheema's picture

These docs are gonna take you through it.

Through IPS:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008070803545448

Through NTP:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/6e23ee65720a6667ca25754d001a0b2b?OpenDocument

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Ajit Jha's picture

Hi, you can create a firewall rule using Host Rule. There you can list the DNS domain, like google.com, and the rule should be from the source to the destination, where the source will be your PCs for which you want to block the site access and the destination will be the websites.

Ajit

Regards

Ajit Jha

Technical Consultant

ASC & STS

PGA_CR's picture

I think this is the document that you need. Obviously, I think that better ways (a proxy) exist to do it.
Here is a document: "How to Restrict Users to Specific Web Sites by Creating Firewall Rules for Managed Clients"

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/6e23ee65720a6667ca25754d001a0b2b?OpenDocument
Remember, this works only for specific URLs; to make a kind of filter you will need a proxy or similar tool.

Please let me know if it works! It should!

JPG.

ajeet kumar's picture

Thank you, all of you.
I tried Ajit Jha's and PGA_CR's steps, but the client is still able to open the blocked site. In this environment a Squid proxy is already running, but I want to block through SEP.

Vikram Kumar-SAV to SEP's picture

Websites can be blocked using the NTP firewall: create a rule for Host and select DNS domain.
Then give the website that you need to block.
The clients should have NTP installed and enabled.
Then check if the policy is getting updated.
Once the policy updates, that website will be blocked.
I have blocked at least hundreds of websites using the Firewall Rule.

For reference you can check the docs posted by Sandeep and PGA_CR above.
If your website is still not getting blocked, that means you are doing something wrong in the configuration, or the clients don't have NTP, or they are not updating the policies.
 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ajeet kumar's picture

The client has NTP and it's enabled; the policy serial number is also updating. I am doing the same steps as given in the document.

Ajju's picture

Hi Ajeet,

Do you need to block entire Browsing for users?

Sandeep Cheema's picture

If you move the rule to the top, does it make a difference?

ajeet kumar's picture

Hi Ajju, I want to block only some sites.

Hi Sandeep, what does top mean? Please clarify.

Sandeep Cheema's picture

Top of all the rules; they're processed sequentially.

Ajju's picture

If you need to block only some websites, then create a rule in IPS using "Add a Custom Intrusion Prevention Signatures" to block them.

Steps to add a signature to block:

1) In the SEPM console, in the system navigation bar, click Policies.
2) In the View Policies navigation bar, select Intrusion Prevention.
3) In the Tasks list, click Add a Custom Intrusion Prevention Signatures.
4) In the Custom Intrusion Prevention Signatures window, set the Name of the policy to Block Yahoo (just an example; you can choose the website that you need to block).
5) Under the Signature tab, in the Signature Groups section, click Add.
6) In the Intrusion Prevention Signature Group dialog, add Group Name and Description, and then click OK.
7) Highlight the newly created Signature Group (Block Yahoo), then in the Signature for this Group section, click Add.
8) In the Content section add the following text:

rule tcp, dest=(80), msg="YAHOO BLOCKED", content="www.yahoo.com"

9) Under the Action section, select Block and click OK to close the Add Signature window.
10) Click OK to close the Custom Intrusion Prevention Signatures window.
11) Once the signature is created, assign it to a test group and verify.

Note: if you block www.yahoo.com and you browse the Yahoo site at in.yahoo.com, the in.yahoo.com page will open.

So do not be under the wrong impression that the signature was created to block the Yahoo page but you are still able to browse.

SOLUTION
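
An added example, not part of any post in this thread and not Symantec's engine: a simplified Python model of the signature above that shows why www.yahoo.com is blocked while in.yahoo.com still opens, and what a shorter content string would also catch. It assumes the content field is a plain byte-substring match on the TCP payload; the function names and sample requests are constructed for illustration.

```python
import re

def parse_rule(text):
    """Parse only the fields used in the thread's signature: protocol, dest, msg, content."""
    m = re.match(r'\s*rule\s+(\w+)\s*,(.*)$', text)
    if not m:
        raise ValueError("not a rule line")
    rule = {"proto": m.group(1).lower(), "dest": set(), "msg": "", "content": b""}
    # Values are a (port list), a "quoted string", or a bare token.
    for key, val in re.findall(r'(\w+)\s*=\s*(\([^)]*\)|"[^"]*"|[^,\s]+)', m.group(2)):
        if key == "dest":
            rule["dest"] = {int(p) for p in val.strip("()").split(",") if p.strip()}
        elif key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "content":
            rule["content"] = val.strip('"').encode()
    return rule

def matches(rule, proto, dport, payload):
    """Assumed model: protocol and destination port match, content is a substring of payload."""
    return (proto == rule["proto"] and dport in rule["dest"]
            and rule["content"] in payload)

def http_get(host, path="/"):
    """Constructed plain-HTTP request used as sample payload."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

THREAD_RULE = parse_rule('rule tcp, dest=(80), msg="YAHOO BLOCKED", content="www.yahoo.com"')
BROADER_RULE = parse_rule('rule tcp, dest=(80), msg="YAHOO BLOCKED", content="yahoo.com"')

# Constructed sample traffic; search.example is a placeholder host.
SAMPLES = {
    "www": http_get("www.yahoo.com"),
    "in": http_get("in.yahoo.com"),
    "other": http_get("search.example", "/?q=yahoo.com"),
}

def coverage(rule):
    """Which constructed requests to port 80 the rule would flag."""
    return {name: matches(rule, "tcp", 80, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("thread rule", THREAD_RULE), ("broader rule", BROADER_RULE)):
        print(label, coverage(rule))
```

The shorter string covers both Yahoo hosts but also flags the unrelated request that merely mentions yahoo.com in its URL, so test a broadened signature on a pilot group before wide assignment.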
NTC's picture

Hi everyone!!!

Thanks for the information, it worked!!! I just have a doubt: I created a custom IPS rule and assigned it to a specific group. However, I have some location rules in that group and I see that this rule is applied in all my locations. Is there a way to specify where to apply this policy, with the desired location??

Regards,
NTC