Endpoint Protection

  • 1.  Enable IPS

    Posted Feb 20, 2013 07:02 AM

    Hi guys,

    How do I know if IPS is enabled on SEPM? I'm a bit confused.

    When I pull a computer status log, NTP is shown as Enabled, but when I go to policies as shown below that's what I see. I can pull the Sources of attacks report though. Am I confusing things here? My understanding is NTP uses IPS signatures, so if the IPS policy is not assigned to any group, how come I can pull the sources of attacks reports and how come NTP is enabled???



  • 2.  RE: Enable IPS

    Trusted Advisor
    Posted Feb 20, 2013 07:05 AM

    Hello,

    In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.

    In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.

    I would suggest you check these articles:

    Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

    http://www.symantec.com/docs/TECH104434

    Best practices regarding Intrusion Prevention System technology

    http://www.symantec.com/docs/TECH95347

    Hope that helps!!



  • 3.  RE: Enable IPS

    Posted Feb 20, 2013 07:08 AM

    Best practices regarding Intrusion Prevention System technology

    http://www.symantec.com/docs/TECH95347

    Check this thread

    https://www-secure.symantec.com/connect/forums/intrusion-prevention-policy



  • 4.  RE: Enable IPS

    Posted Feb 20, 2013 07:28 AM

    Hi guys,

    Thank you for the links, I went through them... So IPS/NTP is the same thing.

    So by default IPS is enabled on SEPM; do I need to assign the default IPS policy to Groups? Or do I only assign the policy if I have customised it... hope I make sense.

    Currently the IPS policy is enabled but not assigned to any group... that's my worry.



  • 5.  RE: Enable IPS

    Trusted Advisor
    Posted Feb 20, 2013 07:36 AM

    Hello,

    In Symantec Endpoint Protection 11.x, by default IPS policies are assigned to the Groups.

    In case you are creating custom IPS signatures, you may assign the same to the groups.

    http://www.symantec.com/docs/HOWTO55161

    In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.

    Hope that helps!!



  • 6.  RE: Enable IPS

    Posted Feb 20, 2013 07:39 AM

    IPS is part of NTP. NTP consists of both IPS and the Firewall.

    In your case, I believe you are talking about risk tracer, which will show the source of attacks.

    See this KB

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    Article:TECH94526  |  Created: 2009-01-11  |  Updated: 2012-10-08  |  Article URL http://www.symantec.com/docs/TECH94526

     



  • 7.  RE: Enable IPS

    Posted Feb 20, 2013 03:35 PM

    The number you see under Group or Location use count is the number of groups where the IPS policy is applied.

    NTP is a combination of Firewall and IPS. So unless you have withdrawn the policy from any group, the policy is applied on the groups. The signature for NTP that you see is for IPS, as for Firewall there would be no definition/signature.

    If you are using SEP 12.1 then Port Scan, DoS, Anti-MAC spoofing are all part of Firewall Policy.

    When you pull the report for Top Source of Attack, go to Advanced, Event Type and select Only Intrusion Prevention to check if it's actually IPS logs or some other logs.



  • 8.  RE: Enable IPS

    Posted Feb 22, 2013 02:50 AM

    Hi Vikram,

    Yes, I did what you suggested and selected only IPS for the Top Sources of Attacks and it displayed a lot of data.

    So even though IPS is not assigned to any Groups or Locations on the Policies tab, it is active on the machines because we have installed the NTP feature??



  • 9.  RE: Enable IPS

    Posted Feb 22, 2013 04:18 AM

    There are a few policies which are enabled by default.

    Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

    http://www.symantec.com/business/support/index?page=content&id=TECH104434