
Enable IPS

Created: 20 Feb 2013 | 8 comments

Hi guys,

How do I know if IPS is enabled on SEPM? I'm a bit confused.

When I pull a computer status log, NTP is shown as Enabled, but when I go to policies, as shown below, that's what I see. I can pull the Sources of Attacks report, though. Am I confusing things here? My understanding is that NTP uses IPS signatures, so if the IPS policy is not assigned to any group, how come I can pull the Sources of Attacks report and how come NTP is enabled???


Mithun Sanghavi:

Hello,

In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.

In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.

I would suggest you check these articles:

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

http://www.symantec.com/docs/TECH104434

Best practices regarding Intrusion Prevention System technology

http://www.symantec.com/docs/TECH95347

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ashish-Sharma:

Best practices regarding Intrusion Prevention System technology

http://www.symantec.com/docs/TECH95347

Check this thread

https://www-secure.symantec.com/connect/forums/intrusion-prevention-policy

Thanks In Advance

Ashish Sharma

Eyal:

Hi guys,

Thank you for the links, I went through them... So IPS/NTP is the same thing.

So by default IPS is enabled on SEPM. Do I need to assign the default IPS policy to groups, or do I only assign the policy if I have customised it? Hope I make sense.

Currently the IPS policy is enabled but not assigned to any group... that's my worry.

Mithun Sanghavi:

Hello,

In Symantec Endpoint Protection 11.x, by default IPS policies are assigned to the Groups.

In case you are creating custom IPS signatures, you may assign the same to the groups.

http://www.symantec.com/docs/HOWTO55161

In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Brɨan:

IPS is part of NTP. NTP consists of both IPS and the Firewall.

In your case, I believe you are talking about risk tracer, which will show the source of attacks.

See this KB

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

Article: TECH94526 | Created: 2009-01-11 | Updated: 2012-10-08 | http://www.symantec.com/docs/TECH94526

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Vikram Kumar-SAV to SEP:

The number you see under Group or Location use count is the number of groups where the IPS policy is applied.

NTP is a combination of Firewall and IPS. So unless you have withdrawn the policy from any group, the policy is applied on the groups. The signature for NTP that you see is for IPS, as for Firewall there would be no definition/signature.

If you are using SEP 12.1 then Post Scan, DOS, Anti-mac spoofing are all part of Firewall Policy.

When you pull the report for Top Sources of Attack, go to Advanced, Event Type and select Only Intrusion Prevention to check if it's actually IPS logs or some other logs.

Vikram Kumar

Symantec Consultant

The most helpful part of all of Symantec Connect is the Search button... do use it.

Eyal:

Hi Vikram,

Yes, I did what you suggested and selected only IPS for the Top Sources of Attacks, and it displayed a lot of data.

So even though IPS is not assigned to any groups or locations on the Policies tab, it is active on the machines because we have installed the NTP feature??

Rafeeq:

There are a few policies which are enabled by default.

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

http://www.symantec.com/business/support/index?pag...