Video Screencast Help

Firewall Exception on Managed client

Created: 03 Dec 2011 • Updated: 04 Dec 2012 | 9 comments
This issue has been solved. See solution.

I am having trouble using the email feature of Shadow Protect on a client. I know that my SMTP Email server is working and the server responds to the Shadow Protect email test by connecting, but the response from the SMTP is lost. I'm pretty sure the port is getting blocked by my firewall on the client.

How do I create a firewall exception for this client if it is managed?

Is it possible to make this exception specific for this client.


Comments 9 CommentsJump to latest comment

P_K_'s picture

Do you want to create an exception for the port or the application.?

Go the firewall policy and create a new policy and there you can define the exception that you want to create

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

JerryF's picture

Not sure what ports need to be opened I will try first with the application.

I do not see how to manage exceptions on the client. I assume this needs to be added on the Management Console at the server?

Mithun Sanghavi's picture


What makes you think that Symantec Endpoint Protection's Network Threat Protection (Firewall) is blocking the ports or the application??

Do you have the SEP client installed with  Network Threat Protection (Firewall) on the same server??

If yes, Could check the Traffic Logs / Packet Logs from the Symantec Endpoint Protection Client, if there is any ports being blocked??

This could be done by: 

Opening SEP client> View Logs > Click on View Logs Button; Next to Network Threat Protection and Traffic Logs / Packet Logs

If there is nothing being blocked, then it would be Windows Firewall, Try disabling the same and check if the issue is getting resolved.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

JerryF's picture

>>What makes you think that Symantec Endpoint Protection's Network Threat Protection (Firewall) is blocking the ports or the application?? 

Acronis B&R email works without a problem on this machine

I can send emails to the Network without a problem from this machine

Windows Telnet Client can send emails from this machine

>>Opening SEP client> View Logs > Click on View Logs  

SEP client Traffic logs show that traffic is getting blocked, but Packet logs show no blocks

James-x's picture

Hello JerryF,

If you want to create a firewall rule which affects only this one managed client, you have two options.

  1. Put this client in a unique group in the SEPM and then apply your customized firewall policy to only this group.
  2. Add a customized firewall rule to the client itself (as opposed to adding the rule to the policy in the SEPM.)

I am going to assume you will want option 2 and will provide instructions for that. If you need something different, let me know. I am also going to assume you are using SEP 11.0.x (as opposed to SEP 12.1), since you were not specific.

By default, a managed SEP client will not allow a user to create their own firewall policies from within the SEP client GUI. You will need to change the client interface control settings from within the SEPM to give yourself permission to to modify the client-side firewall rules. Follow these steps:

  1. Login to the SEPM
  2. Click Clients
  3. Select the group that your client is in
  4. Click Policies (the tab at the top)
  5. Remove policy inheritance (checkbox at top) if necessary
  6. Expand Location-specific Settings
  7. Click Server Control (it will open a new dialog box)
  8. Select Client control from the list
  9. Click OK
  10. Wait for the SEP client to pick up the policy change. (You can speed this up by right-clicking the SEP system tray icon on the client and clicking Update Policy.)

After you have made this change, you can now modify the client-side firewall rules using the following steps.

  1. Double-click the SEP system tray icon
  2. Click Options next to Network Threat Protection
  3. Click Configure Firewall Rules...
  4. Click Add
  5. Fill out the rule information as you see fit and click OK.

I suggest creating an Allow All rule (which, as the name suggests, allows all network traffic in or out of the box) and bumping it to the top of the rule list in order to confirm that this fixes the problem. If an allow all rule does NOT fix the problem, then any more specific rule (i.e., restricted to a certain port, protocol, or application) most certainly won't fix it either. Thus, testing the allow all rules can save you some time in the end.



The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Simpson Homer's picture

Creating a firewall policy

The Symantec Endpoint Protection includes a default Firewall policy with default firewall rules and default firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.

When you install the console for the first time, it adds a default Firewall policy to each group automatically.

Every time you add a new location, the console copies a Firewall policy to the default location automatically. If the default protection is not appropriate, you can customize the Firewall policy for each location, such as for a home site or customer site. If you do not want the default Firewall policy, you can edit it or replace it with another shared policy.

When you enable firewall protection, the policy allows all inbound IP-based network traffic and all outbound IP-based network traffic, with the following exceptions:

  • The default firewall protection blocks inbound and outbound IPv6 traffic with all remote systems.


    IPv6 is a network layer protocol that is used on the Internet. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.

  • The default firewall protection restricts the inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing).

    Internal network connections are allowed and external networks are blocked.

Table: How to create a firewall policy describes the tasks that you can perform to configure a new firewall policy. You must add a firewall policy first, but thereafter, the remaining tasks are optional and you can complete them in any order.

Table: How to create a firewall policy



Add a firewall policy

When you create a new policy, you give it a name and a description. You also specify the groups to which the policy is applied.

A firewall policy is automatically enabled when you create it. But you can disable if you need to.

See Enabling and disabling a firewall policy.

Create firewall rules

Firewall rules are the policy components that control how the firewall protects client computers from malicious incoming traffic and applications. The firewall automatically checks all incoming packets and outgoing packets against these rules. It allows or blocks the packets based on the information that is specified in rules. You can modify the default rules, create new rules, or disable the default rules.

When you create a new Firewall policy, Symantec Endpoint Protection provides default firewall rules.

The default firewall rules are enabled by default.

See Setting up firewall rules.

Enable and customize notifications to users that access to an application is blocked

You can send users a notification that an application that they want to access is blocked.

These settings are disabled by default.

See Notifying the users that access to an application is blocked.

Enable automatic firewall rules

You can enable the options that automatically permit communication between certain network services. These options eliminate the need to create the rules that explicitly allow those services. You can also enable traffic settings to detect and block the traffic that communicates through NetBIOS and token rings.

Only the traffic protocols are enabled by default.

See Automatically allowing communications for essential network services.

If the Symantec Endpoint Protection client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking computer for a set period of time. The IP address of the attacking computer is blocked for a single location.

This option is disabled by default.

See Automatically blocking connections to an attacking computer.

Configure protection and stealth settings

You can enable settings to detect and log potential attacks on the client and block spoofing attempts.

See Detecting potential attacks and spoofing attempts.

You can enable the settings that prevent outside attacks from detecting information about your clients.

See Preventing stealth detection.

All of the protection options and stealth options are disabled by default.

Integrate the Symantec Endpoint Protection firewall with the Windows firewall

You can specify the conditions in which Symantec Endpoint Protection disables the Windows firewall. When Symantec Endpoint Protection is uninstalled, Symantec Endpoint Protection restores the Windows firewall setting to the state it was in before Symantec Endpoint Protection was installed.

The default setting is to disable the Windows firewall once only and to disable the Windows firewall disabled message.

See Disabling the Windows firewall.

Configure peer-to-peer authentication

You can use peer-to-peer authentication to allow a remote client computer (peer) to connect to another client computer (authenticator) within the same corporate network. The authenticator temporarily blocks inbound TCP and UDP traffic from the remote computer until the remote computer passes the Host Integrity check.


You can only view and enable this option if you install and license Symantec Network Access Control.

This option is disabled by default.

See Configuring peer-to-peer authentication

James-x's picture


In the future, please link to relevant documents rather than copy and pasting them here. It is too much text and decreases the readibility of the thread.



The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Ashish-Sharma's picture
Hi JerryF 

Kindly Ensure your Symantec Server ip added in Exchange server SMTP mail relay this setting after you will be receive mail.

Thanks & regards

Ashish Sharma

Thanks In Advance

Ashish Sharma

Simpson Homer's picture; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(246, 246, 246); padding-right: 29px; margin-right: 5px; font-weight: 700; line-height: 13px; color: rgb(0, 83, 255); font-family: helvetica, arial, clean, sans-serif; font-size: 12px; background-position: 100% 0px; background-repeat: no-repeat no-repeat; ">James-x

Would not do that in future. Thankssmiley