Endpoint Protection

  • 1.  Is firewall required for IPS and App Control?

    Posted Jun 19, 2009 06:33 PM
    I would like to install SEP 11 with IPS and application control but I don't want the firewall. I was told by a Symantec rep that it was required but I could make a policy that allows everything.

    First, is this true and second, if not, would any of these work to not use the firewall but still use IPS and app control? #3 would be preferred.

    1. For the client group, withdraw the firewall policy
    2. Have a firewall policy for the client group but uncheck "Enable this policy"
    3. I have exported the all-features package, but could I edit setaid.ini and change Firewall=1 to Firewall=0?

    Thanks


  • 2.  RE: Is firewall required for IPS and App Control?

    Posted Jun 19, 2009 07:07 PM
    Scratch #3. Received the following error:

    SAVINST: "Firewall" must be enabled for "DCMain" to be selected.

    So maybe what the rep meant was you had to install the feature but maybe #1 and 2 would still work fine?



  • 3.  RE: Is firewall required for IPS and App Control?

    Posted Jun 19, 2009 09:04 PM
    #1 should work fine. Another option is to create a fw policy that allows all traffic. That would give the option to log certain types of traffic if you wished and would lay the foundation for putting in blocking rules later if needed.


  • 4.  RE: Is firewall required for IPS and App Control?

    Posted Jun 20, 2009 07:49 AM
    The IPS engine works with the firewall. Both work hand in hand; you cannot have just one of them. Together they are Network Threat Protection.


  • 5.  RE: Is firewall required for IPS and App Control?

    Posted Jun 22, 2009 05:44 PM
    I understand that they do work together for things like detecting port scanning but are you saying that in order to use any part of IPS, the firewall must be enabled? Is there any information/documentation that talks about this dependency and what the minimum rule set for the firewall is?


  • 6.  RE: Is firewall required for IPS and App Control?

    Posted Jun 22, 2009 11:53 PM
    Create a blank firewall rule or one that allows any <-> any communication. That should be sufficient.

    I'm not sure if #2 would apply, but it's worth a shot. Let us know if it works!


  • 7.  RE: Is firewall required for IPS and App Control?

    Posted Jun 23, 2009 04:23 AM
    For IPS to work you need to install the Firewall (Network Threat Protection) feature. The same goes for App & Dev Control.
    The best way to use IPS and ADC without the FW is to withdraw the firewall policy for the group.
    This way the FW will switch to pass-all mode, and the only traffic that will be blocked is the traffic detected by IPS.

    Setaid.ini is used when you are installing from the *.msi, and it controls what will be installed, not what will be enabled. That's why you get the error.


  • 8.  RE: Is firewall required for IPS and App Control?

    Posted Jun 23, 2009 05:26 AM
    #2 should work!


  • 9.  RE: Is firewall required for IPS and App Control?

    Posted Jun 23, 2009 07:35 AM
    Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348


  • 10.  RE: Is firewall required for IPS and App Control?

    Posted Jun 24, 2009 09:58 AM
    Network Threat Protection consists of:
    • Firewall
    • IPS
    • Application and Device Control
    NTP is not the firewall itself, but the overall network protection. If you want IPS and App/Device control but not the firewall, then withdraw the firewall policy or disable it. Either one will work just fine. The default firewall doesn't block a whole lot to begin with if you look at it; it can really come in handy to block specific virus activity if you find yourself having an infection event. You can block all network activity to/from a particular file such as a virus so it can't get out on the internet and update itself, and/or block any traffic meant to infect a system. If it's a vulnerability, you can "head it off at the pass" so to speak and block the port that it uses before any of your machines are infected - much quicker than you'll be able to patch any of your client machines.