
Firewall setup

Created: 13 Dec 2007 • Updated: 21 May 2010 | 14 comments
j-j wrote:
Can anyone point me to a firewall setup best practices document?  I have had no luck finding one but it seems like that should be available!

Comments

JimW wrote:
We just created one and will be posting it to an external site soon. I will update this thread when it is live.
 
Regards,
 
JimW

Jim Waggoner Director Product Management, Symantec Endpoint Protection, Enterprise Security Group, Symantec

JPin wrote:

I am also looking for a firewall best practices document for UNMANAGED SEP11 clients.  We have remote users/travelers that will very rarely connect directly to the corporate network.  We want to give them guidance on how best to config so that applications will ask and the client will remember the answers, similar to Zone Alarm, etc.  These clients will depend on LiveUpdates via hotel-type internet access.  Thanks!

Alan Toh wrote:
The default policy settings for the SEP firewall component tend to mess up your hardware firewall policies. Best if you don't install it at all, or only the minimum.
 
Add a default rule in the Firewall Policy allowing Filesharing, the quickest solution would be as follows:
Edit the Firewall Policy
Change the 'Block local file sharing' rule to allow instead
Check the 'Enabled' box
Change the name to 'Allow local file sharing'
Change the 'Action' to 'Allow'
Move the rule up above the Blue Line
Ensure there are no rules above it that could be blocking the traffic. (The firewall works through the rules in a 'top to bottom' sequential method)
Click OK to exit the Policy
Either manually update the client policies or wait for the next heartbeat to occur.
Note - If you wish to specify 'Hosts' within the Firewall rule, please ensure all the IP Ranges are included under Local AND Remote (or Source/Destination). This covers both directions of traffic indefinitely.
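The two points in the steps above (the rule table is evaluated top to bottom, first match wins, so a disabled or badly placed allow rule does nothing, and host ranges specified on only one side of a rule match only one direction of traffic) are easy to get wrong in the console. The following is an added example, not code from the original post or from Symantec: a small Python model of a first-match rule list with allow/block/ask actions. Rule names, the file-sharing port list, and the addresses (a client at 192.168.50.7 talking to file servers in 10.1.2.0/24) are constructed for illustration and do not come from the page.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ALLOW, BLOCK, ASK = "allow", "block", "ask"

# Ports used by Windows file and printer sharing (NetBIOS/SMB); constructed list.
FILE_SHARING_PORTS = frozenset({135, 137, 138, 139, 445})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # ALLOW, BLOCK or ASK
    enabled: bool = True
    ports: frozenset = frozenset()   # empty = any port
    src_hosts: tuple = ()            # CIDR strings; empty = any host
    dst_hosts: tuple = ()


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def _in_ranges(ip: str, ranges: tuple) -> bool:
    """An empty range list means 'any host'; otherwise the IP must fall in one range."""
    return not ranges or any(ip_address(ip) in ip_network(r) for r in ranges)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Disabled rules never match; port and both host conditions are ANDed."""
    if not rule.enabled:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    return _in_ranges(pkt.src, rule.src_hosts) and _in_ranges(pkt.dst, rule.dst_hosts)


def evaluate(rules: list, pkt: Packet, default: str = BLOCK) -> tuple:
    """Walk the table top to bottom; the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "(no rule matched)"


# --- Constructed scenarios (hypothetical rule names and addresses) ----------
block_sharing = Rule("Block local file sharing", BLOCK, ports=FILE_SHARING_PORTS)
allow_sharing = Rule("Allow local file sharing", ALLOW, ports=FILE_SHARING_PORTS)
ask_apps = Rule("Allow Applications", ASK)          # catch-all 'ask' rule at the bottom

inbound_smb = Packet(src="10.1.2.3", dst="192.168.50.7", port=445)   # server -> client
outbound_smb = Packet(src="192.168.50.7", dst="10.1.2.3", port=445)  # client -> server


def ordering_matters() -> tuple:
    """Same allow rule: below the block rule, on top but disabled, on top and enabled."""
    below = [block_sharing, allow_sharing, ask_apps]
    on_top_disabled = [replace(allow_sharing, enabled=False), block_sharing, ask_apps]
    on_top = [allow_sharing, block_sharing, ask_apps]
    return tuple(evaluate(rs, inbound_smb)[0] for rs in (below, on_top_disabled, on_top))


def hosts_one_side_only() -> tuple:
    """Ranges on the source side only vs. all ranges listed on both sides."""
    one_side = Rule("Allow LAN file sharing", ALLOW, ports=FILE_SHARING_PORTS,
                    src_hosts=("10.1.2.0/24",))
    both = ("10.1.2.0/24", "192.168.50.0/24")
    both_sides = Rule("Allow LAN file sharing", ALLOW, ports=FILE_SHARING_PORTS,
                      src_hosts=both, dst_hosts=both)
    results = []
    for rule in (one_side, both_sides):
        table = [rule, block_sharing, ask_apps]
        results.append(evaluate(table, inbound_smb)[0])
        results.append(evaluate(table, outbound_smb)[0])
    return tuple(results)


def unknown_application() -> str:
    """Traffic no specific rule covers falls through to the 'ask' catch-all."""
    return evaluate([allow_sharing, block_sharing, ask_apps],
                    Packet(src="192.168.50.7", dst="203.0.113.9", port=443))[0]


if __name__ == "__main__":
    print("ordering:", ordering_matters())            # ('block', 'block', 'allow')
    print("hosts:", hosts_one_side_only())            # ('allow', 'block', 'allow', 'allow')
    print("unknown app:", unknown_application())      # 'ask'
```

The second scenario is the one the note warns about: with 10.1.2.0/24 entered only under Source, the rule lets the file server's packets in but never matches the client's own outbound SMB packets, which then hit the block rule. Listing every range under both Source and Destination makes the rule direction-independent.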
JPin wrote:
Thanks for your reply.  Actually, what I was trying to convey was that I was expecting that an unmanaged client could be configured similarly to a software firewall product such as ZoneAlarm, where applications that haven't been seen by the firewall before pop a question to the user asking if the communication is permitted, and optionally storing the answer so that future communications would automatically be permitted (or blocked as the case may be).  On my unmanaged client, the screen is blank.  How can I set up the unmanaged client, without a console, to where SEP11 will ask me if communication should be permitted or blocked, and it will remember the answer?  I'm just not seeing this capability in the software or in the help screens/knowledgebase.  Thanks!
j-j wrote:
Just to let you know, I am regularly looking for your response about where this can be found.
 
j-j wrote:
JimW please let me know where this file is located.
 
j-j wrote:
do you think they relocated him?
Mr.Wizard wrote:

I also would like to know how to activate the Application-Control-Notifications in this software.

Sygate Firewall Pro was one of the best application firewalls I have ever used, and I can't believe that Symantec butchered it as they did.

From my understanding, you can enable it with SEPM for a managed client, but an un-managed client is unable to use this feature. Some people stated that all you need to do is install SEPM, but to my knowledge this does not work, since SEPM does not talk to un-managed clients; therefore you would have to deploy a managed client, defeating the purpose of having an un-managed one, which I would prefer having in certain situations.

Can we just get a final straight-forward answer on this topic for once? No more speculation please. I am currently evaluating this software, and if this feature cannot be enabled I am going somewhere else.

Message Edited by Mr.Wizard on 12-27-2007 09:53 PM

Mr.Wizard wrote:

Well as it would seem, I have a solution.

To create an unmanaged client:

Use SEPM to deploy client
Set group unmanaged (road warrior)
Change Location Specific Settings to Client control
Create new Liveupdate Content Policy
Change the update source to Symantec servers.

If you want application control change the firewall rule for "Allow Applications" from "allow" to "ask".

Then have the client do one last update from your server and you're good to go.

I have not found any way of changing the "Allow Applications" rule from within an unmanaged cdrom install though. I am currently seeing if there is a setting in the xml files that can be changed or something.

Mr.Wizard wrote:

UPDATE:

Seems that you have to push the "Allow Applications" rule above the blue line, for it to migrate to a client before giving the client full control.

Anything below the blue line gets overwritten on the client side.

Will we see an updated Firewall:Rules UI for the client in future versions? Where we can add more detailed rules like the "Allow Applications=ask"??

It would certainly make my day..

JPin wrote:

I agree - it seems like the basic use case of an unmanaged client (mobile road warrior) didn't include basic firewall configuration features.  It shouldn't be too difficult to slip this into an MR release as the bones are all there.  But I am disheartened that unmanaged clients were given short shrift rather than full access (with appropriate permission) to features found in managed clients.

0WN3D wrote:
Have you tried creating a package that has a "Manager" and also the relevant update policies for when the "road warrior" systems are not on the LAN?  i.e. LiveUpdate to Symantec public site.  If it's a managed client, there should be no problems.  You can export the package from the console as a single .exe.
j-j wrote:
Since JimW seems to have been misplaced can another Symantec employee point me to this file he spoke of?
 
KT wrote:
 
Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Document ID: 2007121714495348