Firewall in Symantec Endpoint Protection
Created: 21 Jan 2013 | 26 comments
I have a couple of issues with the Symantec Endpoint, I have exported a Install package from the Symantec Endpoint Manager... And i added a Client Install Feauture Set, I unticked the Network Threat Protection See:
And i deployed the msi with the Group Policy to a bunch of Computers, but it seems as that the Nework Threat Protection installed anyway... See below... And when i get to the control panel (Action Center) i see that Symantec is running as the firewall.. but i want to use the Windows Firewall and not the symantec? What am i doing wrong?
Discussion Filed Under:
Comments 26 Comments • Jump to latest comment
Hello,
Once the installation is completed, please restart the machine and check again.
Secondly for Enabling Windows Firewall, check these settings in SEPM firewall policy.
1.Login to SEPM.
2. Click on Policies.
2.Click on Firewall. Highlight the policy in the right pane. Click on Edit the policy.
3. In Windows Integration tab, choose "Do Nothing" in Disable Windows Firewall.
Secondly, check these Articles:
Windows firewall is disabled after migration to a 12.1 RU2 client without NTP firewall feature
http://www.symantec.com/docs/TECH200415
How to disable windows firewall in Windows server 2008 R2 64 bit by setting in SEPM
http://www.symantec.com/docs/TECH183375
Using (Enabling) Windows Firewall with SEP NTP installed
http://www.symantec.com/docs/TECH197660
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
Already done these steps, its still not working
Thanks
Shane
Hello,
Could you please create a New package (without NTP) in .msi package (by unchecking the "Create a single .exe file for this package), check this Article:
http://www.symantec.com/docs/TECH165483
Once done, please check the setaid.ini to confirm if the NTP is getting installed in the package. Check this Article -
http://www.symantec.com/docs/TECH102668
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
The other thing to note is if the firewall piece is not installed it should be in use.
In the firewall policy on the Windows Integration tab, for Disable Windows Firewall set it to No Action
SEP Knowledge Base
Endpoint SWAT
HI, what is the version of SEPM and the version of the package that you deployed?
If the package was created without NTP feature - after installation this feature should no appear at all - can you try recreating the install package again - before that please create a new Client Install Feature Set (again without Firewall) just to exlude policy corruption - maybe there was some problem here.
I recreated the the installation package once again with the NTP, and the Application device disabled.It looks like it still something wrong, the NTP still gets installed.. There is something weird going on here.. :
Its getting on my nerves :)
Hello,
Could you please create a New package (without NTP) in .msi package (by unchecking the "Create a single .exe file for this package), check this Article:
http://www.symantec.com/docs/TECH165483
Once done, please check the setaid.ini to confirm if the NTP is not getting installed in the package. Check this Article -
http://www.symantec.com/docs/TECH102668
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
I did do a .msi package but it still doesn't work.!
Here is the setaid.ini from the .msi package.. as we can see here the NTP is disabled?
; NOTE: Do not edit the config below
[PREDEFINED_SMC_CONFIG]
AppType=105
VendorID=4096
PlatformType=WIN64BIT
PackageChecksum=2ad33d83ea714bfa8593bfd4f540b2b9
; User configureable options
[CUSTOM_SMC_CONFIG]
InstallNewInstanceOnly=0
InstallUserInterfaceLevel=s
KeepPreviousSetting=1
InstallationLogDir=%TEMP%\SEP_INST.LOG
DestinationDirectory=
LaunchIt=1
AddProgramIntoStartMenu=0
OptOutRepSubmission=1
UIRebootMode=0
RebootSchedule=NOW
AutoReboot=true
RebootRandomize=true
RebootPromptMessage=The Symantec Endpoint Protection installation requires this computer to restart.
SnoozeInterval=60
RebootDisplayTimeout=60
RebootMethod=SERVER
RebootMinutes=180
Countdown=5
RebootDay=TODAY
RebootRandomizeHours=2
PromptType=COUNTDOWN
RebootMaxSnoozeCount=3
RebootPromptUser=true
HardReboot=true
[LU_CONFIG]
ServerProduct=SESM AntiVirus Client Win64
ServerLanguage=English
ServerVersion=12.1.1000
SequenceNumber=0
ServerMoniker={43EEFBAE-0AB4-F6D4-0039-BF120CC562DF}
ClientProduct=SESC AntiVirus Client Win64
ClientLanguage=English
ClientVersion=12.1.1000
ClientMoniker={D410C452-0AB4-F6D4-0039-BF12E41A5E54}
SequenceTag=PATCH
ShortName=spcAvClient64en_12_1
DisplayName=Symantec Endpoint Protection Win64 12.1.1000.157 (English)
CONNECT_LU_SERVER=0
[FEATURE_SELECTION]
Core=1
SAVMain=1
Download=1
OutlookSnapin=1
NotesSnapin=0
Pop3Smtp=1
PTPMain=1
TruScan=1
DCMain=0
NTPMain=0
Firewall=0
ITPMain=0
/Shane
Yes, we are experiencing the same issues.
What version of 12.1 is this happening on?
SEP Knowledge Base
Endpoint SWAT
SEPM 12.1.1000.157 RU1
The version of the packed i deployed is 12.1000.157
Alright i am gonna try and create a new Client Install Feature, and install the Symantec again..
Thanks
Shane
Could it be picking up an inherited policy?
It's possible, you would need to check though to confirm.
SEP Knowledge Base
Endpoint SWAT
HI,
Check the client group where sep client are showing.
Client Group -> Install Package...
any client package available
How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations
http://www.symantec.com/business/support/index?page=content&id=TECH90936
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
All the the deployed clients goes into the OF group, and in this group, i have withdrwan the firewall and intrusion prevention..
The policy assigned to the client group should not matter - even if FW policy is assigned here but the component is not installed on client it would not apply and certainly it would not force the client to install the feature.
Are these target computers clean installs or did they have already some older SEP version installed previously?
If there was, please have a check if in the client install setting the opiton: "Maintain existing client features when upgrading" is unchecked.
Have a look here:
http://www.symantec.com/docs/TECH90936
The computers are clean installs :)
/Shane
Application Control will show up under Network Threat Protection.
This is as designed.You can also see this by going to "add remove programs" and clicking modify,
Regards
Torb
Hi
What is the version you are installing ?
Regards
The version of the packed i deployed is 12.1000.157..
So I have tried all kind of workaround, still dont get it to work.. The only thng that work is when i install the symantec endpoint client, i have to on the control panel/add remove programs and modifie the installation..To not have the NTP installed..?? How do i not get the NTP installed from the beginning from the deployed MSI.. I tought the setaid config file, helped with this?
/Shane
shaniie - have you tried already to recreate the "Client Install Feature" policy - we discussed that before but I don't se eyour update on that. Can you confirm?
Can you check one more thing - for a test deploy a install package with a feature set from "Basic Protection for Servers" - this should have only the AV installed - does after deployment the Firewall gets installed here as well?
hey Sebastian,,
I did recreate the Client Install Feature, but it still does not work :(
And i did the Basic Protection for servers, same thing here..The firewall gets installed anyway
/Shane
Are you deploying those package by Push Deployment - if yes can you manually copy the package to the target machine and execute - does the firewall component get installed as well?
I was thinking here about the posibility that the package you are sending out from SEPM is not the same as a package that arrives at target machine - some cached version of older package or so... but not sure if this is possible.
No no Push Deployment, i tried that tooo but still doesn't work..
And I am using Group Policy Sep64.msi to push the install out to clients,, same thing here the firewall gets installed dont matter how much i try with teh basic server install feature..
And i try manually to install the client but all features get installed anywayss. the only thing i can do to disable the firewall is to do i maanually from the add remove programs/modify...
I tried restarting the SEPM service on the server, and then exporting a new package, but same o same?
I dont want to manually go and modify all the sep clients on all computers, to disable the NTP...
Any more help will be really appreciated..
/Shane
Hello,
I agree with the above comments.
In addition to above, could you also try installing an Unmanaged client setup from the SEP 12.1 DVD??
Symantec_Endpoint_Protection_12.1_Full_EN\SEP\Setup.exe
This unmanaged client can be later turned to managed by simply replacing the sylink.xml file.
http://www.symantec.com/docs/TECH157585
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
Would you like to reply?
Login or Register to post your comment.