Video Screencast Help

Follow-up: a way to document Symantec Endpoint Protection 11 firewall rules

Created: 07 May 2012 • Updated: 07 May 2012 | 3 comments

It was a few years ago when I posted this:

http://www.symantec.com/connect/forums/way-document-firewall-rules-sep-11

 

Now what we do is slightly different depending on whether the person is a user of SEPM (an administrator) or one of the Security team, who administrates SEP itself.

If it's an end-user, the same basic process is right, with a twist, I would now recommend that they use XML Explorer instead of Excel to view their rules. XML Explorer makes it much easier to understand and see the raw rules. I could really use a tool though to parse up the XML and make it look like the ruleset you have when you're inside SEPM.

But if it's an administrator of SEPM, we have another cool option, since we have behind-the-scenes access to the files which the clients are downloading... This access allows us to search for IP addresses and subnets in use, so when they are retired or decommissioned then we can be sure they are gone. (Please let me know if you know of a better way though.)

To search the rules (we have some scripts) here are the essentials:

On a web front end server,

cd "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent"

The subdirectories contain XML which is not exactly sent to the client, what the clients actually get seems to be "compiled".

In each directory you can do a "grep" or find for:

IpAddress

or

"SubNet NetAddr"   if you're looking for subnets

If you want the name of the group the XML applies to, grep for "Path"

Warning: If you copy scripts to the agent directory they may hang because the directories and files seem to be rebuilt on a schedule (5 minutes?) so it's a race condition to get in, get your data, and get out of there. But reading the files this way seems to have no bad side-effects.

I hope this helps someone!

 

 

Comments 3 CommentsJump to latest comment

.Brian's picture

Have you seen this:

 

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

http://www.symantec.com/business/support/index?page=content&id=TECH180569&actp=search&viewlocale=en_US&searchid=1350076520056

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mohan Babu's picture

Good one 

Mohan Babu

moglie20@gmail.com

+91 9884382160

Your satisfaction is very important to us.If you find above information helpful or it has resolved your issue...please mark it accordingly :)

Ashish-Sharma's picture

HI,

Check this artical

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

http://www.symantec.com/docs/TECH180569

 

AttachmentSize
Default_FW_Rules.xls 31.5 KB

Thanks In Advance

Ashish Sharma