Follow-up: a way to document Symantec Endpoint Protection 11 firewall rules
It was a few years ago when I posted this:
Now what we do is slightly different depending on whether the person is a user of SEPM (an administrator) or one of the Security team, who administrates SEP itself.
If it's an end-user, the same basic process is right, with a twist, I would now recommend that they use XML Explorer instead of Excel to view their rules. XML Explorer makes it much easier to understand and see the raw rules. I could really use a tool though to parse up the XML and make it look like the ruleset you have when you're inside SEPM.
But if it's an administrator of SEPM, we have another cool option, since we have behind-the-scenes access to the files which the clients are downloading... This access allows us to search for IP addresses and subnets in use, so when they are retired or decommissioned then we can be sure they are gone. (Please let me know if you know of a better way though.)
To search the rules (we have some scripts) here are the essentials:
On a web front end server,
cd "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent"
The subdirectories contain XML which is not exactly sent to the client, what the clients actually get seems to be "compiled".
In each directory you can do a "grep" or find for:
"SubNet NetAddr" if you're looking for subnets
If you want the name of the group the XML applies to, grep for "Path"
Warning: If you copy scripts to the agent directory they may hang because the directories and files seem to be rebuilt on a schedule (5 minutes?) so it's a race condition to get in, get your data, and get out of there. But reading the files this way seems to have no bad side-effects.
I hope this helps someone!