Endpoint Protection


How to block access to specific websites by both URL and IP address?


  • 1.  How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 09:41 AM
    We need to block a specific group of users who work remotely from home and from public wifi hotspots from accessing some websites using their corporate laptops. Only block the specified sites.
    We need them to be blocked regardless of whether they type in the website URL or the IP address into the browser address bar.

    How is this done?


  • 2.  RE: How to block access to specific websites by both URL and IP address?
    Best Answer

    Posted Oct 13, 2009 09:52 AM

    Open Symantec Endpoint Protection Manager

    Click on Policies button

    Under view Policies > Select Firewall

    Edit the existing Firewall Policy

    Click Rules

    Right Click Rule Number 2 and Select Add a Blank Rule

    Right Click Under the Action and Set it to Block

    Right Click on the Host Select Edit

    Under Specify host names or addresses of computers that trigger the rule Select : Local /Remote

    Under Remote Click Add Under Type Select DNS domain

    Under DNS Domain type the name of the Website e.g. : *.facebook.com

    Click OK and close the Host List Window

    Click OK and close the Firewall Policy Window

    Assign the policy to the desired group


    Title: 'How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy?'
    Document ID: 2008070803545448
    > Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008070803545448?Open&seg=ent



    Title: 'How to block all website and allow only certain websites using Network Threat Protection Firewall rule.'
    Document ID: 2009072816443448
    > Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009072816443448?Open&seg=ent

     

    Note : Make sure on all the computers you have NTP installed



  • 3.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 09:58 AM
    Be VERY VERY careful doing that as the way SEP works, it can and often will block GOOD sites due to the use of Akamai........
    IP addresses will "float" or be shared.
    I've seen symantec.com blocked here because of using *.facebook.com in the firewall.
    SEP resolves the IP address and blocks it............ then when they go to symantec.com, who also uses Akamai, they find symantec.com blocked because it now resolves to the same address but SEP has the other address, it's a mess here.
    Our main provider for the State of Iowa, ICN (Iowa Communications Network) has an Akamai server - so on our way out, so to speak, we hit their server and guess what? I had to drop that firewall rule because SEP blocked walmart.com and bestbuy.com as well as facebook, twitter and myspace - even though I was doing it by DOMAIN.
    SEP needs to be reconfigured somehow - we can't use domain blocking here but instead had to create custom IPS signatures to look into the packets for the domain names.
    The kicker there is some packets are kicked out with IPS, too, because of all the ads and referrals.
    Bottom line, your best bet in the company is a hardware firewall or PROXY like websense, otherwise, test the heck out of SEP before making it production - run it in log-only mode (do not block but DO log in the traffic log)
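
Added example (not part of the original thread and not Symantec code): a pre-deployment check that models the behaviour post 3 describes, where a domain rule ends up enforced on resolved IP addresses, and lists sites that share an address with a blocked domain. The DNS table, the `intranet.example.com` host and all function names are constructed for illustration; pass `resolve_live` instead of the offline table to test from the real network path.

```python
import fnmatch
import socket

# Constructed sample data: documentation-range IPs (RFC 5737), not real DNS answers.
SAMPLE_DNS = {
    "www.facebook.com": {"192.0.2.10", "192.0.2.11"},
    "static.facebook.com": {"198.51.100.7"},       # served from a shared CDN edge
    "www.symantec.com": {"198.51.100.7"},          # same edge node as above
    "www.walmart.com": {"198.51.100.7", "198.51.100.8"},
    "intranet.example.com": {"203.0.113.5"},
}

def resolve_live(host):
    """Resolve a host with the system resolver (for use on the real network)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        return {info[4][0] for info in infos}
    except socket.gaierror:
        return set()

def matches(host, patterns):
    """True if the host matches any wildcard pattern such as *.facebook.com."""
    return any(fnmatch.fnmatch(host, p) for p in patterns)

def blocked_ips(patterns, hosts, resolve):
    """IPs an address-based rule ends up blocking for the given domain patterns."""
    ips = set()
    for host in hosts:
        if matches(host, patterns):
            ips |= resolve(host)
    return ips

def collateral(patterns, hosts, resolve):
    """Hosts that match no pattern but share an IP with a blocked host."""
    bad = blocked_ips(patterns, hosts, resolve)
    hits = {}
    for host in hosts:
        shared = set() if matches(host, patterns) else resolve(host) & bad
        if shared:
            hits[host] = sorted(shared)
    return hits

if __name__ == "__main__":
    offline = lambda h: SAMPLE_DNS.get(h, set())
    found = collateral(["*.facebook.com"], list(SAMPLE_DNS), offline)
    for host, ips in found.items():
        print(f"{host} would also be blocked via {', '.join(ips)}")
```

Because shared addresses change over time, a clean result from one run does not replace the log-only trial suggested in post 3.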


  • 4.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 11:27 AM
    ShadowsPapa,
    We cannot use a hardware firewall because this is for remote users who travel around with laptops.  A hardware firewall or proxy in the office will do nothing for them when they connect to the internet via a hotel or wifi hotspot.


  • 5.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 11:42 AM
    Right now the computers only have AV/AS installed.
    Do we need to add both NTP and Firewall or only NTP?


  • 6.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 11:43 AM
    You will need to ADD only NTP for the firewall. 


  • 7.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 11:49 AM
    I just tried to assign the brand new firewall policy to the group containing the laptops (Active Directory Assigned group), but the sub OU we want to assign it to is grayed out.  How do we make the firewall policy assignable to that specific group?


  • 8.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 11:51 AM
    Go to the group, highlight Policies and uncheck "Inherit policies from parent group".
    Or else you will have to assign the policy on the parent group and it will be inherited on the child groups.


  • 9.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 12:51 PM
    Policy is not blocking access to the website or IP address.

    I created a brand new blank policy, added both the IP addresses and the dns domain names I wanted to block, moved it to the #1 position in the list of rules, assigned it to the group and created a new install package with AV/AS and NTP.
    I installed the package with NTP on a test machine belonging to the group, but I can still get to the website on that machine.


  • 10.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 12:58 PM
    Did you reboot the machine after installing NTP? NTP gets activated only after reboot.


  • 11.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 01:04 PM
    I rebooted and the site is still available through the browser.


  • 12.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 01:06 PM
    Can you post a screenshot of the policy you have created?
    Also check this link, it might be helpful:
    http://service1.symantec.com/support/ent-security.nsf/docid/2009012915443648


  • 13.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 01:15 PM
    Also make sure that the policy is getting applied to the client machine. Check the policy serial number on both the client and the server.


  • 14.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 01:44 PM

    Are you sure antivirus, antispyware and NTP are all that's needed to be installed on the client?



  • 15.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 02:11 PM
    Yup. To be more specific, you only need Network Threat Protection because that is the firewall, and it is not dependent anywhere on PTP.

    The only dependent component is Application and Device Control: you need NTP for Application and Device Control to work.


  • 16.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 13, 2009 07:38 PM
    It started working with the first set of instructions above.


  • 17.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 14, 2009 04:16 AM
    Sir Vikram, why did some Symantec tech suggest that if you are creating a policy in Application and Device Control, both NTP and PTP must be installed?


  • 18.  RE: How to block access to specific websites by both URL and IP address?

    Posted Oct 16, 2009 03:10 PM
    Because Application and Device Control is dependent on NTP and it is a component of PTP.
    So you need both, and AV & ASpy is a must component.
    So in short you need all features.