Endpoint Protection

  • 1.  Need Application Control without Network Threat Protection?

    Posted Jan 14, 2010 03:28 PM
    Greetings!

    I am running SEPM 11.0.4, and I have been tasked with 'Disabling USB Devices' -->  I need 'Application and Device Control'.  Currently we have only been using the Antivirus/AntiSpyware Function of the SEP Suite.  We do not employ the firewall, intrusion prevention or the Application and Device Control.

    *In order for Application and Device Control to work, the Network Threat Protection piece MUST be installed...

    OK.....but my conflict is, I do NOT want the firewall or intrusion detection components to be turned on......?

    How do I configure the group to allow App/Dev Control..........while leaving all the components of the Firewall/Intrusion Detection wide OPEN.....or OFF?

    --  Originally I thought that I could install it, but not apply any firewall/intrusion policy to the group........but it seemed like it did anyway.........so do I need to build open policies instead??

    * inheritance is OFF before you ask...

    Any input would be greatly appreciated!


  • 2.  RE: Need Application Control without Network Threat Protection?
    Best Answer

    Posted Jan 14, 2010 03:34 PM
    https://www-secure.symantec.com/connect/forums/firewall-and-intrusion-prevention

    Withdraw the policies, or uncheck "Enable this policy" for Firewall and Intrusion Prevention.


  • 3.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 14, 2010 04:14 PM
    Thanks for the quick response!

    That is what I originally did, I had no policies..........but started to receive a bunch of errors from my SNMP management station for host unreachable, DHCP service is down, etc......

    Now I really did not give it too much time to stabilize because it was a production system..........but after getting those errors I immediately reverted back to my old config.

    So if I had no firewall policies, then these SNMP errors were not a result of the firewall..........?  Could it just have been a network blip from the install?  Which leads me to my next question................when you install the network protection component..........does it interrupt the network?


  • 4.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 14, 2010 04:38 PM
    Hello Dave_G
    Network Protection will not interrupt your network connection if you configure it.
    What about blocking flash disks with GPO? Is it a good idea for you if you cannot use the Application and Device policy?

    Regards.
    Fatih
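    The GPO alternative suggested above usually comes down to pushing the USB mass-storage driver's start type to "disabled" through a registry preference or startup script. The following is an added illustration of that check and change, not code from this thread's posters or from Symantec; the USBSTOR service key and its Start value (3 = on demand, 4 = disabled) are the standard Windows locations, and the function names are this example's own.

    ```powershell
    # Added example, not from the thread: audit and (optionally) change whether the
    # USB mass-storage driver may load, which is what a "block flash disks" GPO
    # registry preference typically sets. Start = 3 (on demand) allows USB storage,
    # Start = 4 disables the driver. Writing the value requires local admin rights.

    $UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    function Get-UsbStorageState {
        # Returns an object describing whether USB mass storage is blocked on this host.
        $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            StartValue   = $start
            Blocked      = ($start -eq 4)
        }
    }

    function Set-UsbStorageBlocked {
        # Sets the driver start type; -Unblock restores the default (3).
        # Supports -WhatIf so the change can be previewed before it is applied.
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([switch]$Unblock)

        $value = if ($Unblock) { 3 } else { 4 }
        if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start=$value")) {
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
        }
        Get-UsbStorageState
    }

    # Report the current state on this machine; preview the change with -WhatIf.
    Get-UsbStorageState | Format-List
    # Set-UsbStorageBlocked -WhatIf
    ```

    Two caveats a practitioner would want: the setting only stops the driver from loading for devices connected afterwards, so a stick that is already mounted stays usable until it is removed, and it does not cover USB devices that are not mass storage (keyboards, network adapters), which is the gap the SEP Device Control policy discussed in this thread is meant to close.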


  • 5.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 15, 2010 03:35 AM
    Install all the clients with NTP and Device Control, and create an allow-all rule for the firewall. To do this,
    do as follows:
    Create a new custom Client Install Feature Set.
    Open the Symantec Endpoint Protection Manager console.
    On the Admin tab, under Tasks, click Install Packages.
    The current default client installation packages appear on the right.
    Under View Install Packages, click Client Install Feature Sets.
    Under Tasks, click Add Client Install Feature Sets.
    Specify the name you would like the Client Install Feature Set to have.
    Give the Client Install Feature Set a description.
    Select the components you want to include in the install package from the following list:
    AntiVirus and AntiSpyware Protection
       AntiVirus Email Protection 
       Microsoft Outlook Scanner 
       Lotus Notes Scanner 
       POP3/SMTP Scanner
    Proactive Threat Protection
       Application and Device Control
    Network Threat Protection
       Network Threat Protection
     
    Assign the package to groups 

    Click Admin > Install Packages.
    In the lower-left pane, under Tasks, click Upgrade Groups with Package.
    In the Welcome to the Upgrade Groups Wizard panel, click Next.
    In the Select Client Install Package panel, all existing client packages are listed in the drop down box. Select one of the following:
    Symantec Endpoint Protection <appropriate version>.
    Click Next. 
    In the Specify Groups panel, check one or more groups that contain the client computers to be migrated, then click Next.
    In the Package Upgrade Settings panel, check Download client from the management server.
    Click Upgrade Settings.
    In the Add Client Install Package dialog box, on the General tab, specify not to keep existing client features, then configure a schedule for when to migrate the client computers. Under the Notification tab, specify a message to display to users during the migration.
    If the clients in the group run a version of Symantec Endpoint Protection previous to MR2, turn off scheduling. Scheduling is on by default when a new client install package is added to a group. If scheduling is turned on, the upgrade fails. To turn off scheduling, in the Add Client Install Package dialog box, uncheck Upgrade Schedule.
    For details about settings on these tabs, click Help.
    Click OK.
    In the Upgrade Groups Wizard dialog box, click Next.
    In the Upgrade Groups Wizard Complete panel, click Finish.

    -------------------------------------------------------------------------------------------------
    Create an allow-all rule in the firewall and keep it as the first rule.
    Note: After checking in a test setup you can remove it and add the required rules so that you can enjoy the advantage of NTP also.
    For more info refer to
    How to add a rule using the "Add Firewall Rule Wizard"

    Keep the groups in server control mode. You can do this in Clients ----> <Preferred group> --> Policies -----> Location-specific settings ----> Client User Interface Control Settings.



  • 6.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 15, 2010 04:24 AM
    You cannot have Application and Device Control without installing NTP due to the Sysplant driver dependency... And by withdrawing a policy, a default set of rules is applied for that component... So what I'd suggest is...

    1. Install with NTP.
    2. Create a new blank rule in Firewall policy and move it to the top, making it rule 1.
    3. Change the 'action' to allow.
    4. For IPS, you can uncheck the option "Enable IPS".

    By doing so, all ports are left open; however, a scan will be done on the packets, which would eventually introduce a small delay in network traffic.

    Cheers,
    Visu.


  • 7.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 15, 2010 08:34 AM
    Firewall Rule or not?

    OK..........seems like I am getting some mixed answers on whether or not it is necessary to have a rule in place to keep the firewall disabled...

    So what do you think is best practice? 

    Leave an open rule?  Or withdraw the rule entirely?




  • 8.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 15, 2010 08:58 AM
    In simple terms, what you can do is withdraw the FW and IPS policies assigned to your group,

    because you cannot remove the component needed to block your USB.
    So just withdraw those two policies; the services will be there but no policy telling them what to do, so it's all ignored.

    Policies.
    Select FW policy.
    On the right-hand side click the default policy.
    Now at the bottom you will get an option to withdraw; check all your groups. Do the same for IPS as well.


  • 9.  RE: Need Application Control without Network Threat Protection?

    Posted Jan 15, 2010 09:00 AM
    Withdrawing the rule and adding a blank rule will mean the same thing.