
Need Help: SEPM Firewall Policies for Single Clients

Created: 31 Oct 2012 • Updated: 01 Nov 2012 | 17 comments
This issue has been solved. See solution.

Hello,

I'm currently trying to figure out how to add an exception to a managed client running SEP 11x on a Windows system. The issue resides with an application getting blocked by Network Threat Protector and/or the firewall. I'd like to add the exception into a policy and ONLY apply it to that system and not the other systems within its OU. The reason being is that we're trying to keep the firewall exception rules to a minimum since going over 40 rules apparently causes major performance issues on clients. Currently we are at 39 rules and we cannot add another. So how can I add an exception for an application to communicate over the network to only one system without applying it to others within its OU?

Thanks guys!


Mithun Sanghavi wrote:

Hello,

EDIT:

If you want to create a firewall rule which affects only this one managed client, you have two options.

  1. Put this client in a unique group in the SEPM and then apply your customized firewall policy to only this group.
  2. Add a customized firewall rule to the client itself (as opposed to adding the rule to the policy in the SEPM.)

I am going to assume you will want option 2 and will provide instructions for that. If you need something different, let me know. 

By default, a managed SEP client will not allow a user to create their own firewall policies from within the SEP client GUI. You will need to change the client interface control settings from within the SEPM to give yourself permission to modify the client-side firewall rules.

Follow these steps:

  1. Login to the SEPM
  2. Click Clients
  3. Select the group that your client is in
  4. Click Policies (the tab at the top)
  5. Remove policy inheritance (checkbox at top) if necessary
  6. Expand Location-specific Settings
  7. Click Server Control (it will open a new dialog box)
  8. Select Client control from the list
  9. Click OK
  10. Wait for the SEP client to pick up the policy change. (You can speed this up by right-clicking the SEP system tray icon on the client and clicking Update Policy.)

After you have made this change, you can now modify the client-side firewall rules using the following steps.

  1. Double-click the SEP system tray icon
  2. Click Options next to Network Threat Protection
  3. Click Configure Firewall Rules...
  4. Click Add
  5. Fill out the rule information as you see fit and click OK.

I suggest creating an Allow All rule (which, as the name suggests, allows all network traffic in or out of the box) and bumping it to the top of the rule list in order to confirm that this fixes the problem. If an allow all rule does NOT fix the problem, then any more specific rule (i.e., restricted to a certain port, protocol, or application) most certainly won't fix it either. Thus, testing the allow all rules can save you some time in the end.

Also, check these Articles:

Creating a firewall policy 

http://www.symantec.com/docs/HOWTO54889

Configuring the Symantec Endpoint Protection Firewall to filter traffic based on whether its source/destination is from a particular domain

http://www.symantec.com/docs/TECH131681

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

http://www.symantec.com/docs/TECH180569

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
mcmillions wrote:

If I apply any of these guides to my situation the policy on the managed client will get overwritten. Why would you post materials for an unmanaged client instead of managed? Did you even read the first line?

Brɨan wrote:

You can create a separate group and policy for only this client.

Under Location-specific settings set it to Mixed control so it will allow the user to manage firewall rules

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mcmillions wrote:

Brian81, I thought about going that route, but we're trying to keep the user from being able to alter the firewall rules and we're trying to keep from having 'one-off' groups because it'll be easy to become disorganized in this environment VERY quickly.

I can't believe Symantec doesn't allow single machines to be a part of a custom policy other than by applying it to a new group. Pretty big fail in logic...

Brɨan wrote:

And after looking at this KB article, this may not help you anyway but you can confirm:

Switching from Server Control mode to Mixed or Client Control mode does not retain any previously server designated settings

https://www.symantec.com/business/support/index?pa...

I think this is NOT what you want. But let me know before I take a deeper look.

Also, you said you were at 39 rules and couldn't add another. Is there a limit?


mcmillions wrote:

Brian81, yes, there is a rule limit we'd like to be set at, and that's 40 (which Symantec recommends). The reason being is if the firewall rule set gets too bloated it causes more CPU utilization and we don't want to overwhelm any clients or servers within the OUs. As SEP alone hogs up a lot of resources to begin with, adding more rules would make the systems that much slower to filter more traffic.

As far as the KB article, no, that isn't what I'm looking for. Basically, we just need to allow certain ports for an application on a single machine without applying the same policy to the hundreds of other machines that would then allow the same exception. Additionally, we don't want to make the machine unmanaged and add exceptions that way either.

The only option I have I guess is actually changing the location specific settings and allowing the user to turn off the firewall (NTP) for X amount of time... which scares the crap out of me, but Symantec doesn't really give us another option at this time.

Brɨan wrote:

You can set it to Mixed control, which will allow you as the admin to specify how much control your user can have.


mcmillions wrote:

Yeah, I saw that within SEPM. It scares me a little bit because it's a bit more risky allowing them to disable the firewall for however long I specify. It'll be my luck that a worm breaks out while the users in the group have their firewall disabled... Oh well, guess I don't have much choice.

Brɨan wrote:

You should be able to not allow disabling of the firewall rule while still allowing rules to be created. At least from what I see.


mcmillions wrote:

Are you seeing that setting within SEPM? I'm looking at the Mixed control settings within Location-specific Settings and Policies... and didn't see an option to allow users to add exceptions to their client firewall.

Brɨan wrote:

In Mixed Control, make sure "Configure unmatched IP traffic settings" is set to Client.

I just tested and think it is what you need.


greg12 wrote:

As Mithun said (option 1), just create a unique group and move your client into it. Then copy the policy settings from your "old" group with the other clients to your new group (right click on old group > copy policy) and paste it to your new group (right click on new group > Paste policy). As the last step, add the firewall exception. Now all settings of the groups are the same except for the additional firewall rule.

If you go this way, you don't have to bother with Client Control or Mixed Control. In Client Control, the clients don't get any firewall rules from the SEPM. They are only using their own rules. In Mixed Control, the SEPM and client firewall rules will be mixed (dependent on the famous blue line in the firewall policy). Very error-prone -- use Server Control.

mcmillions wrote:

Thanks Greg. I see that Mithun updated his response... that's exactly what I'm looking for!

Thanks Gents!

Mithun Sanghavi wrote:

Hello,

Happy to assist you...

Don't forget to Close the Thread by Marking the right Comment as "Solved".


mcmillions wrote:

Now, I'm curious about a couple of things. First, if I were to move all of these systems into this new group, would this have any effect on Active Directory replication as it's tied into it? Second, if I were to allow the user to create their own exceptions, are there any type of logs I can reference to make sure no additional exceptions have been put into place? Additionally, anything that has been added in general to the firewall exceptions.

Thanks again guys!

greg12 wrote:

First, if I were to move all of these systems into this new group, would this have any effect on Active Directory replication as it's tied into it?

No, the clients will be copied into a new group. SEP groups have a higher priority than SEP OUs. The clients get the SEP group policies but remain members of the SEP OU as well (which is a mirror of the Windows OU).

Second, if I were to allow the user to create their own exceptions, are there any type of logs I can reference to make sure no additional exceptions have been put into place? Additionally, anything that has been added in general to the firewall exceptions.

Well, if you follow Mithun's (option 1) and my suggestion, users won't be able to create firewall rules at all (Server Control mode). If you use special groups for unique clients it's just not necessary.

Nevertheless, if a user creates a new firewall rule, this will be logged at the client (View Log > Client Management > System Log) and in the SEPM, too (Monitors > Logs > [Log type] System > [Log content] Client Activity). Log text is "New firewall rule has been applied."
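The log text greg12 quotes is what an admin would key on when reviewing the SEPM Client Activity log for client-side rule creation. The following Python script is an added example, not code from this thread or from Symantec: it parses a constructed CSV export of that log (column names taken from the fields listed later in the thread; the exact export layout is an assumption), counts "New firewall rule has been applied." events per computer, and flags events on any host that is not on a hypothetical allow-list of machines where a client-side rule was sanctioned.

```python
import csv
import io
from collections import Counter

# Constructed sample of a SEPM "Client Activity" system log exported as CSV.
# The column names follow the fields the thread lists (event time, event type,
# event source, domain, description, site, computer, severity); the exact
# export layout is an assumption for this example, not a real SEPM export.
SAMPLE_CLIENT_ACTIVITY_CSV = """\
Event Time,Event Type,Event Source,Domain,Description,Site,Computer,Severity
2012-11-01 09:12:03,Client,Firewall,Default,New firewall rule has been applied.,Site1,WKS-FIN-017,Information
2012-11-01 09:15:44,Client,Agent,Default,Policy updated.,Site1,WKS-FIN-017,Information
2012-11-01 10:02:10,Client,Firewall,Default,New firewall rule has been applied.,Site1,WKS-ENG-042,Information
2012-11-01 10:30:00,Client,Agent,Default,Client started.,Site1,WKS-FIN-017,Information
2012-11-01 11:47:21,Client,Firewall,Default,New firewall rule has been applied.,Site1,WKS-ENG-042,Information
"""

# Log text the thread says SEPM records when a client-side rule is added.
CLIENT_RULE_TEXT = "New firewall rule has been applied."

# Hypothetical allow-list: the one machine where an admin sanctioned a
# client-side rule (the single client the original poster wants to except).
SANCTIONED_HOSTS = {"WKS-FIN-017"}


def parse_client_activity(csv_text):
    """Parse the exported log into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def client_rule_events(rows):
    """Keep only the events that record a new client-side firewall rule."""
    return [r for r in rows if r["Description"].strip() == CLIENT_RULE_TEXT]


def rules_by_computer(rows):
    """Count client-side rule events per computer, to spot rule creep."""
    return dict(Counter(r["Computer"] for r in client_rule_events(rows)))


def unsanctioned_rule_events(rows, sanctioned=SANCTIONED_HOSTS):
    """Rule events on hosts not on the allow-list: these need admin review."""
    return [r for r in client_rule_events(rows) if r["Computer"] not in sanctioned]


def main():
    rows = parse_client_activity(SAMPLE_CLIENT_ACTIVITY_CSV)
    print("client-side rule events per computer:", rules_by_computer(rows))
    for ev in unsanctioned_rule_events(rows):
        print(f"REVIEW {ev['Event Time']} {ev['Computer']}: {ev['Description']}")


if __name__ == "__main__":
    main()
```

Run it against a real export by replacing the constructed string with the file contents; the per-computer count is the figure to watch if the rule budget of 40 discussed earlier in the thread matters, since client-side rules on a machine in Mixed Control add to whatever the SEPM policy already pushes.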

Mithun Sanghavi wrote:

Hello,

I agree with Greg's comment.

First, if I were to move all of these systems into this new group, would this have any effect on Active Directory replication as it's tied into it?

All clients would be moved to the newly created group. Here is an explanation of the priority of Group versus Organizational Unit:

The Organizational Unit structure and all of the accounts in that Organizational Unit can be imported from and synchronized with Active Directory. An Organizational Unit will be placed in the group as an element of the group just as a computer or user account. An Organizational Unit can be considered as a special type of group. Group Policy Profiles can be applied to the Organizational Unit. The name of the Organizational Unit and the computer/user account within that unit cannot be modified. The computer/user account in the Organizational Unit can be copied into only one group. (Duplicating a computer/user account is not allowed in the groups). The computer/user account may exist in a group and in an Organizational Unit at the same time. Since the group has a higher priority than the Organizational Unit, the client will use the profile of the group instead of the Organizational Unit if the computer or login user of the agent exists in both the group and the Organizational Unit.

Note: Temporary Group has lower priority than Organizational Unit. This is an exception.

Reference: http://www.symantec.com/docs/TECH102546

Second, if I were to allow the user to create their own exceptions, are there any type of logs I can reference to make sure no additional exceptions have been put into place? 

Let's say you allow the user to create their own exceptions; then you may check the System Logs >> Client Activity from the Symantec Endpoint Protection Manager.

Client Activity provides information which includes items such as event time, event type, event source, domain, description, site, computer, and severity.

Check this Article: 

About log types 

http://www.symantec.com/docs/HOWTO27271

Additionally, anything that has been added in general to the firewall exceptions.

Check these Articles:

About the Symantec Endpoint Protection firewall

http://www.symantec.com/docs/HOWTO55247

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

http://www.symantec.com/docs/TECH180569

Hope that helps!!
