SEP 11 - Firewall disabled when the client can reach the server, enabled when it cannot
Updated: 21 May 2010 | 5 comments
Hi there
Is there any possibility to disable the SEP Firewall when the client can reach the SEP server and to enable it when it cannot reach the server or domain?
Thanks
Comments
You bet. Location awareness is your answer. Take a look at this for an overview of location awareness. Basically you will create a second location in the policy that either withdraws the firewall policy or sets the firewall rules to open.
https://www-secure.symantec.com/connect/articles/location-awareness-using-multiple-management-server-lists
If you want additional help with this send me a PM and I will help you through the process.
Hi
Very good thought. We do not have this option as of now, but I think the objective can be achieved.
You need to have all three components installed; however, the action can be controlled by policies.
1) We can set your default firewall policy to blank, meaning it does nothing (the same as not having NTP installed: the process would run but take no action).
2) You can set an additional location by following this document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040212410248
While configuring the condition, select the option "client can connect to management server".
Now select the second option, "client cannot connect to management server".
This will add a location.
You can set a firewall rule according to your security settings.
With this, when they are able to connect, rule 1 is applied;
when they are not able to connect, rule 2 is applied.
It would be good if you could have this idea set up under our ideas section.
Please don't forget to mark your thread solved with whatever answer helped you :) Rafeeq
Jeff Wichman is right. I would do this with location awareness.
I have also written an article about this, and you can find it here: https://www-secure.symantec.com/connect/articles/locations-based-rules-and-what-are-they-good
You might want to add a few more triggers along with "reaching the management server".
Say, adding a list of DNS servers.
So if the management server goes offline and you are still connected to the network you won't automatically flip policies, unless that is your intent.
We generally are looking for a change in network connections and validation that we are or are not on the intended network.
toko
We use a combination of WINS / DNS servers and local IP ranges to trigger the location awareness for the trusted network. It works perfectly. We do not use the SEP server as a trigger, and I cannot understand why any SEP consultant would recommend it (they have done this for us several times).