Endpoint Protection

  • 1.  SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 08:14 AM

    Hi

    I stumbled upon this error the other week at a customer. They had problems running GPRESULT on remote machines with SEP 12.1. All their machines have NTP enabled so it was easy for them to first blame that. To my knowledge NTP doesn't deny that kind of traffic. I tried to disable NTP without result. When clicking around a bit I found that Windows Firewall seemed to be enabled although we'd disabled it through SEP policy.

    According to this article this is an expected behavior and shouldn't do any harm.

    Advanced Settings for Windows 7 Firewall indicate that it is on, even when Symantec Endpoint Protection (SEP) Network Threat Protection (NTP) is installed http://www.symantec.com/docs/TECH123729

    According to me this is exactly what's creating my problem!

    When I disable Windows Firewall through the Advanced Firewall Settings I suddenly can do all sorts of GPRESULT on remote machines. Please note that we have made the settings in SEP Firewall Policy to Always Disable Windows Firewall.

     

    This is what the "standard" Firewall Status originally shows

    This is what the Windows Firewall with Advanced Security shows

    Now I click on Windows Firewall Properties to really turn off Windows Firewall (this is easier done on larger scale through GPO)

    This is how you'd want the Windows Firewall with Advanced Security to look like

     

    Happy GPRESULT'ing!



  • 2.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 08:22 AM

    You should open a case with Symantec on this.

    You may be surprised to find this could be blocked.

    What I would do is create a rule called Deny_All but set the traffic to Allow. Then move it to the bottom of the rule set. Run gpresult and monitor your log to see what is going on.



  • 3.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 08:32 AM

    - Do you have any Windows group policy specifying that the Windows Firewall should be on?

    - Please check in the firewall policy on SEPM which option is selected for disabling the Windows Firewall:

    http://www.symantec.com/docs/HOWTO55336

    ...default option here is "disable once only" - so in case machine gets rebooted and any GPO Policy comes in that reenables the firewall - SEP won't be forcing on disabling it again.



  • 4.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 09:06 AM
    SebastianZ: As I wrote in my first post we have a SEP Firewall Policy set to Always Disable Windows Firewall. I understand that a GPO could re-enable the Windows Firewall every cycle of GPUpdate if having that setting. But this behavior is also true for a workgroup-computer without GPO.

    Brian81: What do you mean by "You may be surprised to find this could be blocked"? The SEP Firewall in its standard setting evidently does not block this traffic, it's the Windows Firewall...


  • 5.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 09:21 AM

    Do you see this problem only on Windows 7?

    What is the exact version of 12.1 clients?



  • 6.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 09:38 AM
    I have only seen this on Windows 7, haven't tested it on XP/Vista. The customer runs SEP 12.1 RU1 and applies policies in Server Mode. I managed to replicate the behavior on SEP 12.1 RU2 running policies in Mixed Mode. So neither version nor policy-mode seems to impact.


  • 7.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 10:36 AM

    Did some documentation digging - the article TECH123729 is right on one point = this is default and expected behaviour for 12.1 in Windows 7 and above - the reason for it is that Windows Firewall with Advanced Security does include the IPSec component - if you disable the Windows Firewall you are disabling IPSec as well - SEP is then not disabling the Firewall completely but only taking it over and leaving IPSec "on" and working.

     

    I remember there were some complaints on other 3rd party firewall software forums that their firewall disabled Windows Firewall completely and with this the IPSec rules were not working any more. The current design in SEP prevents that from occurring.

     

    Is it possible then that the IPSec rules have some impact on the GPResult functionality in your case?

     



  • 8.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 23, 2013 10:56 AM
    I really can't say, but it's an interesting angle to investigate. This might be an issue to consider before proceeding with my "work-around"! --- Thanks for your effort SebastianZ


  • 9.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 24, 2013 09:39 AM
    We are facing exactly the same issue, & on policy we have set SEP to Disable windows firewall every time. So under profiles in Windows Firewall everything is disabled, but the Windows Firewall service is running. So we are trying to push SCCM 2012 client on these machines, but it is failing because of this, but if I manually disable the Windows Firewall, it goes well, so SEP is not actually disabling Windows Firewall. Please suggest a workaround.


  • 10.  RE: SEP 12.1 don't disable Windows Firewall entirely

    Posted Jan 25, 2013 04:12 AM

    Have you tried to turn off Windows Firewall with Advanced Security through GPO? Don't stop the service, I think the service has to be turned on.

    You find the setting here: Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Windows Firewall Properties. Change Domain Profile, Private Profile and Public Profile to Off.
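
Added example, not part of any post in this thread: a read-only PowerShell audit showing, per profile, whether the Windows Firewall on/off state comes from local settings or from a GPO, and whether the firewall service is running. It assumes the standard Windows registry locations for local and policy-delivered firewall settings and the service name `MpsSvc`; it changes nothing.

```powershell
# Read-only audit: which layer decides the Windows Firewall state per profile?
# Assumed registry locations (standard Windows paths, not taken from the thread):
$localRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$gpoRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# The "Private" profile is stored under the key name StandardProfile.
$profiles = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

function Get-EnableFirewall([string]$Path) {
    # Returns 1 (on), 0 (off) or $null when the value is not configured at this layer.
    $p = Get-ItemProperty -Path $Path -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($p) { [int]$p.EnableFirewall } else { $null }
}

$report = foreach ($name in 'Domain', 'Private', 'Public') {
    $local = Get-EnableFirewall (Join-Path $localRoot $profiles[$name])
    $gpo   = Get-EnableFirewall (Join-Path $gpoRoot   $profiles[$name])

    # A value delivered by Group Policy overrides the local setting.
    if ($null -ne $gpo) { $effective = $gpo; $source = 'GPO' }
    else                { $effective = $local; $source = 'Local' }

    New-Object PSObject -Property @{
        Profile   = $name
        Local     = $local
        GPO       = $gpo
        Effective = $(if ($effective -eq 1) { 'On' } elseif ($effective -eq 0) { 'Off' } else { 'Not set' })
        Source    = $source
    }
}
$report | Select-Object Profile, Local, GPO, Effective, Source | Format-Table -AutoSize

# The service normally stays running even when every profile is Off (see posts 9 and 10).
Get-Service -Name MpsSvc | Select-Object Name, Status

# Live state as the firewall itself reports it, for comparison with the registry view.
netsh advfirewall show allprofiles state
```

A profile that reports `On` with source `GPO` points at a domain policy re-enabling the firewall; `On` with source `Local` while the SEP policy is set to disable it matches the behaviour described in the first post.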