
SEP 12.1 doesn't disable Windows Firewall entirely

Created: 23 Jan 2013 | 9 comments
JFinnhult's picture

Hi

I stumbled upon this error the other week at a customer. They had problems running GPRESULT on remote machines with SEP 12.1. All their machines have NTP enabled so it was easy for them to first blame that. To my knowledge NTP doesn't deny that kind of traffic. I tried to disable NTP without result. When clicking around a bit I found that Windows Firewall seemed to be enabled although we'd disabled it through SEP policy.

According to this article this is an expected behavior and shouldn't do any harm.

Advanced Settings for Windows 7 Firewall indicate that it is on, even when Symantec Endpoint Protection (SEP) Network Threat Protection (NTP) is installed http://www.symantec.com/docs/TECH123729

According to me this is exactly what's creating my problem!

When I disable Windows Firewall through the Advanced Firewall Settings I suddenly can do all sorts of GPRESULT on remote machines. Please note that we have made the settings in SEP Firewall Policy to Always Disable Windows Firewall.

This is what the "standard" Firewall Status originally shows

This is what the Windows Firewall with Advanced Security shows

Now I click on Windows Firewall Properties to really turn off Windows Firewall (this is easier done on larger scale through GPO)

This is how you'd want the Windows Firewall with Advanced Security to look like

Happy GPRESULT'ing!


.Brian's picture

You should open a case with Symantec on this.

You may be surprised to find this could be blocked.

What I would do is create a rule called Deny_All but set the traffic to Allow. Then move it to the bottom of the rule set. Run gpresult and monitor your log to see what is going on.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

- Do you have any windows group policy specifying that the windows firewall should be on?

- please check in firewall policy on SEPM - what option is selected for disabling the windows firewall:

http://www.symantec.com/docs/HOWTO55336

...default option here is "disable once only" - so in case machine gets rebooted and any GPO Policy comes in that reenables the firewall - SEP won't be forcing on disabling it again.

JFinnhult's picture

SebastianZ: As I wrote in my first post we have a SEP Firewall Policy set to Always Disable Windows Firewall. I understand that a GPO could re-enable the Windows Firewall every cycle of GPUpdate if having that setting. But this behavior is also true for a workgroup-computer without GPO.

Brian81: What do you mean by "You may be surprised to find this could be blocked"? The SEP Firewall in its standard setting evidently does not block this traffic, it's the Windows Firewall...

SebastianZ's picture

Do you see this problem only on Windows 7?

What is the exact version of 12.1 clients?

JFinnhult's picture

I have only seen this on Windows 7, haven't tested it on XP/Vista.

The customer runs SEP 12.1 RU1 and applies policies in Server Mode. I managed to replicate the behavior on SEP 12.1 RU2 running policies in Mixed Mode. So neither version nor policy mode seems to have an impact.

SebastianZ's picture

Did some documentation digging - the article TECH123729 is right on one point = this is default and expected behaviour for 12.1 in Windows 7 and above - the reason for it is that Windows Firewall with Advanced Security does include the IPSec component - if you disable the Windows Firewall you are disabling IPSec as well - SEP is then not disabling the Firewall completely but only taking it over and leaving IPSec "on" and working.

I remember there were some complaints on another 3rd-party firewall software forum that their firewall disabled Windows Firewall completely and with this the IPSec rules were not working any more. The current design in SEP prevents that from occurring.

Is it possible then that the IPSec rules have some impact on the GPResult functionality in your case?

JFinnhult's picture

I really can't say, but it's an interesting angle to investigate. This might be an issue to consider before proceeding with my "work-around"!

---
Thanks for your effort SebastianZ

ArvindSindhu's picture

We are facing exactly the same issue, & on policy we have set SEP to Disable windows firewall every time. So under profiles in windows firewall everything is disabled, but Windows firewall service is running. So we are trying to push SCCM 2012 client on these machines, but it is failing because of this, but if I manually disable the windows firewall, it works well, so SEP is not actually disabling windows firewall. Pls suggest a workaround.

Thanks,

Arvind Sindhu

SA – Enterprise Infrastructure Services| Sapient Consulting Pvt. Ltd.

e-mail: asindhu@sapient.com

JFinnhult's picture

Have you tried to turn off Windows Firewall with Advanced Security through GPO? Don't stop the service, I think the service has to be turned on.

You find the setting here: Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Windows Firewall Properties. Change Domain Profile, Private Profile and Public Profile to Off.
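
The thread distinguishes the Windows Firewall service, which stays running, from the per-profile state shown in Windows Firewall with Advanced Security. As an added example that is not part of any post above, the following PowerShell script reports both so the state can be verified on a client before and after a policy change. It assumes English-locale `netsh` output; the function name and the embedded sample are constructed for illustration.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (Windows 7) and later.
# Get-ProfileStateFromNetsh is a hypothetical helper name.
function Get-ProfileStateFromNetsh {
    param([string[]]$Lines)
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            # Remember which profile block we are inside
            $name = $Matches[1]
        }
        elseif ($name -and $line -match '^State\s+(ON|OFF)\s*$') {
            New-Object PSObject -Property @{ Profile = $name; State = $Matches[1].ToUpper() }
            $name = $null
        }
    }
}

# Constructed sample of English-locale output from:
#   netsh advfirewall show allprofiles state
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Ok.
'@ -split "`r?`n"

# Use live data on a Windows host; fall back to the constructed sample elsewhere.
if (Get-Command netsh.exe -ErrorAction SilentlyContinue) {
    $lines   = netsh.exe advfirewall show allprofiles state
    $service = (Get-Service -Name MpsSvc).Status   # MpsSvc = Windows Firewall service
} else {
    $lines   = $sample
    $service = 'Running (constructed)'
}

$states = @(Get-ProfileStateFromNetsh -Lines $lines)
"Windows Firewall service (MpsSvc): $service"
$states | Format-Table Profile, State -AutoSize

# List the profiles where Windows Firewall is still filtering traffic
$on = @($states | Where-Object { $_.State -eq 'ON' })
if ($on.Count -gt 0) {
    "Still filtering on: " + (($on | ForEach-Object { $_.Profile }) -join ', ')
}
```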