Endpoint Protection

  • 1.  SEP 12.1 firewall - default deny rule?

    Posted Jan 13, 2013 05:41 PM

    Can anyone confirm that if a firewall policy has no rules there is an implied 'default deny' action?  (v12.1 RU2)

    I was trying to use a firewall policy only for the purpose of the "automatically block an attacker's IP address" option.  But I found that my Win7 client workstation couldn't even ping the default gateway.   The firewall policy initially had no rules.  After I added a single 'allow all' rule the client workstation is functioning normally.




  • 2.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 13, 2013 05:53 PM

    If you delete or uncheck all of the rules, it will default to a Block_all rule.

    However, this doesn't block all traffic. I'm still able to send web traffic, ICMP, etc. 

    However, I cannot do things like UPnP discovery (default rule).

    So it looks like all the default rules in the policy are still enforced even if you uncheck or disable them, but they fall under a rule called Block_all.

    I found this:

    Unmanaged Symantec Endpoint Protection Client Blocks VM-Ware Internet Traffic


    Article:TECH102813  |  Created: 2007-01-05  |  Updated: 2008-01-12  |  Article URL http://www.symantec.com/docs/TECH102813

    But it points to a bug in a much older version. I just tested on 12.1.2 unmanaged.

    Is your client unmanaged?

    Seems like the workaround is to add an allow rule.

    There is definitely something in place, although it doesn't block all traffic... like the rule name would imply.



  • 3.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 12:14 AM

    Hi,

    Allow IP Traffic - This means that if any traffic doesn't match the firewall rules (either allow or deny) and this option is checked, then that particular traffic will be allowed. Sometimes we configure the firewall rules in such a way that we add only rules that allow a particular traffic and we do not add a rule at the bottom to deny traffic which doesn't match the above rules. If "Allow IP Traffic" is not checked then it will act as the bottom rule (deny all traffic) to drop all the packets except for the traffic which is generated from some applications (prompts the user to allow or block traffic from that particular application). By default this option is checked so that it does not block all traffic other than that specified in the default firewall rules immediately after installation.



  • 4.  RE: SEP 12.1 firewall - default deny rule?

    Broadcom Employee
    Posted Jan 14, 2013 12:59 AM

    Can you post the traffic logs?

    The default firewall rules explanation can be found here:

    Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

    http://www.symantec.com/business/support/index?page=content&id=TECH180569&actp=SUBSCRIPTION




  • 5.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 12:09 PM

    I should have made clear in my original post that I deleted all the firewall rules in my policy.  That's when I began to experience the default deny.  Also, I am using a managed client.

    Brian81 commented "If you delete or uncheck all of the rules, it will default to a Block_all rule".

    Any documentation from Symantec that says this is the expected behavior?


    Rafeeq - where is the "Allow IP Traffic" option? 




  • 6.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 12:19 PM

    I could not find anything just by searching the Block_all rule.

    When you create a FW policy in 12.1, rule #26 is "Block all other IP traffic and log" and it is enabled.

    After more testing...

    If I delete all my rules in the FW policy, I get this message:


    So while I couldn't find any documentation, it appears this is the default behaviour when deleting rules.

    Symantec may have something internally that they can share with you if you need a document.

    Best practice is likely to withdraw the fw policy or disable the rules you don't want to use instead of deleting them.
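    A simplified model of the first-match evaluation Rafeeq describes above (unmatched traffic decided by the "Allow IP Traffic" option) and of the delete-versus-disable distinction Brian81 makes, written as an added example for this thread; it is not SEP code and does not claim to reproduce the product's actual engine. The rule names other than rule #26, the protocol-only matching and the `allow_ip_traffic` flag are assumptions drawn from the posts.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    enabled: bool = True             # an unchecked rule is skipped during evaluation
    protocol: Optional[str] = None   # None matches any protocol (assumed simplification)
    log: bool = False

@dataclass
class FirewallPolicy:
    rules: list = field(default_factory=list)
    # "Allow IP Traffic" is checked by default, as described in post 3.
    allow_ip_traffic: bool = True

    def evaluate(self, protocol: str) -> tuple:
        """Return (action, reason) for a packet of the given protocol.
        Rules are consulted top to bottom; the first enabled rule whose protocol
        matches decides. With no enabled rules left, the policy falls back to an
        implicit Block_all, the behaviour reported in posts 2, 6 and 8.
        """
        active = [r for r in self.rules if r.enabled]
        if not active:
            return "block", "Block_all (implicit: no enabled rules)"
        for r in active:
            if r.protocol is None or r.protocol == protocol:
                return r.action, r.name
        # Nothing matched: the "Allow IP Traffic" option decides.
        if self.allow_ip_traffic:
            return "allow", "Allow IP Traffic (unmatched traffic allowed)"
        return "block", "implicit deny (Allow IP Traffic unchecked)"

# Rule #26 of the default 12.1 policy, as named in post 6.
BLOCK_ALL_OTHER = Rule("Block all other IP traffic and log", "block", log=True)

def default_like_policy() -> FirewallPolicy:
    # Constructed approximation: one allow rule above the real rule #26.
    return FirewallPolicy([Rule("Allow ICMP", "allow", protocol="icmp"), BLOCK_ALL_OTHER])

def emptied_policy() -> FirewallPolicy:
    # What the original poster did: every rule deleted.
    return FirewallPolicy([])

def disabled_instead_of_deleted() -> FirewallPolicy:
    # The alternative suggested in post 6: keep rule #26, uncheck the rest.
    return FirewallPolicy([Rule("Allow ICMP", "allow", enabled=False, protocol="icmp"), BLOCK_ALL_OTHER])
```

    The difference that matters for troubleshooting is visible in the reason string: a disabled-rule policy still blocks via the logged rule #26, whereas an emptied policy blocks through the implicit Block_all that produces no rule entry to point at.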



  • 7.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 01:20 PM

    "If "Allow IP Traffic" is not checked then it will act as the bottom rule (deny all traffic) to drop all the packets except for the traffic which is generated from some applications (prompts the user to allow or block traffic from that particular application)."

    You deleted the "deny all traffic" rule too?



  • 8.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 01:23 PM

    I deleted every rule (so it was blank) and got the above message.

    My assumption is that if all rules are deleted in the policy it will default to an undocumented(?) Deny_all type of rule.

    But I'm sure best practice will say to either withdraw the fw policy or disable the rules, not delete them.



  • 9.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 02:01 PM

    Brian81 - thanks for posting that screenshot.  I didn't pay close enough attention when I deleted all the rules but can now confirm that I get the same warning.  You are also correct that it doesn't actually block all traffic - I noticed that communication between my clients and SEP manager still worked.

    Rafeeq - I can't locate the "Allow IP Traffic" option.  Can you post a screenshot or tell me where it is located?  Thanks.



  • 10.  RE: SEP 12.1 firewall - default deny rule?

    Posted Jan 14, 2013 02:12 PM

    I don't see an Allow IP traffic rule. You may need to create one.