SEP 12.1.2 and Windows Firewall issue

Created: 27 Nov 2012 | 19 comments

Hi Everyone,

I'm currently running SEP12.1.1 in my Production Environment and Dev Env as well. In my DEV environment, I upgraded (with no issues) to SEP12.1.2.

I pushed out the upgrade package to my test machines (Win XP SP3 32bit and Win7 32bit) with everything enabled except the SEP firewall and Application and Device control, exactly what was on them before. We disable the local SEP firewall and use the MS Firewall for GPO purposes. However, after I installed (upgraded from 12.1.1) 12.1.2 on the 2 different machines the Windows Firewall did not re-enable at all, even after reboot. :(  - new Bug I think.

It worked perfectly on SEP12.1.1 after upgrading from SEP12.1.0. 

Now I have a dilemma, whether or not to push this version out to the Client machines here. (1500+). I don't control the Server GPOs nor the Desktop/Laptop machines.

Any suggestions? Because you have to manually re-enable the Windows Firewall on each client. FYI - it stays enabled after each reboot, so re-enabling it once after installation seems to be fine. Just a PITA. :(

Thanks,

Whip
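
The check below is an added example, not code from the thread or from Symantec: it reports whether Windows Firewall is on for each profile after a client upgrade and, with `-Fix`, re-enables it. It assumes the locally stored `EnableFirewall` registry values and the firewall service state reflect what the posters saw in Control Panel; the `-Fix` switch is a hypothetical name.

```powershell
# Added example, not from the thread. Audits Windows Firewall after a SEP client
# upgrade on XP SP3 / Windows 7 (PowerShell 2.0 compatible). Run elevated for -Fix.
param([switch]$Fix)

# Locally stored per-profile state; a GPO-enforced setting is stored separately,
# so treat this as the local view (assumption stated in the lead-in).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$isXP = [Environment]::OSVersion.Version.Major -lt 6

# XP has Domain and Standard profiles; Vista and later add Public.
$profiles = @('DomainProfile', 'StandardProfile')
if (-not $isXP) { $profiles += 'PublicProfile' }

# The firewall service is SharedAccess on XP and MpsSvc on Vista and later.
$svcName = 'MpsSvc'
if ($isXP) { $svcName = 'SharedAccess' }
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
$svcStatus = 'Missing'
if ($svc) { $svcStatus = $svc.Status.ToString() }

$report = foreach ($p in $profiles) {
    $item = Get-ItemProperty -Path "$base\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Profile  = $p
        Enabled  = ($item -ne $null -and $item.EnableFirewall -eq 1)
        Service  = $svcStatus
    }
}
$report | Select-Object Computer, Profile, Enabled, Service | Format-Table -AutoSize

# A profile counts as a problem if it is off or the firewall service is not running.
$bad = @($report | Where-Object { -not $_.Enabled -or $_.Service -ne 'Running' })
if ($bad.Count -eq 0) { Write-Output 'Windows Firewall is on for all profiles.'; exit 0 }

if ($Fix) {
    # Same action as re-enabling the firewall by hand on the client.
    if ($isXP) { & netsh firewall set opmode mode=ENABLE } else { & netsh advfirewall set allprofiles state on }
    exit $LASTEXITCODE
}
exit 1   # non-zero so a deployment tool can flag the client for follow-up
```

Running it before and after the upgrade on a test machine shows whether the installer changed the firewall state, without relying on what Action Center displays.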


Rafeeq's picture

same issue here

https://www-secure.symantec.com/connect/forums/121-ru2-disabling-windows-firewall

User has opened up a ticket, let's wait for an update.

Subscribe to this post, hopefully should be resolved soon.

.Brian's picture

You can open a ticket as well. Similar thread today, as Rafeeq mentioned.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Leo Young's picture

How do you create the upgrade package?

A: an upgrade package with policies firewall, app and device control disabled.

B: an upgrade package without firewall, app and device control components.

If it has been checked to be a bug using method A, I suggest you use method B; maybe it would be a workaround. Though I haven't done any testing, I think if your upgrade package is without the firewall component, it will make no change to Windows Firewall.

whipster77's picture

I did "A and B" and it has been working fine with 12.1.0, 12.1 and 12.1.1.  However, they changed something in 12.1.2 that disables Windows Firewall.

Being able to use the Windows Firewall was a BIG deal with 12.1 because it worked properly, unlike in SEP11. There were a lot of calls and complaints from what I understand with regards to this problem - being able to use the Windows Firewall due to GPO concerns.

Mithun Sanghavi's picture

Hello,

As a Best practice recommendation it is always advised to use only one software Firewall on a computer. Two software Firewalls running on a computer might drain resources, and both software Firewalls might have rules that might conflict with each other. Enabling more than one Firewall program is likely to result in conflicts and poor performance.

To prevent the above situation Symantec Endpoint Protection (SEP) installer automatically detects and disables Windows Firewall if enabled. Exception to this would be that if SEP is installed without Network Threat Protection (NTP) active Windows Firewall will not be disabled.

Reference: 

Best Practices for using Windows Firewall with Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/TECH196975

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

whipster77's picture

From what I understood from my Symantec Rep Engineer a year ago was that in SEP12.1 they were able to separate the NTP and FW protection modules so they could run without each other -and they did since 12.1, until now. :(   

Why?

Tony K.'s picture

NTP - Network Threat Protection is best described as a "Master Feature Set" (no this isn't official, but it makes it much easier to work with)

NTP consists of two plugins/components - Firewall and Intrusion Prevention System (IPS) - in previous versions (11.x, I am not sure about 12.0 - which was a Small Business Edition version) NTP was an 'all or nothing' feature set, meaning you could not have IPS without firewall and vice versa. In 12.1.x NTP has customizable options where you can choose whether to use it or not - and as far as it goes, it is still that way.

However IPS and Firewall do share common drivers and they still interact with your network stack, just the routines are much different. However, I hope that does clarify a bit.

ragenkagen's picture

What is the Firewall policy setting for windows integration for the group(s) containing clients that have experienced this issue?  I think the default setting is to disable once only.

whipster77's picture

Hmm... I think the default was No Action? I have that Set to Restore If Disabled in the Windows Integration - even though the Firewall Policy is not enabled for those Groups. Also, the SEP12.1.2 Package does not have the SEP Firewall feature checked.

Mithun Sanghavi's picture

Hello,

I would like to have a look at this issue.

Could you please create a Case with Symantec Technical Support online by following the steps provided in the Articles below:

How to Create and Validate a MySymantec (previously MySupport) Account

How to create a new case in MySymantec (formerly MySupport)

OR

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Once you have the Case created, please PM me your Case number so that I could look into this immediately.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ragenkagen's picture

Interesting.  We do not use the SEP firewall on any machines and have made no changes to the default policy and ours has the Disable once setting.  

Have you created a support ticket?

whipster77's picture

I could check that out and try it this week. Must find another test machine...

And you upgraded from 12.1.1 to 12.1.2 with all of the SEP modules enabled, except the Firewall, right?

Thanks.

A. Wesker's picture

Interesting issue.

I'm currently working on something very similar recently on Windows 7 (all platform and edition).

I was trying to perform different tests and scenario with SEP package without NTP feature (No IPS No Firewall) as it's clearly not fair and recommended to use NTP if you wish to use Windows Firewall, it will just make the end users completely pissed off and anyway Windows Firewall is designed itself to be turned off or deactivated if you install another Firewall software.

Scenario which can be reproduced very easily so far with custom package AV/AS + PTP only.

Upgrade from any SEP 11.X to SEP 12.1 RU2

Results:

=> Windows Firewall turned off during upgrade and even after the reboot required from the upgrade indeed.

If you turned on the Windows Firewall after that upgrade to 12.1 RU2 and upgrade with same type of package (AV/AS + PTP only) from SEP 12.1 RU2 to SEP 12.1 RU2 MP1

Results:

=> Windows Firewall turned off during upgrade. However it's back turned on after the reboot required from the upgrade so apparently fixed with this type of scenario with 12.1 RU2 MP1.

Action Center mentions MS Firewall is off but if you go to Control Panel/System and Security and you check the MS Firewall State, it's already "on".

There is a Fix ID about it anyway available on our official release notes of SEP 12.1 RU2 MP1.

Installing any Symantec Endpoint Protection package without the firewall disables Windows Firewall
 
Fix ID: 3063585
 
Symptom:  After installing Symantec Endpoint Protection with a configuration that installs only Virus and Spyware or Proactive Threat Protection, the application still disables the Windows Firewall.
Solution: Updated the installer conditions to properly recognize previously stored Windows Firewall states and the install or removal of Symantec Endpoint Protection firewall components.
 
Link to the complete release notes of SEP 12.1 RU2 MP1
 
 
 
Kind Regards,
 
A. Wesker

A. Wesker's picture

Hi,

Just an update.

Please note there is as well another Fix planned in 12.1 RU3 very similar and related to this type of issue between MS FW and SEP AV/AS.

It's the next RU on the way so NDA but it will be released soon.

Kind Regards,

A. Wesker

Riya31's picture

It's a bug in 12 that got resolved in 12 RU2 MP1

Installing any Symantec Endpoint Protection package without the firewall disables Windows Firewall
Fix ID: 3063585
Symptom:  After installing Symantec Endpoint Protection with a configuration that installs only Virus and Spyware or Proactive Threat Protection, the application still disables the Windows Firewall.
Solution: Updated the installer conditions to properly recognize previously stored Windows Firewall states and the install or removal of Symantec Endpoint Protection firewall components.
 
 
A. Wesker's picture

Hi,

Yes Riyah fixed on RU2 MP1, however in some situations for Windows 7 client x64 for example, the action center of Windows might persist to say the Windows Firewall is not turned on.

And all the known workarounds may not work unless you uninstall SEP and perform a fresh install of SEP 12.1 RU2 MP1, which is not an acceptable solution if customers and users have plenty of managed machines.

And there is another fix related to this issue planned on SEP 12.1 RU3.

I recently tested it myself cause I had a customer who has this issue persisting in RU2 MP1 and it's permanently fixed in RU3.

I tested the beta version and I can confirm it as I was able to reproduce this issue and solved it with the beta of RU3.

A beta of SEP 12.1 RU3 is available since end of March for our customers if needed awaiting the time being for the final release this year (NDA).

Kind Regards,

A. Wesker

SameerU's picture

Hi

Do you have the policy for "Protect files from Registry"?

Regards

Tony K.'s picture

Out of curiosity, when you were upgrading these clients - if you look into the firewall policy there are some options for the Windows Firewall (in the Windows Integration tab) should SEP ever be uninstalled or the Firewall component be uninstalled -

I am curious to what those options are set to - I understand that running two software firewalls is not a good idea (never ever), however if you are not utilizing the SEP firewall, perhaps changing the option for "Disable Windows Firewall" to "Restore if Disabled" and then upgrade a client.

I am wondering if there is possibly something not correctly being read or shouldn't be read during feature modify/upgrade

When upgrading clients through the manager or created install packages - by default, part of the installation options is to maintain previous logs, policies, and client-server communications settings.

Technically this is a firewall policy, even though the SEP firewall is not enabled, this is an application/feature level policy - so I am not sure how is it reacting here.

Needless to say - this is why I never recommend that you withdraw a policy type from a policy group (it was common for admins to withdraw firewall policy to groups because they don't want to use firewall). If you are not utilizing a feature, such as firewall, create a blank set, and place an allow all rule and assign that to the groups that are not using our firewall - this will also be a curse as well, if a client happens to have that component installed - their firewall will be in an open state - either you can create a custom feature set from the SEPM and force all users to have the same install set or visit that individual workstation and change the feature set there...

But I am really wondering what that policy was set to previously, then when the upgrade was applied, during MSI (windows installer), read that policy state, and dropped the Windows Firewall -- I could be wrong but it may be worth looking into

PatrikMalmenklev's picture

Isn't there something called "passthrough mode" here? I know there was in SEP11.

It allowed SEP11 with all modules to be installed, but to let Windows FW still run.

Still in SEP12.1 or removed?