Endpoint Protection

Hello All,

Well I just installed the SEP 12.1.4 client on a brand new machine and noticed the following default rules were installed as a part of NTP. I'm sure it's obvious, and I'm just overlooking it...but where do I change the default rules that get installed on a clean machine? As a side note, the rules are NOT in the firewall policy I selected when I built the installer.

Also, where on the local machine (client) are the default firewall rules stored?

Thanks for helping open my aging ol' eyes.

-Mike

This is managed and you want to view/change from the client side?

You need to set the client to Mixed mode

How to view the firewall rules on a managed SEP client.

Hi Brian,

Don't know why my screen shot is not displayed  but no, I don't want to change the rules on the client after SEP is already installed, I want the changes made before the package is created so that SEP gets installed on each client with the changes already made.

-Mike

Best I can think of is to create a group and a fw policy configured the way you want it. Than when you create the package, tick the box for "Export packages with policies from the following groups" and select that group.

I believe all policies are stored in serdef.dat file which is encrypted.

Thanks for the suggestion, but the firewall policy on the server (the one I painstakingly manage to very exact specifications from our Cyber Security folks) appears to be independent of the Default Firewall rules that are installed locally with the client.

What seems to be installed with the client are the rules in the generic "Firewall policy" that is created when the SEPM is first installed. That particular policy is only used for reference and is not applied to ANY location, and was not used to create my installer package. I hope this is making some sense.

Thanks again,

-Mike

Yea you can check those rules by setting to Mixed Mode and going to Options under NTP and select View Network Activity >> Tools >> View Firewall Rules.

With all that being said, the rules apply depending on what mode the client is in. I assume your in server mode. I know some rules are simply built-in and cannot be modified (or disabled).

I think I know what your asking I just don't think it can be done.

Were actually running in mixed mode and I can go to the client and make the changes I need without any problems...but to me it doesn't make sense to make the changes on the client after SEP is installed on many, many, many machines. What does make sense, to me, is to modify something on the SEPM so that the installer packages already contain the modifications. Which it sould like I can't do... :-(

Symantec can't seriously assume that their Default Rule set is right for every one of their customers, or do they?

Thanks again for your valuable input.

-Mike

P.S. Found this which may help me do what I need. http://www.symantec.com/docs/TECH102410