Endpoint Protection

  • 1.  SEP Disabling Windows Firewall

    Posted Jun 11, 2009 10:44 AM
    I'm having an issue where installing the SEP client on a machine will disable the Windows firewall.  In the management console's AV policy, there are a couple options that sort of relate to the Windows firewall, and here is how I have them configured.  "Disable Windows Security Center" - set to Never.  "Display anti-virus alerts within the Windows Security center" - set to Disable.  I'm not sure the notification option has anything to do with disabling the Windows firewall, but I was thinking that by disabling the Windows Security Center, it might go ahead and disable the Windows firewall, but as I said, I have that set to not touch it.

    I'm not excluding the SEP firewall from installation in case I decide I need the functionality for something specific in the future.

    Here's exactly what's happening on an XPSP3 system:
    • After installation, the Windows firewall window in the control panel is set to Off
    • The Windows Firewall service is still set to automatic and is running.  A restart does not change either of those scenarios.
    • The Windows firewall is not actually blocking any traffic even though the service is running
    • If I restart the Windows firewall service, it starts blocking traffic again and seems to be functioning properly
    At first glance, this may sound like a problem with the OS, which is what I thought when I ran across this.  However, I have had someone image 10 machines and the results are consistent across the board.  I have also had 10 machines imaged with SAV and this didn't happen, so it's something with the SEP installation.  Question - Is the SEP client installer meant to disable the Windows firewall or is there a setting somewhere in the management console that I'm missing?


    Thanks in advance for your comments


  • 2.  RE: SEP Disabling Windows Firewall
    Best Answer

    Posted Jun 11, 2009 10:49 AM
    When you deploy SEP on a computer it does disable Windows Firewall at the time of installation. Since SEP is installing the firewall, in order to have just one firewall running at a time, SEP disables the Windows firewall.
    However, if you really want both to be enabled at the same time, which I would not suggest, then enable Windows Firewall via Group Policy.
    SEP only checks the status of the firewall at the time of installation. So once the user logs off or restarts, GPO will re-enable the firewall and SEP will not check the status of the firewall again, as it checks only once at the time of install.


  • 3.  RE: SEP Disabling Windows Firewall

    Posted Jun 11, 2009 10:50 AM
    If you deploy the firewall as part of the package it WILL disable Windows Firewall.  You would have to restart the service as part of some sort of deployment script.

    If you don't have plans on currently using the firewall, I wonder what the use is in deploying it.  Realize that the ENTIRE SEP package gets deployed (and cached) to the client when you push the package anyways.  Even when you don't select certain components, they still get pushed but don't get installed.  These components are still locally cached.

    If you do this, then later decide to install the firewall, you can simply create an installation package, apply it to the group the computers belong to, and it will re-run the locally installed package and this time install whatever components you have told it to.

    Better solution in my mind.  Having the firewall installed but with no policy can lead to issues down the road and is another area for issues to arise (as it will bind to the NIC).


  • 4.  RE: SEP Disabling Windows Firewall

    Posted Jun 11, 2009 10:57 AM
    The Windows firewall is MS's attempt at security. It's flaky and not as simple to centrally manage.
    If you want a firewall, I strongly suggest you let SEP's firewall work.
    We found the Windows firewall to be problematic at best, and at times, not even secure.
    When SP2 came out, the first thing we did was disable the firewall via GPO.
    We use SEP's firewall, it's much better, is centrally managed, can be changed with ease and is far more secure.
    Never run two firewalls at the same time. Bad things can happen - choose from this list things I've seen when two were active: 
    1. strange things - certain network functionality works one day, not the next,
    2. things blocked you don't want blocked
    3. things allowed you don't want allowed


  • 5.  RE: SEP Disabling Windows Firewall

    Posted Jun 11, 2009 11:22 AM
    Makes perfect sense.  I thought that SEP's firewall would sit dormant if there were no policies enabled and I wasn't using it.  Sounds like that isn't the case.  I will re-think this one.

    I wonder though, why it sets the Windows firewall to off in the control panel GUI, but leaves the service as running and set to automatic.  Makes it a bit confusing.