
SEP Firewall not blocking all ports

Created: 17 Apr 2013 • Updated: 18 Apr 2013 | 11 comments
This issue has been solved.

I'm trying to block all incoming traffic with SEP11 firewall rules; I modified my rules and applied them to a test group, but there are a handful of ports that are not getting blocked.

I set my firewall rule as follows:

all outbound traffic / 5-major / service - local 1-65535 outgoing tcp and udp / action - allow

rdp / 5 -major / service - local 3389 tcp / action allow

all inbound traffic / 5-major / service - local 1-65535 incoming tcp and udp / action- block

I checked and verified that the client is in the test group and has the new policy serial number. I can see traffic being blocked by my rule, but I am still able to browse the computer from the network. I used nmap to scan for open ports and the following ports are open: 135, 139, 445, 2701, 3389, 5357, 22201, 49152-49155 and 53388.

Any ideas on what I'm overlooking?


.Brian:

Did you move those rules to the top? 135, 139, 445 are all related to local file sharing, for which there is a default rule that allows it.

This article may be of some help as well

How to view the firewall rules on a managed SEP client.

Article:TECH104877  |  Created: 2008-01-07  |  Updated: 2012-04-24  |  Article URL http://www.symantec.com/docs/TECH104877


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

zutroy:

My top 3 rules are allow all tcp/udp outbound traffic, allow rdp, block all tcp/udp incoming traffic, and they are above the blue line. The default local file sharing rule was disabled, I even went ahead and deleted it.

I enabled mixed control and I can see some user created firewall rules on the client, including windows network settings which is allowing file printer sharing. How can I get rid of those user created rules from sepm?

.Brian:

RDP will be allowed then. For the others, there may be a built-in rule that takes precedence.

You can't. Rules created by the user cannot be managed from the SEPM. The SEPM has no visibility of these. You would need to leave the client in Server mode.

About the firewall rule, firewall setting, and intrusion prevention processing order

Article:HOWTO81187  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81187


SOLUTION
zutroy:

Is there a way to see or modify these built in rules?

.Brian:

In the firewall policy there is a "Built-In Rules" tab which lets you do some configuration, but this is the only place you can modify them. In the article I posted, it shows you how to view the rules, but that is it as far as I know.


zutroy:

I do not see a built-in rules tab in the firewall policy. I did find that we have Intrusion Prevention enabled with excluded hosts, which covered our entire network. Once I disabled excluded hosts, file and print sharing are now blocked.

.Brian:

This may not be available in SEPM 11.x but I think you've found out a few more options that you can tinker with to get what you need.


zutroy:

We will probably be moving to SEPM 12 sometime this year, so I'll look out for it then. I think I have what I need now, thanks for the insight.


SMLatCST:

I don't believe the user-defined rules are the issue here, as anything you create above the blue line will take precedence over any user-defined rules:

http://www.symantec.com/docs/HOWTO81232

#EDIT#

BTW, have you tested the default "Block all other IP traffic and Log" and "Block all other traffic and don't log" rules by moving/copying them up above the blue line? Oh, and "Thumbs Up" to Brian :)

zutroy:

I tried moving those block rules above the blue line; it did not seem to have any effect. Does that blue line only come into play if I'm using mixed control?

.Brian:

Taken from this KB article, but the blue line applies more to SEPM admins and their control over firewall rules:

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Article:TECH169904  |  Created: 2011-09-20  |  Updated: 2013-02-26  |  Article URL http://www.symantec.com/docs/TECH169904


The firewall rule set contains a blue dividing line:
System administrators with full access control can modify the highest priority rules that are placed above the blue line.
Clients who are in mixed control can sometimes modify the lesser priority rules that are placed below the blue line.

Control Type
Rules are categorized as server rules or client rules: Server rules are created on the management server and downloaded to the client. Client rules are the rules that a user creates on a client.
The following shows the relationship between the client user’s control level and the user’s interaction regarding firewall rules:

  • In Server Control the client receives server rules, but the user cannot view them. The user cannot create client rules.
  • In Mixed Control, the client receives server rules and the user can view those rules in the Firewall Rules dialog box. The user can also create rules that are merged with existing rules. However, client rules go below the blue line and have a lesser priority.
  • In Client Control, the client has full control. A best practice is to use caution when giving your users mixed or client control.

For clients in mixed control, the firewall processes server rules and client rules in a particular order. Server rules with high priority levels are processed first. Client rules are processed second, and server rules with a lower priority are processed last.
Use caution when setting a client to mixed control, because the user can create a client rule that allows all traffic, and this rule overrides all server rules below the blue line.

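The processing order quoted above (server rules above the blue line, then client rules, then server rules below the line) is easy to get wrong when reasoning about why a port stays open, so here is a small simulation of it. This is an added example written for this page; it is not Symantec code and does not reproduce SEP's real rule format. It assumes first-match evaluation, a default of "allow" when nothing matches, and that the original poster's "rdp" rule applies to inbound TCP 3389; the rule and packet types are constructed for the example. It models only the ordered rule list, so built-in rules and the Intrusion Prevention excluded-hosts setting that turned out to be the actual cause in this thread are outside what it can show.

```python
from dataclasses import dataclass

# Constructed model of a SEP-style firewall rule; field names are this example's own.
@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in", "out", or "any"
    protocols: frozenset  # subset of {"tcp", "udp"}
    ports: range          # local port range the rule's service covers
    action: str           # "allow" or "block"
    origin: str           # "server_above" (above the blue line), "client", "server_below"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    local_port: int

# Order the white-paper excerpt describes for a mixed-control client.
ORIGIN_ORDER = {"server_above": 0, "client": 1, "server_below": 2}

TCP_UDP = frozenset({"tcp", "udp"})
ALL_PORTS = range(1, 65536)

def effective_order(rules):
    """Server rules above the blue line first, then client rules, then server
    rules below the line. The sort is stable, so the admin's listed order is
    preserved inside each group."""
    return sorted(rules, key=lambda r: ORIGIN_ORDER[r.origin])

def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction)
            and pkt.protocol in rule.protocols
            and pkt.local_port in rule.ports)

def evaluate(rules, pkt, default="allow"):
    """First matching rule wins; returns (action, rule name)."""
    for rule in effective_order(rules):
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "<no match>"

# The three rules from the original question, all placed above the blue line.
# Assumption: the "rdp" rule is meant for inbound TCP 3389.
OP_RULES = [
    Rule("all outbound traffic", "out", TCP_UDP, ALL_PORTS, "allow", "server_above"),
    Rule("rdp", "in", frozenset({"tcp"}), range(3389, 3390), "allow", "server_above"),
    Rule("all inbound traffic", "in", TCP_UDP, ALL_PORTS, "block", "server_above"),
]

def op_ruleset_decisions():
    """Inbound SMB (445) should be blocked by the third rule; RDP hits the second."""
    smb = Packet("in", "tcp", 445)
    rdp = Packet("in", "tcp", 3389)
    return evaluate(OP_RULES, smb), evaluate(OP_RULES, rdp)

def mixed_control_scenario():
    """A mixed-control user adds an 'allow all' client rule. It outranks a server
    block rule placed below the blue line, but not one placed above it."""
    client_allow_all = Rule("user allow all", "any", TCP_UDP, ALL_PORTS, "allow", "client")
    smb = Packet("in", "tcp", 445)
    # Case A: the admin left the catch-all block rule below the blue line.
    below = Rule("block all other IP traffic", "any", TCP_UDP, ALL_PORTS, "block", "server_below")
    weak = evaluate([below, client_allow_all], smb)
    # Case B: the admin moved an inbound block rule above the blue line.
    above = Rule("block all inbound", "in", TCP_UDP, ALL_PORTS, "block", "server_above")
    strong = evaluate([above, client_allow_all], smb)
    return weak, strong

if __name__ == "__main__":
    print("OP rule set:", op_ruleset_decisions())
    print("mixed control (block below line, block above line):", mixed_control_scenario())
```

Running it shows the OP's rule list, taken on its own, does block inbound 445 while allowing 3389; when a rule list like that still leaves ports reachable, the cause lies in something evaluated before or outside the admin rules, which is the direction the thread ended up taking. The second function is the "allow all" case the white paper warns about: the same client rule is harmless against a server block rule above the line and decisive against one below it.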