Endpoint Protection

  • 1.  SEP Manager Firewall Policies

    Posted Aug 27, 2013 03:53 PM

    I'm looking for information on how FW policies work in SEP Manager.  

    I made a copy of the default policy, added a rule to whitelist a server so we could do some vulnerability scans from that system and then enabled the new policy.  We had an issue with a client not being able to talk to a server, it appears because the Windows Firewall on the server became active.

    I withdrew the SEP policy and now it appears that no policy is active.

    And it also appears as a result that no clients are getting AV updates, probably because the Windows FW is now also active on the SEPManager server.

    From investigations, it looks as though the Windows FW is active on system reboots and then at some point the SEP client FW takes over when it loads.  This is based on reviewing pfirewall.logs from the Windows firewall and matching up activity with server reboots on a couple of systems.  

    Questions:
    1.  How does the SEP client take over the Windows FW?  So far, I've only been able to find out that on install, it disables the Windows FW, but if you had a group policy to run the Windows FW, they would both be active.

    2. Is there a method in SEP policies or somewhere else to let the Windows FW run until SEP client loads and then have the SEP client always take over?

    3. Does it make sense that when a new SEP policy is pushed, the SEP FW would stop and start and that might be why the Windows FW became active?

    4.  In unmanaged clients, I see a notice on the Windows FW that it is being managed by vendor application Symantec Endpoint Protection, but I don't see that same message on managed clients.  Should it be there?  (Could be timing of when they were examined and having the policy withdrawn)

    5. Is it possible to have cumulative policies or can only one policy be active?  I.e., could you have a base policy and then individual policies with a handful of rules applied to lower level groups?

    6. I applied the policy at the top level "My Company" level and then withdrew it, so I suspect that I need to just reapply the default policy back at that level but am leery to do that without more research.  I noticed in the policies section that most policies have a use count of 3.  I'm guessing that is a group count - My Company, Default Group, and then the one we created?

    Sorry for all the questions,  someone else set this up with just a base config, so I'm trying to read through the 618 pg administrators guide and understand how to manage these policies quickly so we can get some scanning done.
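
The log-to-reboot matching described in the post above, as an added example that is not part of the original thread. It assumes Windows Firewall logging is enabled and that reboot times are supplied by the operator; the log lines, addresses, ports and boot time are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample in the pfirewall.log layout (not taken from the thread).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2013-08-27 09:00:12 DROP TCP 10.0.0.5 10.0.0.20 49152 8014 52 S 0 0 8192 - - - RECEIVE
2013-08-27 09:00:40 DROP TCP 10.0.0.6 10.0.0.20 49153 8014 52 S 0 0 8192 - - - RECEIVE
2013-08-27 09:01:30 ALLOW UDP 10.0.0.20 10.0.0.1 137 137 0 - - - - - - - SEND
2013-08-27 14:30:05 DROP TCP 10.0.0.5 10.0.0.20 49200 8014 52 S 0 0 8192 - - - RECEIVE
2013-08-27 14:32:00 DROP TCP 10.0.0.7 10.0.0.20 49201 445 52 S 0 0 8192 - - - RECEIVE
"""
BOOTS = [datetime(2013, 8, 27, 8, 59, 30)]  # constructed reboot time, e.g. from the System event log

def parse_pfirewall(text):
    """Yield (timestamp, record) per entry, mapping columns via the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, rec

def activity_windows(entries, max_gap=timedelta(minutes=5)):
    """Group entries into bursts; a silence longer than max_gap starts a new burst."""
    windows = []
    for ts, rec in sorted(entries, key=lambda e: e[0]):
        if windows and ts - windows[-1]["end"] <= max_gap:
            w = windows[-1]
            w["end"] = ts
        else:
            w = {"start": ts, "end": ts, "count": 0, "drops": 0}
            windows.append(w)
        w["count"] += 1
        w["drops"] += rec["action"] == "DROP"
    return windows

def classify(windows, boots, slack=timedelta(minutes=10)):
    """Tag a burst 'after-boot' if it starts within slack after a reboot, else 'unexplained'."""
    return [("after-boot" if any(timedelta(0) <= w["start"] - b <= slack for b in boots)
             else "unexplained", w) for w in windows]

if __name__ == "__main__":
    for label, w in classify(activity_windows(parse_pfirewall(SAMPLE_LOG)), BOOTS):
        print(label, w["start"], "->", w["end"], f"{w['drops']}/{w['count']} dropped")
```

Bursts tagged `unexplained` are the ones to compare against policy changes in the manager, since they show Windows Firewall filtering traffic at a time no reboot accounts for.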



  • 2.  RE: SEP Manager Firewall Policies

    Posted Aug 27, 2013 08:19 PM

    The Symantec Endpoint Protection (SEP) installer automatically detects and disables Windows Firewall if enabled. The exception to this is that if SEP is installed without Network Threat Protection (NTP) active, Windows Firewall will not be disabled.

    Reference: 

    Best Practices for using Windows Firewall with Symantec Endpoint Protection 12.1

     

    http://www.symantec.com/docs/TECH196975

    After SEP is installed, for Windows Firewall you should see that it's been managed by SEP.

    If no policy is applied, it will be enabled after system restart. Reapplying the policy would fix that.

    Yes, that's the number of groups on which this policy is active.

    At any time you can have only one firewall policy; you can add all the required rules in a single policy.

     

     



  • 3.  RE: SEP Manager Firewall Policies

    Posted Aug 28, 2013 03:54 AM

    Hi,

     

    1, 2, 4, 5) It depends on the rule created in SEPM. I have pasted a clip; kindly take a look at it.

    6) The location count depends on the number of clients groups inheriting the policy

     

    Hope this helps.

     



  • 4.  RE: SEP Manager Firewall Policies

    Trusted Advisor
    Posted Aug 28, 2013 06:51 AM

    Hello,

    What version of Symantec Endpoint Protection are you running?

    Make sure you are running the Latest version of Symantec Endpoint Protection 11.0.7300 OR Symantec Endpoint Protection 12.1.3001

    Answers for Questions 1, 2, 3 - 

    Check these Articles:

    About Windows Firewall and Symantec Endpoint Protection's NTP

    http://www.symantec.com/docs/TECH97986

    Best Practices for using Windows Firewall with Symantec Endpoint Protection 12.1

    http://www.symantec.com/docs/TECH196975

    Using (Enabling) Windows Firewall with SEP NTP installed

    http://www.symantec.com/docs/TECH197660

    How to enable Windows firewall setting in Windows 7 machine in SEPM 12.1.2

    https://www-secure.symantec.com/connect/blogs/how-enable-windows-firewall-setting-windows-7-machine-sepm-1212

    Answer for Question 4 - 

    Check these Articles:

    Advanced Settings for Windows 7 Firewall indicate that it is on, even when Symantec Endpoint Protection Network Threat Protection (NTP) is installed.

    http://www.symantec.com/docs/TECH123729

    Windows 7 Firewall indicate that "These Settings are being managed by vendor application Symantec Endpoint Protection", even when Symantec Endpoint Protection (SEP) 11.0 Network Threat Protection (NTP) is not installed.

    https://www-secure.symantec.com/connect/articles/windows-7-firewall-indicate-these-settings-are-being-managed-vendor-application-symantec-en

     

    Answer for Question 5 - 

    Check these Articles:

    About working with Firewall Policies

    http://www.symantec.com/docs/HOWTO27114

    Can multiple firewall policies be merged into one in the Symantec Endpoint Protection Manager?

    http://www.symantec.com/docs/TECH160211

     

    Answer for Question 6 - 

    Once the Policy is withdrawn, you would have to assign the default policy from the SEPM >> Policies >> Firewall >> Right click on the policy and assign the same again to the group and sub-groups.

    You can later check the assigned groups by - 

    SEPM >> Policies >> Firewall >> Right click on the policy and edit >> Click on "Used by" tab.

    Secondly, check this Article:

    Performing tasks that are common to all security policies

    http://www.symantec.com/docs/HOWTO55049

    NOTE: In case the policy is a non-shared policy and is later withdrawn, it would eventually get deleted.
     
    Hope that helps!!!


  • 5.  RE: SEP Manager Firewall Policies

    Posted Aug 28, 2013 07:10 AM

    Hi,

     

    Symantec Endpoint Protection Manager - Firewall - Policies explained

    Article:TECH181701  |  Created: 2012-02-17  |  Updated: 2012-03-08  |  Article URL http://www.symantec.com/docs/TECH181701
     

    Please check the link below also:

    Article:TECH104433  |  Created: 2008-01-20  |  Updated: 2010-11-30  |  Article URL http://www.symantec.com/docs/TECH104433

    How a firewall works

     

    Article:HOWTO55054  |  Created: 2011-06-29  |  Updated: 2011-12-17  |  Article URL http://www.symantec.com/docs/HOWTO55054

    About Windows Firewall and Symantec Endpoint Protection's NTP

     

    Article:TECH97986  |  Created: 2009-01-08  |  Updated: 2011-02-11  |  Article URL http://www.symantec.com/docs/TECH97986

    Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348

    Best Practices for using Windows Firewall with Symantec Endpoint Protection 12.1

     

    Article:TECH196975  |  Created: 2012-09-20  |  Updated: 2012-09-20  |  Article URL http://www.symantec.com/docs/TECH196975

    Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

     

    Article:TECH180569  |  Created: 2012-02-02  |  Updated: 2012-02-02  |  Article URL http://www.symantec.com/docs/TECH180569

     

    About firewall server rules and client rules

     

    Article:HOWTO81232  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81232

    About firewalls and communication ports

     

    Article:HOWTO81451  |  Created: 2012-10-25  |  Updated: 2012-10-27  |  Article URL http://www.symantec.com/docs/HOWTO81451

    Blocking a Website using Symantec Endpoint Protection

     

    Article:TECH92405  |  Created: 2009-01-16  |  Updated: 2012-08-22  |  Article URL http://www.symantec.com/docs/TECH92405

    How to Restrict Users to Specific Web Sites by Creating Firewall Rules for Managed Clients

     

    Article:TECH92097  |  Created: 2009-01-28  |  Updated: 2011-01-19  |  Article URL http://www.symantec.com/docs/TECH92097

    How to block all websites and allow only certain websites using Network Threat Protection Firewall rule.

     

    Article:TECH95248  |  Created: 2009-01-28  |  Updated: 2012-05-31  |  Article URL http://www.symantec.com/docs/TECH95248

    How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/9c561a4628b3c9a44925747f007b19cd?OpenDocument

    How to block Web access to client with the help of firewall in a Proxy Environment

     

    Article:TECH188973  |  Created: 2012-05-17  |  Updated: 2012-06-04  |  Article URL http://www.symantec.com/docs/TECH188973

     

    How To Block Internet address via Sep Manager Firewall Rule

    https://www-secure.symantec.com/connect/articles/how-block-internet-address-sep-manager-firewall-rule

     

    Video

    Allow and Block websites using Symantec Endpoint Protection Firewall

    https://www-secure.symantec.com/connect/videos/allow-and-block-websites-using-symantec-endpoint-protection-firewall