Endpoint Protection Small Business Edition


SEPM 12.1.4a doesn't update Firewall Status for all machines

  • 1.  SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Mar 13, 2014 01:33 PM

    I have about 14 servers under the same group with the same policy. The policy is to disable the firewall. 4 servers are showing up as having the firewall status as being enabled. When I go to the actual server and look at the SEP firewall it is disabled. I have left the machines for over a day and they have been rebooted but no change to the status. Is there any way to get it to report correctly?



  • 2.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Mar 13, 2014 01:35 PM

    Is the policy withdrawn or just disabled?

    On the client, is the fw component even installed? You can check via add/remove programs.



  • 3.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Mar 13, 2014 01:43 PM

    Edit# I see that now, you have already rebooted those servers.

    Delete that client from SEPM, and do an update policy on the client; it should come up with the latest info.



  • 4.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Mar 13, 2014 02:33 PM

    So I did delete the clients from SEPM and update the client policies with no luck. All the clients when I go to them only have Symantec Endpoint Protection. I don't see anything about a separate firewall in programs and features.

    There was nothing on SEPM for the inboxagent folder containing .err

    I guess I don't understand withdrawn vs. disabled? I did have the firewall turned on, on each server a while back and turned it off. Again most servers are correctly reporting back though. I have since upgraded SEPM and the clients to 12.1.4a and actually changed the SEPM server in the process. Everything else is updating fine such as last status update and definition updates.

     



  • 5.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Mar 13, 2014 02:38 PM

    In the fw policy itself, there is a check box for "Enable this policy"

    If you go to the Clients page >> Policies tab

    Is the firewall policy showing here or is it withdrawn?



  • 6.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Mar 13, 2014 02:38 PM

    If you right click on a client and select disable NTP, it will show as disabled.

    If you go to the policy tab and withdraw the fw policy, it will show withdrawn by policy.

    I think your clients install NTP but they are not showing up, coz to show NTP it needs a reboot.

    Just to be sure, go to add/remove programs, select SEP, select modify, remove any activated NTP, reboot.

    If there is no NTP, if you pull a computer status report, under firewall it should show up as Not installed. What are you getting now?

    On a side note, 12.1.4 rua is only for SEPM; no need to update your clients.



  • 7.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Broadcom Employee
    Posted Mar 18, 2014 11:59 AM

    Hi,

    Could you try the following workaround?

    Make sure that, though they have the same policy, the policy serial number is correct.

    Is there anything similar between those four Servers? I mean Operating system, SEP client version?

     



  • 8.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Jun 04, 2014 06:30 AM

    I think I'm having the same problem, but there hasn't been much followup by @constantm so maybe I can hijack the thread.

    Just recently installed Symantec Protection Suite which includes Endpoint Protection Small Business Edition 12.1.4100.4126

    I installed the Management product and deployed the full package endpoint to my 2003 server.  No firewall previously existed.  If I recall, I lost my Remote Desktop capability, so rather than try and figure out the exception rule, I just went into the Policies tab and edited the policy so "Enable This Firewall Policy" was unchecked.  So now the firewall status in the Manager says "Disable by Policy" which makes sense.

    Then I deployed the same package to a Windows XP machine with XP firewall already on and added it to the same group.  Oddly it says "Enabled" for the firewall status.  I assumed this meant it was reporting the Windows XP firewall active, but since then I'm guessing this column is reporting for the Symantec firewall only?

    Since then I have been getting a combination of "Disabled by Policy" and "Enabled" on XP and Windows 7 machines in any group I add a machine, with no common denominator.  It seems the Windows Firewall is still running on all machines which is what I want for now, but the reporting is not right.

    So as a newbie, can someone please explain to me the difference in disabling the policy and withdrawing the policy (and the steps), as people have referred to these actions.

    Marty



  • 9.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Broadcom Employee
    Posted Jun 04, 2014 08:16 AM

    Hi,

    It seems this issue is fixed in SEP 12.1 RU4, but you are facing the issue with a later version also, which is strange.

    Client reports Firewall Status as “Disabled”
    Fix ID: 3115966
    Symptom: If you disable or withdraw the firewall policy from a client group, the clients display as “Disabled” on the Symantec Endpoint Protection Manager Home tab, under Endpoint Status. Clicking on the Endpoint Status chart shows the Firewall Status as “Disabled.” The Firewall Status should only display as “Disabled” if the end user disables the firewall.
    Solution: Implemented the creation of a registry key during a clean installation, kept during migration, to correctly trigger the “Disabled” firewall status report.
     
    Reference:

    New fixes and features in Symantec Endpoint Protection 12.1.4

    For testing purposes I would suggest doing a fresh install of the SEP client if it's an upgrade. If it still reports incorrectly, then log a case with support.


  • 10.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Jun 05, 2014 04:04 AM

    Thanks Chetan but I don't think this is the same bug. 

    The description seems to describe the effect on clients in a group when disabling or withdrawing on an already populated group.  In my case, I disabled the Policy before installing the clients.  Plus they are showing "Disabled by Policy" or "Enabled", not "Disabled" which is the case when a firewall is disabled by the client.  All my Windows firewalls are active (although I will double check).

    I've attached a screenshot so you can see what's going on.  I would expect all to show "Disabled by Policy".

    If I find the time I might try a clean and reinstall on the "Enabled" clients and see if they report properly.



  • 11.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Broadcom Employee
    Posted Jun 05, 2014 12:15 PM

    Hi,

    I am testing it in my environment, I will get back to you ASAP.



  • 12.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Broadcom Employee
    Posted Jun 06, 2014 08:59 AM

    Hi,

    It shows SEP firewall status only, not Windows firewall status. I would suggest to verify NTP firewall status on the clients where it shows Firewall Status - Enabled.

    Make sure clients have received the latest SEPM policy as well.

     



  • 13.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Jun 08, 2014 04:41 AM

    It shows SEP firewall status only, not Windows firewall status. I would suggest to verify NTP firewall status on the clients where it shows Firewall Status - Enabled.

    Make sure clients have received the latest SEPM policy as well.

    How do I check the NTP firewall status?

    Still, the policy versions all show the same, and since SEP was installed on all machines after the policy was initially disabled and has not been changed since, they can't be any other version of the policy.



  • 14.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines



  • 15.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Jun 11, 2014 09:35 AM

    Thanks Chetan for the article

    It didn't work for me.  After selecting "Modify", I don't get a dropdown list of core components as described.  Instead I get a screen that has a choice of "Standard Protection" or "Basic Virus and Spyware Protection".  Presumably this is because I have SBE not Enterprise.

    No matter.  I figured out if I opened Endpoint Protection under NTP options, it shows the Firewall disabled and greyed out, meaning the Policy is enforcing the "off" setting I presume.  On a few clients I checked they were all the same so I expect it is a reporting problem not a setting problem.

    I'm going to double-check my Windows Firewall exception again, but I'm thinking it might be time to log a support ticket.


     



  • 16.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Broadcom Employee
    Posted Jun 11, 2014 11:42 AM

    Yes, I would also suggest to log a case now. If possible please share the case number with me.



  • 17.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Posted Jun 12, 2014 08:47 AM

    Problem solved without a support call.

    Today I had a user ask to add an exclusion to the scanning, so I modified the policy to add a file extension exception.

    As soon as the updated policy deployed to the machines, all the hosts showed the Firewall as "Disabled by Policy" as expected.

    Seems strange since the previous policy version was current and working correctly on the endpoints.  Simply updating the policy (probably with any change, not necessarily firewall) to force a new version ID seems to have refreshed the database.

    Perhaps there was a database integrity issue of some kind which had the fields wrong and had now rewritten the table.

    Oh well, hope this helps someone else.



  • 18.  RE: SEPM 12.1.4a doesn't update Firewall Status for all machines

    Broadcom Employee
    Posted Jun 12, 2014 10:00 AM

    Thanks for the update & good to know the issue has been resolved. Probably we should have tried to repair the SEPM as a troubleshooting step. :)