Endpoint Protection

So recently we upgraded quite a number of clients from SAV to SEP RU6 MP3 (AV&AS component only), somehow the Windows Firewall get turned on automatically after 1st reboot?

OS: Windows Server 2003 SP2

Default Firewall status : OFF

Firewall services startup: Automatic

Is there any Windows log which state which program has enabled the Firewall? Obviously we suspect it's the SEP....

regards

It used to in earlier versions but not now; After the first reboot do you see network threat component of SEP activated ? 

http://www.symantec.com/business/support/index?page=content&id=TECH97986&locale=en_US

when you create  the package make sure there is no firweall policy is applied to that group.

even if NTP is not installed , just appliying fw policy to group used to cause some issue.

check the domain policy

http://www.symantec.com/business/support/index?page=content&id=TECH91865&locale=en_US

Hi Rafeeq,

We're not able to see SEP NTP status after the first reboot..

The client itself is not local.... we installed SEP remotely via RDP...

Anyway from what i understand SEP with AV&AS only component won't change anything at Windows Firewall setting nor service... i do not think we applied any FW policy to the group.. will double check on that..

Hi Pete,

There's no domain policy to turn on Windows Firewall in our environment as far as i know...

Is there any other factor that we should be looking at?

One more thing, do uninstalling SAV will make Windows turn on the Firewall?

Any documentation on this?

Thank you.

Uninstalling SAV will not enable Firewall.Disable Windows Firewall from GPO so that it doesn't turn on automatically.

Vikram,

Your solution is viable. But why would we disabled the Windows Firewall when in our case it seems like SEP who turned it on...

Is there any log that we can check to further check and verify this?

Im curious if this issue coming from SEP bug/design? Had you ever saw people talking about this before?

Did  you install using Acive directory; ?

check the event viewer; it should have an entry for sep installed.see if it indeed disabled firewall (on/off)

lol.... the Support acutally informed us that it's new enhancement in SEP since RU6 MP1?

He explained that starting from this version any SEP without NTP component will have Windows Firewall turned ON automatically...

Refer fix id below:

Windows Firewall is always disabled by SMC service

Fix ID:1992008

Symptom:The Windows Firewall is disabled even though a policy is in place that dictates it to be enabled.

Solution:If Symantec Endpoint Protection Firewall is disabled in a location, the Windows Firewall will be turned on. If Symantec Endpoint Protection Firewall is enabled in a location, the Windows Firewall will be turned off.

http://www.symantec.com/business/support/index?page=content&id=TECH103087

So... did anybody realise or agree with this?

Hi ,

    It is true , i agree . One more point , it is an exception in windows server 2003 , windows server 2003 R2 even the firewall is off , the windows firewall / Internet connection sharing service will be running . 

I think they should put this on a KB, what stated in the fix is kinda explicit.

Imagine you just upgrade a server client from SAV to SEP remotely, you'll realiase that you're in a bit of trouble after the reboot as u're not able to remote back....  = ='

Anyone else have concern/experience on this?

Will GPO Firewall rule have priority over SEP settings?

Hi ,

   The SEP firewall have more priority than GPO firewall rule .

Hi Optimus,

Did you test this yourself? Is there any documentation on this?

Thank you!

Hi,

 THere is no documnetation on this ...

Hmm.. i dunno but what is theorical reasoning of this?

Is it because SEP firewall policy is 'local' it would have priority over GPO?

Anybody else have experince on this? thanks!

Back to the firewall part..

Ok somehow i did not agree the explanation by the support..... he said that it's a normal Windows behaviour to check and find for any active firewall... if it find it's turned off, it will turn it on?

Refer below:

....the test performed has proved that SEP installed with NTP will not turn on the Windows firewall on restart
>However if installed without NTP, it is a normal behavior of windows that the firewall will turn on by itself
>Explained that Windows will look for any active firewall that is installed, however when no firewall is installed it will turn on the default firewall of windows

Is this true?