Endpoint Protection

I have configured firewall rule to block ip address 10.33.1.100 (example) for both inbound and outbound. so I think anything goes from 10.33.1.100 should be blocked by all sep clients. which is blocking also but  clients shows a message for Active response intrusion prevention stating that ip address 10.33.1.100 has been blocked by sep for 60 seconds.

Now my question is while I have a firewall  rule applied which states that all communications from 10.33.1.100 will be blocked by the firewall then why this ips message appears on clients.

which one is first line of defence  firewall or IPS

Hi,

       Please check the links below which explain the feature and working of Firewall and IPS.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348...Firewall

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032011043948...IPS

Hi Sandip

               Sorry but have you checked the links you provided They are no mare man.Can you give an updated link that works

Hi,

       Sorry for that....

Please check the links below which explain the feature and working of Firewall and IPS.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348       Firewall

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032011043948       IPS

Still Confused

      which one blocks first firewall rule or IPS signature

It depends on the direction of the traffic.

If the traffic is outbound from the client, it will hit the IPS engine first, then the firewall.  If its inbound to the client it will hit the firewall first, then IPS.

hth

Thanks paul
          If firewall is first for inbound then can you answer my post below
https://www-secure.symantec.com/connect/forums/ntp-updated-firewall-rule-not-working-some-clients