Endpoint Protection

  • 1.  Clients running the SEP firewall

    Posted Oct 28, 2010 04:31 PM

    Hello folks,

    I am running SEPM 11.0.5 in a Windows 2008 Server R2.

    Is there any way I can tell which clients are running the SEP firewall in my SEP domain?

    Thanks in advance.

    Ray



  • 2.  RE: Clients running the SEP firewall

    Posted Oct 28, 2010 04:35 PM

    Check here.

     



  • 3.  RE: Clients running the SEP firewall

    Posted Oct 28, 2010 04:36 PM

    Hi Ray,

    In the SEPM, go to the clients section. Select your client group. On the right-hand side, with the Clients tab selected at the top, look for a View dropdown. Set this to Protection Technology. In this view, look for the column "Firewall Status". This will indicate if the SEP client's firewall (Network Threat Protection) is enabled or not.



  • 4.  RE: Clients running the SEP firewall

    Posted Oct 28, 2010 04:43 PM

    For a more comprehensive query, go to Monitors > Logs. Select the log type "Computer Status." This log type will show all machines that have checked in with the SEPM in the past 24 hours (the default time range) and will show which protection technologies are enabled (Antivirus, Network Threat Protection, etc.).



  • 5.  RE: Clients running the SEP firewall

    Posted Oct 28, 2010 05:21 PM

    I am a bit confused. I looked at the Firewall Status column as you guys suggested; the status is enabled, but when I check those workstations the Windows firewall is on (as mandated by our GPO) and the SEP firewall is off (as it should be according to our company policy). Why are they showing "enabled" in the console when the SEP firewall is actually off? Can I tell which firewall is actually enabled, SEP or MS? My goal is to make sure all our clients are using the Windows firewall.

    Additional information:

    All our clients have the following components installed and the firewall policy auto generated when I installed the SEPM is disabled.

    Antivirus and Antispyware Protection

    Proactive Threat Protection

    Network Threat Protection

     Thanks guys!



  • 6.  RE: Clients running the SEP firewall

    Posted Oct 28, 2010 06:06 PM

    The status in the SEPM indicates that the Network Threat Protection component is enabled for the client. Perhaps the firewall policy is disabled within the SEPM? Are users turning off Network Threat Protection?

    Take a look at this document. This might be the best way to go if you do not want to use the Firewall portion of SEP, but still want to have Intrusion Prevention enabled.

    http://www.symantec.com/business/support/index?page=content&id=TECH95347&actp=search&viewlocale=en_US&searchid=1288303041196 - Best Practices Regarding Intrusion Prevention System Technology.

    This document has instructions for withdrawing the firewall policy from a client group, while still allowing the Intrusion Prevention System to function.



  • 7.  RE: Clients running the SEP firewall

    Posted Oct 28, 2010 09:53 PM

    I think there is no way to tell from SEPM if the firewall is ON or OFF. It would only show if NTP is installed or not. So, if you have the NTP component installed, but the firewall policy is disabled, like in your case, SEPM would only say enabled for Firewall, as NTP is installed. If you remove NTP, then it would show Firewall status as not enabled!



  • 8.  RE: Clients running the SEP firewall

    Posted Oct 29, 2010 04:54 AM

    If you have turned off the NTP from the policy, it will be off on all the clients. However, you cannot tell exactly if it's on or off from SEPM.

    However, if you can query the registry of the clients, then you can check this:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

    smc_engine_status: 0 means turned OFF, 1 means turned ON.
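
The registry check in the post above can be scripted across a list of clients. This PowerShell is an added example, not code from the thread or from Symantec. It assumes Remote Registry access with admin rights, uses constructed host names and a hypothetical function name (`Get-SmcEngineStatus`), and reads both the 64-bit and 32-bit registry views because the thread does not say which one holds the key.

```powershell
# Added example (not from the original thread): audit smc_engine_status on clients.
# Assumptions: Remote Registry is reachable on each client, the caller is an admin,
# and the computer names at the bottom are constructed placeholders.
$SubKey    = 'SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$ValueName = 'smc_engine_status'

function Get-SmcEngineStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName)

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    # On 64-bit Windows, 32-bit processes are redirected to Wow6432Node,
    # so look in both views and report which one held the value.
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry64,
                      [Microsoft.Win32.RegistryView]::Registry32) {
        $base = $null; $key = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName, $view)
            $key  = $base.OpenSubKey($SubKey)
            $raw  = if ($key) { $key.GetValue($ValueName) } else { $null }
            if ($null -ne $raw) {
                # 0 = OFF, 1 = ON, per the post above; anything else is flagged.
                $state = switch ([int]$raw) { 0 { 'OFF' } 1 { 'ON' } default { "Unknown ($raw)" } }
                return [pscustomobject]@{
                    Computer = $ComputerName; View = $view; Raw = $raw; SmcEngine = $state
                }
            }
        } catch {
            # Unreachable host, access denied, or a non-numeric value.
            return [pscustomobject]@{
                Computer = $ComputerName; View = $view; Raw = $null
                SmcEngine = "Error: $($_.Exception.Message)"
            }
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
    # Key or value absent in both views (SEP not installed, or a different layout).
    [pscustomobject]@{ Computer = $ComputerName; View = $null; Raw = $null; SmcEngine = 'NotFound' }
}

# Constructed host names; replace with an export of your own client list.
$clients = 'WKS-EXAMPLE-01', 'WKS-EXAMPLE-02'
$clients | ForEach-Object { Get-SmcEngineStatus -ComputerName $_ } | Format-Table -AutoSize
```

Rows reporting `ON` are the clients to follow up on when policy requires the Windows firewall instead; `NotFound` and `Error` rows need a manual check and should not be read as `OFF`.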



  • 9.  RE: Clients running the SEP firewall
    Best Answer

    Posted Nov 05, 2010 11:03 AM

    Thanks guys, since there is no way to tell in the SEPM console which clients are using the SEP firewall, I created a configuration baseline in the "Desired Configuration Management" of System Center Configuration Manager to look for the registry information provided by Vikram. It is a bit of work but it works.



  • 10.  RE: Clients running the SEP firewall

    Posted Nov 05, 2010 11:25 AM

    Is this key the same no matter the OS, i.e. Windows XP, Windows 7, Server 2k8 (x32 & x64)?