Endpoint Protection

Firewall and Intrusion Prevention

  • 1.  Firewall and Intrusion Prevention

    Posted Jan 08, 2010 04:32 PM
    Quick question.

    In the policies we can see a Firewall policy and an Intrusion Prevention policy.


    If I only install the Antivirus and Antispyware Protection on the clients, does it mean that the Firewall policy and an Intrusion Prevention policy will not take effect? (meaning it won't matter how I configure them)

    Thanks
    Vic


  • 2.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 04:41 PM
    IPS and client firewall
    In order to enable IPS, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/a4b2056057ad5362882576070077598e?OpenDocument


  • 3.  RE: Firewall and Intrusion Prevention
    Best Answer

    Posted Jan 08, 2010 04:48 PM
    That is correct.
    Policy and feature are 2 different things.

    If you do not have Proactive Threat Protection and Network Threat Protection installed, then it doesn't matter what policies you apply for firewall, IPS, Application and Device Control, and TruScan.


  • 4.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 04:49 PM
    Vic,
    You are correct.

    If I may further add a few comments which may save you some time/headache down the road. If later on, say six months from now, you want to begin using the firewall or IPS, I believe you will need to do a complete re-install of the software on the client. That's because the firewall and IPS components (or modules, if you will) were not installed when you only checked the box for antivirus/antispyware. In addition, after the re-install you are going to need to reboot your clients for the firewall and IPS components to be activated.

    I recommend installing all of the components (modules) with the initial rollout, as well as a reboot to activate them. This way the components are on the client, ready to go, and you don't have to worry about re-installing if you find an urgent need to, say, block a website using the firewall.

    Remember that even though the components are installed and activated on the client they are not actually in use until you assign a policy to a group.

    Hope that helps,
    Fred


  • 5.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 04:59 PM
    That is very good info.

    Let's say I install all the components right away on the clients as ohio_navigator suggested. How would I go about disabling the Firewall policy and an Intrusion Prevention policy?  Would I have to withdraw them?


  • 6.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:01 PM
    For the Firewall policy, yes, you will have to either withdraw them or add a blank rule in it (Allow All).
    In the IPS policy there is a check box to disable it.


  • 7.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:07 PM
    So if I uncheck the Enable this policy checkbox from the IPS, the settings portion of the policy will be irrelevant? (It will not matter what is checked in there)


  • 8.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:10 PM
    In IPS you also have Port scan and DoS attacks; you need to disable them also by unchecking them, and yes, blocking period and exceptions won't matter.


  • 9.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:12 PM
    One additional comment. I have found that each time a firewall policy is added or withdrawn from a group, the clients lose all network connectivity for ten seconds. (I believe there is a KB document about that.) It's enough to drop connections such as ssh, ftp, Exchange, etc., which can be a little troubling to end-users, if you know what I mean. It's enough of a drop to generate calls to the helpdesk. However, simply modifying a firewall policy that is already added to a group does not cause such a drop. So for clients that I don't really want to have an active firewall, I went ahead and added a firewall policy to their group. But there is only one rule in the firewall policy: permit all. If I ever need to make a change, I can do that to the existing policy and the end-user will never know (okay, they may know that I blocked a web site, but won't have a complete network disconnect).


  • 10.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:17 PM
    Thanks, that's great to know!


  • 11.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:17 PM
    So even if the IPS policy is disabled (the Enable this policy checkbox is unchecked), I still need to uncheck the option in the Settings section? I find that very strange.


  • 12.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:20 PM
    If you uncheck Enable this policy then everything will be disabled... however if you went inside and disabled only IPS then you need to disable the rest of the things as well...

    Sorry if I had confused you earlier :-)


  • 13.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:27 PM
    You said: "however if you went inside and disabled only IPS then you need to disable rest of the things as well..."

    Do you actually mean if I went inside and unchecked the Enable Intrusion Detection checkbox?


  • 14.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:29 PM
    Yes, that's correct.


  • 15.  RE: Firewall and Intrusion Prevention

    Posted Jan 08, 2010 05:36 PM
    Thanks a lot!!
    Now it makes perfect sense :)