Endpoint Protection

  • 1.  SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 17, 2009 08:04 PM

    I am just completing a rollout of SEP client v11.0.5002.333 32-bit right across our network and am about 80% done.  So far no issues have been reported.  Everything running smoothly ...

    ... EXCEPT ...

    I've noticed that after the SEP client has installed, Windows Firewall (which was ON) is now OFF on each desktop that has been upgraded.

    We do not enforce Windows Firewall to be ON through Group Policy, however it is our preference that it should be ON.

    We do not use the SEP Firewall (SEP Firewall Policy is NOT turned on).

    However we DO deploy all 3 components of SEP on the client:  Antivirus and Antispyware Protection, Proactive Threat Protection and Network Threat Protection.

    Am wondering why SEP is turning Windows Firewall OFF?  It's a bit of a problem for me, as I had only just completed a trip to all 14 of our sites, during which I had checked every PC and ensured that it was both updating its AV defn's and also that Windows Firewall was ON.

    Now of course the firewall will be OFF on every machine on the network, which will be a pain to fix.
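
Added example (not part of the original post, and not Symantec or Microsoft tooling): a Python script that audits which desktops report Windows Firewall OFF, as described above, from text collected per host. It assumes Windows Vista or later with English-language output of `netsh advfirewall show allprofiles state`; the host names and sample captures are constructed.

```python
import re

PROFILES = ("Domain", "Private", "Public")
_HEADER = re.compile(r"^(Domain|Private|Public) Profile Settings:\s*$")
_STATE = re.compile(r"^State\s+(ON|OFF)\s*$")

def parse_profile_states(text):
    """Return {profile: 'ON'|'OFF'} for each profile found in netsh output."""
    states, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _HEADER.match(line)
        if m:
            current = m.group(1)      # remember which profile block we are in
            continue
        m = _STATE.match(line)
        if m and current:
            states[current] = m.group(1)
            current = None
    return states

def audit(captures):
    """Map each host to its OFF profiles, or 'UNKNOWN' if the capture is unusable."""
    report = {}
    for host, text in sorted(captures.items()):
        states = parse_profile_states(text)
        if set(states) != set(PROFILES):
            report[host] = "UNKNOWN"  # failed or partial capture: recheck by hand
        else:
            report[host] = [p for p in PROFILES if states[p] == "OFF"]
    return report

def _capture(domain, private, public):
    """Build constructed sample text in the netsh output layout."""
    rule = "-" * 70
    return "".join(
        f"\n{name} Profile Settings: \n{rule}\nState{' ' * 33}{state}\n"
        for name, state in zip(PROFILES, (domain, private, public))
    ) + "Ok.\n"

# Constructed sample data; host names are made up for illustration.
SAMPLE = {
    "PC-A-014": _capture("OFF", "OFF", "ON"),
    "PC-B-003": _capture("ON", "ON", "ON"),
    "PC-C-021": "The requested operation requires elevation.\n",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, result)
```

A host reported as `UNKNOWN` is treated as unverified, not as compliant, so a failed collection never hides a machine with the firewall off.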



  • 2.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall
    Best Answer

    Posted Nov 17, 2009 09:58 PM
    You mentioned that  "We do not use the SEP Firewall (SEP Firewall Policy is NOT turned on)" & "However we DO deploy all 3 components of SEP on the client:  Antivirus and Antispyware Protection, Proactive Threat Protection and Network Threat Protection". If you have installed NTP it is the Firewall component of endpoint and it is active. The PTP feature is not supported on Server OS even if you install, it will remain OFF.

    Regarding the Windows Firewall component, you can set a Group Policy which enables the Windows Firewall after logging out and back in or when the computer is rebooted.  SEP 11 does not check the Windows Firewall state after installation.


  • 3.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 17, 2009 10:04 PM

    Thanks for your reply.  I figured it might be something like that.  What then are the implications of running the SEP Network Threat Protection (a.k.a. SEP Firewall) but without any policy settings configured?  Will it be blocking anything; or will it be letting all traffic through?  (I think the latter, but am happy to be corrected).

    Part of my problem is that I inherited this network fairly recently (a few months ago) and I have never worked with SEP before ... meaning that I don't know what I don't know ... and I worry that I am putting the network at risk as a result.  I have never touched the firewall settings, so the fact that a firewall policy has never been configured is something that predates me arriving here.  Therefore I don't know how long it has been in that state.



  • 4.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 17, 2009 10:12 PM
    Thanks for the prompt reply. I understand your concern and we are here to help you out. The NTP feature of SEP should always be tested in a Test environment because as I mentioned it acts like a Firewall and has the capability to block both incoming as well as outgoing traffic. As of now in case things are fine I would suggest to keep the NTP feature installed as it will protect your network from Network threats. In case you have a perimeter Firewall or a Hardware firewall then the Windows firewall issue should not be of great concern.


  • 5.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 17, 2009 10:43 PM
    Yes, we do have several other layers of firewalling:  one main perimeter network firewall (which governs traffic allowed into our broader network); plus an extra core network firewall (which governs traffic into the core of the network where our servers and head office functions are).

    By what you said above, it sounds like SEP NTP will be giving the desktops some level of protection, even though it is not fully configured to work as a firewall.  Our perimeter and core network firewalls will be doing most of the protecting at the edges of the network.

    So all I really need to do is (sometime soon) work on either configuring a working NTP Firewall Policy and deploy that, or alternatively, more rigorously enforce Windows Firewall to be turned on via Group Policy (I think this is probably the path I will follow).

    Thanks for your quick responses.  Much appreciated.


  • 6.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 17, 2009 11:38 PM
    I strongly recommend you have the firewall running with an allow ALL rule when computers are on your internal network.
    NTP is required for the IPS functionality to work and I have been finding more and more often that the IPS is protecting against remote virus infections where the definitions aren't helpful.

    When computers are external to the office location I tend to run a policy similar to the XP firewall which allows all outbound traffic but blocks all inbound.
    The stateful nature of the firewall ensures packets sent back as part of outbound comms are allowed.

    Although in some cases I run a full configured firewall policy that specifically allows traffic per application and if you have the time this is certainly the best option.
    Not too difficult if your systems all use a standard operating environment.

    cheers

    Z



  • 7.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 17, 2009 11:57 PM
    Thanks zer0,

    Your post prompts a few more issues for me.  I think my problem can best be described as "that might open a can of worms".  e.g. if I deploy a default policy which is "allow ALL", then I may run into issues with notebook computers that are also used outside the network.  That will then lead me to have to deploy another firewall policy for those machines (and I will have to work out what machines are affected -- no mean feat, as this involves machines spread across 14 physical sites).

    With Windows Firewall, I have previously:
    -- turned it on for all machines and all LAN interfaces on those machines; then
    -- configured various Group Policy settings to allow remote administration/support/desktop, file/printer sharing, etc (just within our domain) and so on

    If I have to learn how to do this with the SEP Firewall Policies, I can see a fair amount of learning work and trial and error ahead of me, and I would like to avoid that.

    So I am thinking that I will really just have to revert to one extra Group Policy that turns on Windows Firewall for all these machines (with a handful of exceptions that require it to be OFF because of application issues that I cannot work around at this time).

    I would much prefer to use the SEP Firewall, but I think it's probably beyond me right now from a learning and management p.o.v.


  • 8.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Nov 18, 2009 01:57 AM
    The SEP firewall is 10x better than the Windows FW, with more configurable options and capabilities.

    You can go as far in SEP to have when laptop users disconnect, to enable a more restrictive SEP FW policy, and when back in, it defaults to a blank policy.

    It would be in your best interest to learn and utilize the SEP FW.


  • 9.  RE: SEP v11.0.5002.333 client interaction with Windows Firewall

    Posted Dec 01, 2009 01:00 PM
    Sandip,

    Your suggestion of using Group Policy to force Windows Firewall on is the approach I've been using with all of our Vista and XP computers for some time now.  However, I'm seeing different behavior on Windows 7.  While the Overview in the Windows Firewall with Advanced Security console shows the firewall enabled for all three profiles, there is also a message stating that "These settings are being managed by Symantec Endpoint Protection."  Normally, this would show that some settings are being managed by Group Policy.  Under Monitoring, I can confirm that no firewall rules are being applied.  We are in a similar situation of wanting the benefits of NTP's Intrusion Prevention feature while utilizing the existing rules that have been defined and tested for Windows Firewall.  In the Action Center, if I go to view the installed firewall programs, though both products are listed, I have no ability to disable SEP, nor do I have any ability to enable Windows Firewall, as the buttons are grayed out.

    While I could try to migrate all of our existing settings over from Windows Firewall, I would rather have the option than be forced into using one product over the other.  What do I need to do in order to be able to enable Windows Firewall under Windows 7 without removing NTP?

    Ted