Endpoint Protection


Windows 7 Firewall with SEP IPS


  • 1.  Windows 7 Firewall with SEP IPS

    Posted Jul 04, 2010 05:32 PM

    Hey.

    I've read the following article on Symantec regarding using Windows 7 firewall with SEP IPS: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120816110248

    The article says that withdrawing the SEP firewall policy and activating Windows firewall through GPO makes it possible to use Windows 7 firewall with the SEP IPS function.

    I'm guessing that it's more complicated than that. I've tested and it doesn't seem that the Windows firewall will activate itself before I do a manual Start/Stop of the Windows Firewall Service.

    What I have done:
    I have removed the SEP Firewall policy completely, but the NTP component is installed on the client (RU6).
    I have created a block rule on Windows 7 Firewall for telnet port 23.
    Windows 7 firewall starts automatically at boot.

    - After normal boot I still get access to telnet if I try telnetting from another computer, even though the port is blocked in Windows firewall. Action Center says Symantec handles the firewall.
    - When I later stop/start Windows firewall, telnet is blocked as designed. Action Center says two firewalls are running. This is the option I want.

    So how do I get Win7 firewall and SEP IPS to work together from boot?

    RTB


  • 2.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 04, 2010 08:48 PM
    When you withdraw the policy, everything is passthrough; it's like not having it installed :)

    When installed with NTP, it always disables the firewall; it needs a reboot or manual start to get it functional.

    Windows Firewall is still enabled after installing Symantec Endpoint Protection 11
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009011613172148


  • 3.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 05, 2010 04:59 AM

    Hi.

    If you read my post, you see that I've tried reboots. Only after a manual stop/start do I get it working (even after several reboots).

    Can anyone confirm that withdrawing the SEP firewall policy and enabling the Windows firewall works in Windows 7?
    I'm quite sure this works in XP and Vista. But can anyone confirm that they get it working in Windows 7?

    RTB





  • 4.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 05, 2010 05:08 PM
    Hi. Thanks for your reply,

    But I want to have the SEP IPS function activated and therefore disabling the NTP component is not very useful.

    I need to have the Windows firewall and the SEP IPS activated. As described in: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120816110248

    How do I achieve this with the Windows 7 Firewall? Does anyone have experience with this? It seems like the Windows 7 procedure differs from Windows XP and Vista.

     


  • 5.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 05, 2010 05:30 PM
    Hi. Thanks for your reply,

    But I want to have the SEP IPS function activated and therefore disabling the NTP component is not very useful.

    I need to have the Windows firewall and the SEP IPS activated. As described in: http://service1.symantec.com/SUPPORT/ent-security....

    How do I achieve this with the Windows 7 Firewall? Does anyone have experience with this? It seems like the Windows 7 procedure differs from Windows XP and Vista.



  • 6.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 06, 2010 12:20 AM
    Just for testing, create an allow-all policy and apply it to the group and try....


  • 7.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 06, 2010 04:44 AM
    I'm sorry. That didn't work.

    The only way I am able to enable both firewalls is to manually restart the Windows Firewall service. The Windows Firewall service is already set to automatic and Windows Firewall with Advanced Settings is enabled through GPO.

    RTB




  • 8.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 06, 2010 07:52 PM

    Have you tried implementing a logon script that restarts the Windows 7 firewall service? I'm just trying to think of potential workarounds. My hunch is that Windows is loading, starting the firewall service, then NTP's drivers are hooking in to the network stack and "overwriting" the Windows firewall. If you've found that stopping and then starting the Windows firewall resolves the issue, this might make sense.


  • 9.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 07, 2010 03:52 AM

    I got the following reply from Symantec Support:

    "If you want to enable Windows firewall Policy in Windows 7, you must uninstall the SEP NTP module.
    In order to enable IPS, you must have the client firewall portion of Symantec Endpoint Protection installed."

    So I guess it doesn't work in Windows 7.

    RTB


  • 10.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 14, 2010 08:53 PM
    Well let me simulate this and see


  • 11.  RE: Windows 7 Firewall with SEP IPS

    Posted Jul 27, 2010 01:09 AM
    If you notice the KB carefully, it has mentioned that NTP component must be installed with Windows firewall to achieve your requested goal.

    Now, you would assume how can both work together? Well, you will be using Windows firewall for monitoring the traffic. However, IPS is a component of NTP, so you can't have IPS without NTP installed.

    But to keep NTP from monitoring the traffic (doing the same task as Windows firewall), you need to disable the firewall policy from Symantec Endpoint Protection Manager as discussed in the KB.

    By doing that, you will ultimately have the following configuration:
    Windows firewall - Monitoring traffic
    NTP with only IPS policies - IPS signatures applied (no monitoring of traffic with no firewall policies applied)




  • 12.  RE: Windows 7 Firewall with SEP IPS

    Posted Aug 08, 2010 06:15 PM
    Just to make it clear to everyone.

    The KB mentioned and the advice from Raunak are fully functional with Windows XP, as I stated several times above. But with Windows 7 this solution will not work, as the Windows 7 firewall won't allow two firewalls to run at once, even if you withdraw the policy.

    Please feel free to test.







  • 13.  RE: Windows 7 Firewall with SEP IPS

    Posted Aug 10, 2010 01:33 PM

    RTB is right.

    On Windows 7 the Windows firewall automatically gets disabled on startup (by SEP ???). The service is running but the firewalls for all zones are switched off. This means that if you have the NTP component installed and no firewall policy defined in SEP, your Windows 7 PC will have no firewall protection.
     
    This behaviour was different in Windows Vista. In Windows Vista (and XP) you could have NTP and windows firewall active at the same time.

    Restarting the Windows Firewall service enables the firewall and it starts blocking traffic according to your Windows firewall settings.
     
    I did some testing on a Windows 7 machine with RU6a and the NTP component installed without a firewall policy. I disabled all Symantec services and rebooted the machine. When the machine was rebooted, the Windows firewall was still running (green shields on Home, Private and Public Networks as configured via Group Policy).
    When I started the Symantec services one after another, I noticed that the Windows firewall got disabled when the Symantec Management Client service was started.

    On the Windows Firewall Control Panel an orange message bar is displayed:
    "These settings are being managed by vendor application Symantec Endpoint Protection".

    Seems like a bug to me. It looks like SEP sends Windows 7 a message to disable the firewall because it believes it can offer firewall protection which in this case is not right because no firewall policy is defined.
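
Added example, not part of any post in this thread: a PowerShell check for the condition described above (Windows Firewall service running while its profiles are off), with an optional service restart matching the manual workaround the posters used. It assumes English `netsh` output, the standard service name `MpsSvc`, an elevated session, and that the condition shows up as `State OFF` in `netsh`; the `-Remediate` switch and function name are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the Windows 7 client.
# Assumptions: English netsh output; Windows Firewall service is named MpsSvc.
param([switch]$Remediate)   # hypothetical switch: apply the service restart workaround

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles state" into a profile -> ON/OFF table.
    $state = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings') { $current = $matches[1] }
        elseif ($current -and $line -match '^State\s+(\S+)') { $state[$current] = $matches[1] }
    }
    return $state
}

$svc    = Get-Service -Name MpsSvc
$states = Get-FirewallProfileState

if ($states.Count -eq 0) {
    # Localized or unexpected netsh output: do not report a false "all good".
    Write-Warning "Could not parse netsh output; profile state unknown."
    exit 2
}

Write-Output ("MpsSvc status: {0}" -f $svc.Status)
$states.GetEnumerator() | ForEach-Object { Write-Output ("{0,-8} {1}" -f $_.Key, $_.Value) }

$off = @($states.Keys | Where-Object { $states[$_] -ne 'ON' })
if ($svc.Status -eq 'Running' -and $off.Count -gt 0) {
    # Service is up but one or more profiles are not filtering traffic.
    Write-Warning ("Service running but profiles off: {0}" -f ($off -join ', '))
    if ($Remediate) {
        Restart-Service -Name MpsSvc -Force
        Start-Sleep -Seconds 5
        (Get-FirewallProfileState).GetEnumerator() |
            ForEach-Object { Write-Output ("after restart: {0,-8} {1}" -f $_.Key, $_.Value) }
    }
    exit 1   # non-zero so a startup script or monitoring job can flag the host
}
exit 0
```

Run without `-Remediate` first to audit clients; exit code 1 marks a host with the NTP component installed and no effective host firewall.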


  • 14.  RE: Windows 7 Firewall with SEP IPS
    Best Answer

    Posted Aug 17, 2010 02:33 AM


    Looks like Symantec might have fixed the issue in SEP RU6 MP1. I will test it when I get time.


    Windows Firewall is always disabled by SMC service
    Fix ID: 1992008
    Symptom: The Windows Firewall is disabled even though a policy is in place that dictates it to be enabled.
    Solution: If Symantec Endpoint Protection Firewall is disabled in a location, the Windows Firewall will be turned on. If Symantec Endpoint Protection Firewall is enabled in a location, the Windows Firewall will be turned off.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648