Endpoint Protection

I have been installing 12.1 RU2 on a couple of my servers as an initial test before I upgarde all them, and I have been noticing that during the 12.1 RU2 install, it is disabling the WIndows Firewall, and it stays disabled after the install finishes. 

I do not run the firewall on my Endpoint client set up.  I have install packages that have Antivirus/Anitspyware and Proactive Threat Protection only.  The servers I am seeing this problem on are 2008 R2 servers. 

I installed it on my Windows 8 desktop, and a Server 2012 server, and it did not have this problem, however, those of course didn't have a previous version of SEP on it, and were only running the built in Windows Defender.  Anybody seeing this problem?  This is a big problem for me in my environment.

This is a similar issue:

https://www.symantec.com/business/support/index?page=content&id=TECH184409

Although this KB article shows it's for Windows 7. I would put in a support call to get this looked at.

I also just did a client install on 2008 R2 where I only had AV/AS configured, and it stil disabled the firewall.  Looks like a call to support is needed sadly.

I've seen it where it enables the firewall (as we have it disabled) and in the past it has always been a code fix. But support is your best shot here.

I created a case.  Hopefully they get back to me with a solution other than waiting on the next release.  I am not going to spot check over 400 servers, and this will put us behind on our full Server 2012 deployment.  :(   Can we just once have a Symantec release where there isn't a major headache in a simple AV client update?!

Hello,

As a Best practice recommendation it is always advised to use only one software Firewall on a computer. Two software Firewalls running on a computer might drain resources and the both software Firewalls might have rules those might conflict with each other. Enabling more than one Firewall program is likely to result in conflicts and poor performance. 

To prevent the above situation Symantec Endpoint Protection (SEP) installer automatically detects and disables Windows Firewall if enabled. Exception to this would be that if SEP is installed without Network Threat Protection (NTP) active Windows Firewall will not be disabled.

Reference: 

Best Practices for using Windows Firewall with Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/TECH196975

Hope that helps!!

That is the problem Mithun!  As I stated above, my packages do NOT include NTP!  And it's STILL disabling the Windows Firewall!!!

Here is the response I got from support....this is not the way to go Symantec!!!

-------------------------------------------------

Even with SEP Network Threat Protection not included in an install package, Windows Firewall is disabled when a SEP client install is deployed. This is hard-coded into the SEP product, and unfortunately not configurable.

In order to get around this, you'll have to manually enable Windows firewall after the client is installed, or create a GPO to enable the Windows Firewall on the machine you want it on.

 -------------------------------------------------

 

So, looks like the changed the behavior in 12.1.2?  I don't like it!

 

Mithun, I have a support case number if you want to look.  The link you posted states this should not be happening in 12.1.

Wow, that's a pretty bad answer from Support!! It was working fine in all previous versions of SEP12.1 !!!

I'm running into the same problem at my organization. :( 

Come on Symantec Engineers - Fix it with a patch NOT a new product update or release!! Please.

Almost makes me want to jump ship to M$ Forefront (or whatever it's called now) It's free for us too!!

Here is the guys updated response (he is trying to be helpful at least now), although this solution will still not work for us 100% as we do have exceptions out there to running the firewall, such as hosted servers where firewall needs to be off due to vendor requirements (or even apps with dynamic ports and the vendor doesn't document anything), and Server 2003 servers which offer not dymanic port settings through GPOs, and this is needed for our backup softwrae to work, so for 2003 servers we still have running the firewall is off.  But we still have them, and always have had them since version 11, in the same SEPM groups with other Windows Server versions like 2008, 2008 R2, and now 2012.  I also, do not like you have to wait for it to reboot.  If you push clients, and delay the reboot to after hours, or the weekend, there will be periods where your servers are NOT running with any firewall at all.  This change in 12.1.2 makes no sesnse to me:

----------------------------------------------------

After some testing, I see there is a way to re-enable the windows firewall using the SEP firewall policy on the SEPM.

In the SEPM, go to the Policies tab.

Click Firewall, and right-click the firewall policy, choose edit.

On the left side, choose Windows Integration.

Under the category "Disable Windows Firewall", choose "restore if disabled".

This will require a restart to finish enabling the Windows Firewall, because this is a startup command.

After you are done with these steps, before clicking OK, go back up to Overview on the left side. Click the Used By tab. Assign this policy to all groups, or the groups that need Windows firewall enabled. Click OK.

 

*******************************************

In order to export a client install package with these above settings included, so you can have this configured next time you push a client upgrade/install from the SEPM, do these steps:

Click Admin tab. Click Install Packages.

Right click a client install package, for example Windows 32bit. Choose Export.

Choose a group under Export Settings that has the above firewall policy. According to my testing, all of this should work fine even without Network Threat Protection component installed.

Well, the guy on my case wants to close it already as he thinks this is expected behavior.  But I am pushing back.  From waht Mithun linked, SEP should not disable the Windows Firewall unlese you deploy NTP in the package.  Since I am not, then I am saying bug.  Will see if they respond differently.

OK, pushing back worked after I linked them to the article Mithun posted, it's a bug, and now we have to wait and see:

------------------------------------------

I was able to reproduce the issue you are facing, even with the firewall policy withdrawn completely, and of course NTP not in the package.

I am currently escalating the case 'higher up the chain' to get a bug track and hopefully, a future fix going for the issue. I'm keeping the case, just making it known to engineering that a bug has been discovered.

I'll update you as soon as I have more information on the status of the bug tracking.

Nice. Good work and thanks for sticking with it!!

Again, my point earlier was that Symantec made it possible in SEP12.1 to have the NTP module on without the FW module enabled. It was working perfectly fine in 12.1.0 and 12.1.1.

Hello,

Could you Please PM me your Case number so that I could look into this immediately.

I would like to have a look at this issue.

Hope that helps!!

As u mentioned Mithun,

only the full package will disable the FW not the only antivirus

This is a pretty ridiculous bug and makes me wonder about the QA testing at Symantec since we waited so long for 12.1.2 anyway. 

 

Even with the following settings we are still seeing calls about the firewall being off.

 

 

I am really hoping for a soultion that isnt "wait until the next patch" because there are a lot of great things in 12.1.2 we want to use.

I understand what you mean.  We were waiting for 12.1.2 for so long.  As it plans right now, until there is a fix, everything that is currently deployed will stay on 12.1.1.  New installs on Windows 8 and Server 2012 dont' seem to have the problem where the firewall gets disabled for whatever reason.  Seems to happening when upgrading from a previous version.  At least thats what I have found so far.

So after spending some time working on this today what it is doing is turning back on the Domain Network Firewall but not the Home or Public network firewall and is causing the flag to pop up on some machines.

 

 

You need to turn back on the firewalls using the "Use Recommended Settings" button with an administrator account.

Firstly, thanks to JGamblin for pinging me on this one via twitter.  I've had our engineering team take a look and while we do have QA steps for this, they may not be testing post upgrade (just a new install) and its also quite early in our dev cycle that the tests were run.  We are looking into this, but have proactively created a defect internally, if you have support add your cases to this etrack: 3012201 then we would be very grateful!

thanks

Is this the default behaviour to disable the builtin Windows Firewall when SEP client is installed on the workstation ?

John, I think it's only the default behavior if the package you are installing includes Network Threat Protection since it's a bad idea to have two firewalls running.  But if you aren't installing that piece of SEP, it should leave your current Windows Firewall settings intact.  However, with 12.1.2, it's not, so it's a bug they are working on.  I haven't had any more requests for logs, etc from support, so I am taking that means they have what they need, or they know to have experienced the same thing and are working on a fix.  But sadly, things like this means it will have to be addressed in code, and we have to wait for the next release to get it fixed. 

Mithun got my information last week as well, so I know more than just one person in the support team is looking at this.

 

This appears to affect Windows 7 as well - or it would, if we were not pushing out Firewall policies via GPO.

Running "netsh advfirewall show allprofiles" from the command line on a Windows 7 machine that has been upgraded to SEP 12.1.2 shows all firewall profiles as set to "OFF", while the GUI shows it as being "ON" in this scenario (GPO forcing firewall on, post upgrade of SEP).  We have verified that in this state, the firewall is on, despite what netsh tells us.  You can use the command "netsh advfirewall set allprofiles state on" to turn the firewall back on on your servers.

Ah yes you are right, because in my server deployment I didn't deploy the NTP component and it seems to be working just fine, but for the workstation I deployed all of them completely.

Let me know once you know the solution from SYmantec.

Same issue here.  This is a MAJOR issue!  Almost as bad as when it brought down my entire network after the initial release and name change to Endpoint Protection.  Any updates on this latest issue?

Same issue here. Upgrading from 11.0.7200.1147 to 12.1.2015.2015. Windows XP SP3, Windows 7 SP1 32 and 64 bit, Windows Server 2003 all affected. If the old client is manually uninstalled, then the new one does NOT disable the Windows Firewall, otherwise, it is left disabled. Fresh installs are fine too. The package is the default package with features turned off via Client Install Feature Set (NTP is turned off). Please keep this thread alive.

No, I have not heard a thing from support.

I opened a support case, but it has been worthless.  The support person doesn't seem to understand the issue, and keeps directing me to this page: http://www.symantec.com/docs/TECH196975

They are telling me that it is a work around for this problem, and then I explain (once again!) that I am not installing, nor ever have, installed the NTP module, and that it happens on an upgrade, etc.

I have quoted the symantec employee up above with the internal etrack number, but support seems clueless.

This is unacceptable, and is proving to be most frustrating.  I've been able to work around it by setting a GPO to force the firewalls on (which I already had on my clients, but not on my servers).

It seems ridiculous that Symantec can't seem to acknoledge this easily reproducable problem.

I suggest you forward this connect link and highlight that Paul M has posted the etrack and your case needs to be linked (assuming the issue is the same).

Hi All,

Thanks for the comments - some support folks are adding cases to the defect - we already have a couple linked - so the messages are getting through.

Our QA team have investigated this and can reproduce the issue on upgrades.  It seems to be related to this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE\WindowsFirewallState if its set to 14 prior to upgrade, things seem to work OK.  If its set to 0 prior to upgrade, the Windows firewall is disabled.

We are having our installer team take a look at this and see what can be changed.

More info as I get it.

thanks

I have, multiple times.  That is part of what is frustrating.

Thanks for the information.  Please keep us posted as we want to roll this out but can't because of this!

I'm seeing this as well. I hope an update is in the works quickly!

Paul, did you mean set to 1? It is set to 0 on my clients.

Interestingly, the Symantec Support tool (SymHelp) says the following prior to the upgrade: The Windows Firewall is enabled, but its settings are being managed by Symantec Endpoint Protection. This is somewhat unexpected since Symantec firewall is not deployed.

 

Oh, it gets better!

For this case to be attached to the E-track numbner I would require the SST log of the affected machine.

Once I receive the logs  I would share the same with the Advance Line technician. Once he goes through the logs he would be able to do the needful.

That is a direct quote from Symantec support.

Like there is a single affected machine, like this is hard to reproduce, so they need to gather logs.  Facepalm.

 

Oh, and "do the needful"?  Really?

I can confirm the same problems, windows firewall is disabled during the upgrade process from 12.1.1 to 12.1.2 in a mixed environment of WinXP, Win7 32/64bit and remains disabled until manually enabled.  As others have already stated we do the same, our install package does not include NTP as we did not have NTP in previous version as we do not want to use NTP modules at this time, rather use windows.  Furthermore, resolving this issue by either a GPO or some type of reg fix is unacceptable, Symantec should not be releasing an untested product.

Hi Paul,

Sure to confirm, on our system running 12.1.1 the registry value is set to 0 however I cannot change the value to 14, keep getting error "Cannot edit WindowsFirewallState: Error writing the value's new contents."

Dave

Same issues for my deployment. All past versions had the same installation policy, which did not include NTP, and the Windows Firewall was not disabled.

With the latest build 12.1.2, with NTP still not being installed, we are seeing the Windows Firewall being disabled. This can be a pain as people call the helpdesk saying they need Administrative rights to turn it back on.

With many of the users being mobile they don't always get the GPO to re-enable the Windows firewall.

what is the current status on this issue?

I see a kB article stating the issue occurs on upgrade from SEPv11 to SEPv12.1RU1 and here in the thread the issue is about upgrading towards SEPv12.1RU2.

We need to start our upgrade from SEP11 to SEP12, but I have put it on hold untill I get more info about this issue.

has it been resolved? has it been cleared out allready when it appears?

 

Kr,

Frederik

Any updates?

I'm curious about how this is going to work when there is a fix. We haven't loaded RU2 because of it. I know if the fix comes in a maintenance patch, we'll need to push out RU2 which breaks the firewall, then roll out MP1. Is there any chance of a RU2a?

I was the original person who opened a case on this to Symantec, and I have heard anything back from them at all.  ZERO!  

Unfortunately, we are plagued by this issue, also.

I just realized it today after several critical servers were reporting the Windows Firewall is turned off.  We intentionally removed the NTP on the SEP client after having some big initial problems (BSOD on Hyper-V clusters, etc) with that component of the client.  I didn't even think this would be an issue, since I've removed the NTP from the packages since then.

I would love to know the resolution to this, now that I have to manually spot check all of my servers to ensure the firewalls get turned back on...

The suggestion to set the option in the SEP console to re-enable the firewall would be great!  But you have to reboot for it to work, which is unacceptable on production servers.  To make it sting even more, reading the other posts shows this doesn't even truly work, so you STILL have to manually enable it.

Awesome "feature" Symantec!

What we ended up doing was spot checking the servers. Even with a group policy enabling the firewall, SEP disabled it and a reboot would re-enable the firewall.

So if you don't want to wait for a reboot to re-apply your GPO, then you have to manually turn the firewall back on.

We recently submitted a data capture report to Symantec Tech Support from upgrade 12.1.1.x > 12.1.2.x documenting the disabling of firewall.  Symantec continues to acknowledge the bug, however has yet to offer a fix other than suggestions to address this by GPO or other non-Symantec remedy to re-enable the firewall.  That said we are in holding pattern as this would impact thousands of our systems.

I received an e-mail from a Symantec engineer earlier today that states this issue would be resolved in the upcoming version of SEP 12.1_RU3. Anxiously awaiting it ;)

I just got around to installing SEP 12.1 RU2 on a few desktop clients (Windows XP Pro SP3) and have noticed the number of Disabled endpoints is growing in the Home screen Endpoint Status window.  The "Firewall Status" says "Disabled".

For what it's worth my desktop clients have NTP installed and enabled.  Their SEP firewall policy is not enabled (the policy checkbox is UNchecked) while the clients are on the network.  Yet they are now showing as having a firewall disabled status when they're not supposed to have the SEP firewall on at all.  And on the client if you open the SEP console and go to Change Settings > Network Threat Protection Configure Settings it shows a check mark in Enable Firewall.  This should be UNchecked because the policy is not enabled.  This is happening on older clients (12.1.1000.157) (because they've yet to be updated).  The few RU2 (12.1.2015.2015) clients I have installed show the NTP Configure Settings "Enable Firewall" box UNchecked.

FYI -

If you do a scripted 'un-install' of either v12.1 SEP client, restart and then re-install it w/o the Network Threat Protection (NTP) component, the issues w/ the Symantec 'firewall' blocking various things is resolved and the Windows Firewall (enabled on all our PC's) is fine/in control.

hi,

we also stoped deploying 12.1.2 when we noticed the strange firewall beheviour.

to summerize,

when we upgrade from 12.1.1. to 12.1.2 we get notices from win action center that firewalls are off.

looking at the control panel win_fw seams on and under the control of SEP.

looking at the SEP gui we notice NTP is still deployed but enable check mark is absent.

at this point we need away of understanding which fw are on.

i would also like to know how to activate aleast one fw perferably NTP and preferably a SEPM policy while waiting for a fix so that we can restart deploy.

grateful for any advice

I have noticed this also.

Trouble is we only use the SEP firewall under certain conditions on laptops.

So when these conditions are not met the Windows firewall is up (well it used to be)

To my users then they have NO FIREWALL most of the time and this is unacceptable!

Can I push 12.1.1 MP1 back to these clients via the console?

Will that work?

Where is the support on this matter!!

You can set up a script to run the command "netsh advfirewall set allprofiles state on" to turn the firewall back on. 

 

It only gets turned off the once, during the upgrade from the previous version, so that script only has to be run once against each device.  Or you can turn it back on via GPO.

hi,

thanks for the reply.

is there anyway we can set this via NAC compliance?

 

hi all,

speaking to support i was given the impresssion that the fw will only be active if a fw policy is assigned to the location in question.

also firewall states can be checked via sym help tool.

states are: installed - enabled - active (rules enabled)

 

Thanks for that Wapiti.

It shows as being on if I run "netsh advfirewall show allprofiles" but in control panel shows as off and managed by SEP.

 

In my situation the firewall policy was not enabled, and network threat protection was not installed with the update but the installer still disabled the firewall. Luckily we deploy the windows firewall settings via GPO so it is still enabled. 

In the control panel view it shows as enabled.  The command netsh advfirewall show allprofiles shows all profiles in an off state though.  I did a port scan on random clients to verify that the firewall was indeed turned on though and it was. 

The bottom line is that the upgrade path will disable the windows firewall.  A new install will not.  This needs to be added to the Known Issues for 12.1 RU 2 client installs. 

My company might be switching to Microsoft Forefront for antivirus in the near future though so this might be a mute point.

Hi

Symantec is aware and investigating this issue.  This document will be updated as more information is available.  To work around this issue, uninstall completely, the previously installed legacy SEP client.  Perform a clean, non-migrated installation of Symantec Endpoint Protection 12.1 RU2 client.

For more information please refere the link below.

http://www.symantec.com/business/support/index?page=content&id=TECH200415&actp=search&viewlocale=en_US&searchid=1361424657306

Regards

 

 

We already considered this option... a poor option when the SEP Manager Remote Console is already in place as a deployment tool.  Performing a clean uninstall renders our ability to utilize Manager Remote Console, requiring fall back to GPO or other scripted re-deployment.  This is just another work around for a poorly crafted release of 12.1.RU2.

Once again, nothing back from support yet as far as being the first person who submitted this issue.  My case better still be open.  I haven't looked though.

Hi

Try repairing the client

Regards

 

Not a solution sameer.  We want to remote deployment/upgrades.  I am still just not deploying RU2 because of this one bug that should have been caught in development.  Hopefully next version fixes it, and doesn't break anything else like this.

Word from my engineer:

"Engineering is working on code fix. Targeted for RU3 Release - June 2013.  I will notify customer of pending product release.  Customer needs product fix in RU3 to resolve issue."

Hard to believe we have to wait well over 6 months for a fix.

I believe we are also porting this fix to RU2 MP1, due in March.. let me confirm..

Confirmed, this will be in our RU2 MP1 release, due this month.

Sameer,

Please carefully review this complete string of comments and understand that a real bug was found with 12.1.2015, we are aware of the bug and asking for an answer as to when the fix will be released.  We are aware of the many work arounds however none of them address the basic needs and function of client deployment via console.  Your comments are wrong and misleading.

So what would be the supported way of doing this? It seems that going to MP1 from RU1, you have to break the firewall first, then apply the fix.

Well Paul, my engineer isn't keeping in contact with me very much about this. Awaiting RU2 Mp1. Almost the end of March, still hasn't been released.

Should be available later this week, I think we are RTM'ing later today.  A couple of late fixes held it up a little, my apologies.

Paul, is there going to be official guidance on how to apply the patch for systems still on RU1 to mimimize the firewall issue? Since its not an RU, I'm assuming you have to break the Windows Firewall before the fix, unless we just wait for RU3 in June.

It is confirmed that this issue will be fixed in Symantec Endpoint Protection 12.1 Release Update 2 Maintenance Patch 1 (SEP 12.1 RU2 MP1):
 

Installing any Symantec Endpoint Protection package without the firewall disables Windows Firewall
Fix ID: 3063585
Symptom:  After installing Symantec Endpoint Protection with a configuration that installs only Virus and Spyware or Proactive Threat Protection, the application still disables the Windows Firewall.
Solution: Updated the installer conditions to properly recognize previously stored Windows Firewall states and the install or removal of Symantec Endpoint Protection firewall components.
 

Hi,

But if I install a package with NTP (2015.2015) and the Windows firewall is still enabled.. This is correct?

 

Regards,

What is the full version number of this release (12.1. RU2 MP1) is it 12.1.2015.2015?

That is 12.1 RU2

Don't think a version number has been released yet for 12.1 RU2 MP1

 

It's 12.1.2100.2093.

Release notes are here:

New fixes and features in Symantec Endpoint Protection 12.1 Release Update 2 Maintenance Patch 1
http://www.symantec.com/docs/TECH204685 
 

The client-only patch can be found here:

Symantec Endpoint Protection 12.1 RU2 MP1 Client-only patches
http://www.symantec.com/docs/TECH204859 
 

Hello Mick2009

When will be SEP RU2 MP1 available fileconnect.

 

Yeah, I don't see it on FileConnect yet either. Hello, Symantec!?

Here is an article with more information:

https://www-secure.symantec.com/connect/blogs/latest-symantec-endpoint-protection-released-sep-121-ru2-mp1

Mick2009, it's not showing/available via/ FileConnect w/ either of my licenses. When will it be available? Later today perhaps?

Hello,

Are you using the Symantec Protection Suite Enterprise Edition 4.0??

If yes, I am unable to see the Symantec Protection Suite Enterprise Edition 4.0 showing the SEP 12.1 RU2 MP1.

It may be uploaded in few days.

In case you are not using Symantec Protection Suite Enterprise Edition 4.0, you may see it within 24 hours.

Hope that helps!!

Hi

Please follow the link below:

http://www.symantec.com/business/support/index?page=content&id=TECH200415&actp=search&viewlocale=en_US&searchid=1366199460407

Regards