Endpoint Protection

I'm trying to properly set up the Symantec Endpoint Protection 12.1 RU1 firewall on an unmanaged client, and I cannot seem to do so.

After setting up my basic rules, I want to create two final rules -- allow all outgoing traffic, then block all traffic.  This should allow all outgoing traffic (and, because of the stateful firewall, it should allow all responses to that traffic) while blocking all unsolicited incoming traffic.  However, I can't seem to do this with unmanaged client firewall rules.

To set up that first rule, I would create it as:  "Allow" action, all hosts, Ethernet protocol (blank/all types), OUTGOING direction only.

The problem is that the SEP firewall does not allow a CLIENT rule to set the protocol direction for the Ethernet protocol; it forces the direction to "Both".  SEPM allows you to set the direction, but that doesn't help because this is an UNMANAGED client.

Does anyone know if there's any way to set the direction for the Ethernet protocol in a client rule?

Please do NOT simply state that the default configuration is to allow all traffic.  I don't care what the default configuration is.  I want to explicitly create the rules so that I can be sure they are set up exactly the way I want (allowing ONLY what I want, and not allowing anything I don't want).

Hi,

I think Unmanged client we dont Manage withSEPM Server.

Hello,

Check this Article which may assist you with Firewall Rules on Unmanaged Client:

Firewall Policies on Unmanaged Clients

http://www.symantec.com/docs/TECH105725

Manually enabling network file and printer browsing for unmanaged Symantec Endpoint Protection 11.0 clients.

http://www.symantec.com/docs/TECH102586

I don't mean to sound rude, but did you even read what I wrote?  It doesn't seem like it since your reply has nothing to do with my question.

I know how to create a rule; the problem is that the unmanaged client does not allow you to set the direction for the Ethernet protocol when you create the rule.  It allows you set the direction if you choose the IP, TCP, or UDP protocol, but not when you choose the Ethernet protocol.

I appreciate the attempt to help, but if the reply is unrelated to the question asked, then it's not helpful.

Hello,

I understand. My Mistake. It happens when we try to assist too many Threads at the same time.

This seems to be by design.

In your case, I would suggest - Before selecting the "Ethernet" protocol; change the Traffic Directions first as required and then select the "Ethernet" Protocol and then the Ethernet type.

Hope that helps!!

I did try changing the direction first and then selecting the Ethernet protocol, and when the rule is created, the rules list does show it as outgoing only.  Unfortunately, when you close the list and re-open it, the direction is shown as "Both".  Somewhere along the line, SEP automatically changed the direction.

I don't understand why SEP doesn't allow you to set the direction on an unmanaged client.  Using SEPM, you can set the direction in a policy rule.  It doesn't make sense that you can set the direction in a policy rule, but not in a client rule.

Hello,

I have created an IDEA (Enhancement Request) on your behalf.

Let's Promote this and I hope this feature could be enabled in the upcoming Versions.

https://www-secure.symantec.com/connect/ideas/unable-set-directions-ethernet-protocol-unmanaged-client

Hope that helps!!

To implement the two final rules you want but simultaneously having the possibility to create client firewall rules, the following should work:

• Create a new empty group on your SEPM.
• Under Client > policies, switch to Mixed mode (to keep both SEPM and client FW rules)
• Create the FW policy with the two rules (Allow and Block) below the blue line. These rules can be the only rules in the policy. For testing, it's a good idea to enable logging (traffic log).
• Now create a package of an Unmanaged Client. Under Admin > Install Packages > Client Install Packages > Export ..., select your settings, particularly choose "Export an unmanaged client" and "Export Packages with the policies from the following groups" and check the new group.

• Deploy the package (Home > Common tasks > Install protection client > Existing Package Deployment, and follow the wizard)

Now you have an unmanaged client with two FW rules that always will be used after the rules defined by the user. You cannot see or change these rules, but you can see their results in the traffic log (if logging is enabled).

Hello,

I agree with Greg's workaround. Worth Trying...

Creating a Unmanaged package with Custom Policies. Check this Article:

Creating an installation package for unmanaged clients with custom policies.

http://www.symantec.com/docs/TECH105320

Hope that helps!!