Creating a firewall policy

Symantec Endpoint Protection includes a default Firewall policy with default firewall rules and default firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.
When you install the console for the first time, it adds a default Firewall policy to each group automatically.
Changing the name of the default Firewall policy may result in an upgrade not updating the policy. The same applies to the default rules within the default Firewall policy.
Every time you add a new location, the console copies a Firewall policy to the default location automatically. If the default protection is not appropriate, you can customize the Firewall policy for each location, such as for a home site or customer site. If you do not want the default Firewall policy, you can edit it or replace it with another shared policy.
The following table describes the tasks that you can perform to configure a new firewall policy. You must add a firewall policy first, but thereafter, the remaining tasks are optional and you can complete them in any order.
How to create a firewall policy

Task: Add new firewall rules
Description: Firewall rules are the policy components that control how the firewall protects client computers from malicious incoming traffic and applications. The firewall automatically checks all incoming packets and outgoing packets against these rules. It allows or blocks the packets based on the information that is specified in rules. You can modify the default rules, create new rules, or disable the default rules.
When you create a new Firewall policy, Symantec Endpoint Protection provides default firewall rules that are enabled by default.

Task: Enable and customize notifications to users that access to an application is blocked
Description: You can send users a notification that an application that they want to access is blocked.
These settings are disabled by default.

Task: Enable automatic firewall rules
Description: You can enable the options that automatically permit communication between certain network services. These options eliminate the need to create the rules that explicitly allow those services. You can also enable traffic settings to detect and block the traffic that communicates through NetBIOS and token rings.
Only the traffic protocols are enabled by default.
If the Symantec Endpoint Protection client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking computer for a set period of time. The IP address of the attacking computer is blocked for a single location.
This option is disabled by default.

Task: Configure protection and stealth settings
Description: You can enable settings to detect and log potential attacks on the client and block spoofing attempts. You can enable the settings that prevent outside attacks from detecting information about your clients.
All of the protection options and stealth options are disabled by default.

Task: Integrate the Symantec Endpoint Protection firewall with the Windows firewall
Description: You can specify the conditions in which Symantec Endpoint Protection disables the Windows firewall. When Symantec Endpoint Protection is uninstalled, Symantec Endpoint Protection restores the Windows firewall setting to the state it was in before Symantec Endpoint Protection was installed.
The default setting is to disable the Windows firewall once only and to disable the Windows firewall disabled message.

Task: Configure peer-to-peer authentication
Description: You can use peer-to-peer authentication to allow a remote client computer (peer) to connect to another client computer (authenticator) within the same corporate network. The authenticator temporarily blocks inbound TCP and UDP traffic from the remote computer until the remote computer passes the Host Integrity check.
This option is disabled by default.
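
Because the Windows firewall integration changes the Windows firewall state at install time and restores it at uninstall, it is useful to record that state before the client is deployed and compare it afterward. The following script is an added example, not Symantec code: it uses the built-in Get-NetFirewallProfile cmdlet (Windows 8 / Windows Server 2012 or later), and the baseline file path is an assumed placeholder.

```powershell
# Added example: record and compare Windows firewall profile state.
# Run with -Mode Save before the client is installed, and with
# -Mode Compare after install or uninstall to see what changed.
param(
    [ValidateSet('Save', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = 'C:\ProgramData\fw-baseline.json'  # assumed path
)

function Get-FirewallState {
    # One record per profile (Domain, Private, Public); enum values are
    # flattened to strings so they survive the JSON round trip unchanged.
    Get-NetFirewallProfile | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Enabled  = [string]$_.Enabled
            Inbound  = [string]$_.DefaultInboundAction
            Outbound = [string]$_.DefaultOutboundAction
        }
    }
}

if ($Mode -eq 'Save') {
    Get-FirewallState | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-FirewallState

# Report every profile setting that differs from the saved baseline.
$drift = foreach ($cur in $current) {
    $old = $baseline | Where-Object Name -eq $cur.Name
    foreach ($prop in 'Enabled', 'Inbound', 'Outbound') {
        if ($old.$prop -ne $cur.$prop) {
            [pscustomobject]@{
                Profile  = $cur.Name
                Setting  = $prop
                Baseline = $old.$prop
                Current  = $cur.$prop
            }
        }
    }
}

if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
Write-Output 'Windows firewall profiles match the baseline.'
```

A difference reported while the client is installed is expected when the policy disables the Windows firewall; a difference that remains after uninstall means the earlier state was not restored and the host may have no active host firewall.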
When you enable firewall protection, the policy allows all inbound IP-based network traffic and all outbound IP-based network traffic, with the following exceptions:
  • The default firewall protection blocks inbound and outbound IPv6 traffic with all remote systems.
    IPv6 is a network layer protocol that is used on the Internet. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.
  • The default firewall protection restricts the inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing).
    Internal network connections are allowed and external networks are blocked.