Customizing firewall rules

When you create a new Firewall policy, the policy includes several default rules. You can modify one or multiple rule components as needed.
Components of a firewall rule
Actions
The action parameters specify what actions the firewall takes when it successfully matches a rule. If the rule matches and is selected in response to a received packet, the firewall performs all actions. The firewall either allows or blocks the packet and logs or does not log the packet. If the firewall allows traffic, it lets the traffic that the rule specifies access the network. If the firewall blocks traffic, it blocks the traffic that the rule specifies so that it does not access the network.
The actions are as follows:
  • Allow
    The firewall allows the network connection.
  • Block
    The firewall blocks the network connection.
The Mac client firewall monitors packets but does not log them.
This note applies only as of 14.2.
Triggers
When the firewall evaluates the rule, all the triggers must be true for a positive match to occur. If any one trigger is not true in relation to the current packet, the firewall cannot apply the rule. You can combine the trigger definitions to form more complex rules, such as to identify a particular protocol in relation to a specific destination address.
The triggers are as follows:
  • Application
    When the application is the only trigger you define in an allow-traffic rule, the firewall allows the application to perform any network operation. The application is the significant value, not the network operations that the application performs. You can define additional triggers to describe the particular network protocols and hosts with which communication is allowed. See:
  • Host
    When you define host triggers, you specify the host on both sides of the described network connection.
    Traditionally, the way to express the relationship between hosts is referred to as being either the source or destination of a network connection. See:
  • Network services
    A network services trigger identifies one or more network protocols that are significant in relation to the described traffic.
    The local host computer always owns the local port, and the remote computer always owns the remote port. This expression of the port relationship is independent of the direction of traffic. See:
  • Network adapter
    If you define a network adapter trigger, the rule is relevant only to the traffic that is transmitted or received by using the specified type of adapter. You can specify either any adapter or the one that is currently associated with the client computer. See:
Conditions
Rule conditions consist of the rule schedule and screen saver state.
The conditional parameters do not describe an aspect of a network connection. Instead, the conditional parameters determine the active state of a rule. You may define a schedule or identify a screen saver state that dictates when a rule is considered to be active or inactive. The conditional parameters are optional and if not defined, not significant. The firewall does not evaluate inactive rules.
Notifications
The Log settings let you specify whether the server creates a log entry or sends an email message when a traffic event matches the criteria that are set for this rule.
The Severity setting lets you specify the severity level of the rule violation.
  1. To customize firewall rules
  2. In the console, open a Firewall policy.
  3. On the
    Firewall Policy
    page, under
    Windows Settings
    or
    Mac Settings
    , click
    Rules
    .
    For versions earlier than 14.2, there is no option for
    Mac Settings
    .
  4. On the
    Rules
    tab, in the
    Rules
    list, in the
    Enabled
    field, ensure that the box is checked to enable the rule; uncheck the box to disable the rule.
    Symantec Endpoint Protection
    only processes the rules that you enable. All rules are enabled by default.
  5. Double-click the
    Name
    field and type a unique name for the firewall rule.
  6. Right-click the
    Action
    field and select the action that you want
    Symantec Endpoint Protection
    to take if the rule is triggered.
  7. In the
    Application
    field, define an application. See:
  8. In the
    Host
    field, specify a host trigger. See:
  9. In addition to specifying a host trigger, you can also specify the traffic that is allowed to access your local subnet. See:
  10. In the
    Service
    field, specify a network service trigger. See:
  11. In the
    Log
    field, specify when you want
    Symantec Endpoint Protection
    to send an email message to you when this firewall rule is violated. See:
  12. Right-click the
    Severity
    field and select the severity level for the rule violation.
  13. In the
    Adapter
    column, specify an adapter trigger for the rule. See:
  14. In the
    Time
    column, specify the time periods in which this rule is active.
  15. Right-click the
    Screen Saver
    field and specify the state that the client computer's screen saver must be in for the rule to be active.
    The
    Created At
    field is not editable. If the policy is shared, the term Shared appears. If the policy is not shared, the field shows the name of the group to which that the non-shared policy is assigned.
  16. Right-click the
    Description
    field, click
    Edit
    , type an optional description for the rule, and then click
    OK
    .
  17. If you are done with the configuration of the rule, click
    OK
    .