Advanced Settings

Built-in Rules
These settings detect and block traffic that communicates through drivers, NetBIOS, and token rings. You can also configure settings to detect traffic that uses stealthier attack techniques.
Allowed traffic protocols and other settings

Enable NetBIOS protection
  Blocks NetBIOS traffic from an external gateway.
  You can use Network Neighborhood file and printer sharing on a LAN and still protect a device from NetBIOS exploits from any external network. This option blocks the NetBIOS packets (UDP 88, UDP 137, UDP 138, TCP 135, TCP 139, TCP 445, and TCP 1026) that originate from IPv4 and IPv6 addresses that are not part of the defined ICANN internal ranges.
  NetBIOS protection can cause a problem with Microsoft Outlook if the agent device connects to a Microsoft Exchange Server that is on a different subnet. You might want to add the IP address of the server to the list of devices that intrusion prevention excludes. Endpoint Security processes the excluded devices list before it processes the built-in rules.
  This option is disabled by default.

Enable reverse DNS lookup
  Lets the firewall perform a reverse DNS lookup on IP addresses and compare the resulting domain name with the domain name defined in a firewall rule. Applies only to rules that use domain names in their host definitions.
  Enable this option if you use any DNS firewall rules. If it is disabled, the firewall cannot apply a DNS rule to traffic that uses the IP address of the domain. Typically, it is more secure to specify IP addresses rather than domain names in firewall rules.
  When this option is enabled, the agent device might experience a performance impact if responses from the DNS servers are slow.
  This option is disabled by default.
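
The following is an added example, not Symantec's code: a toy policy evaluator that applies the checks described above in the order the page gives them, the excluded devices list first, then the built-in NetBIOS rule, then a firewall rule whose host is a domain name, which can only be matched against an IP packet when reverse DNS lookup is enabled. The list of "internal ranges", the `DomainRule` type, the constructed packets and the PTR mapping standing in for a reverse lookup are assumptions made for this example.

```python
"""Added example, not Symantec's code: a toy evaluator that applies the checks
above in the order the page gives them: excluded devices first, then the
built-in NetBIOS rule, then a domain-name rule, which can only match an IP
packet when reverse DNS lookup is enabled. The "internal ranges" list, the
constructed packets and the PTR mapping are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# NetBIOS ports listed in the option description.
NETBIOS_PORTS = {("udp", 88), ("udp", 137), ("udp", 138),
                 ("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 1026)}

# Assumption: "ICANN internal ranges" read as private, link-local and loopback space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str         # source IP address as text
    dst_port: int


@dataclass(frozen=True)
class DomainRule:
    """A firewall rule whose host definition is a domain name (hypothetical type)."""
    action: str      # "block" or "allow"
    domain: str      # matches the name itself or any subdomain of it


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def netbios_protection_blocks(pkt: Packet) -> bool:
    """Built-in rule: NetBIOS ports reached from a non-internal source are blocked."""
    return (pkt.proto, pkt.dst_port) in NETBIOS_PORTS and not is_internal(pkt.src)


def evaluate(pkt: Packet,
             excluded_hosts: List[str],
             rules: List[DomainRule],
             reverse_dns: Optional[Callable[[str], Optional[str]]] = None,
             netbios_protection: bool = True) -> str:
    """Return a short verdict string for one packet."""
    # 1. The excluded devices list is processed before the built-in rules.
    if pkt.src in excluded_hosts:
        return "allow (excluded device)"
    # 2. Built-in NetBIOS protection.
    if netbios_protection and netbios_protection_blocks(pkt):
        return "block (NetBIOS protection)"
    # 3. Domain-name rules need a reverse lookup to apply to an IP packet;
    #    with reverse DNS disabled (reverse_dns is None) they are skipped.
    if reverse_dns is not None:
        name = reverse_dns(pkt.src)
        for rule in rules:
            if name and (name == rule.domain or name.endswith("." + rule.domain)):
                return f"{rule.action} (rule for {rule.domain})"
    return "no match"


# Constructed data: an Exchange server on another subnet is excluded, and one
# PTR record stands in for a reverse DNS lookup.
CONSTRUCTED_EXCLUDED = ["203.0.113.20"]
CONSTRUCTED_RULES = [DomainRule("block", "blocked.example")]
CONSTRUCTED_PTR: Dict[str, str] = {"198.51.100.7": "mail.blocked.example"}


def demo() -> Dict[str, str]:
    cases = {
        "lan_netbios": Packet("udp", "192.168.1.10", 137),
        "external_netbios": Packet("udp", "203.0.113.5", 137),
        "excluded_exchange": Packet("tcp", "203.0.113.20", 135),
        "domain_with_rdns": Packet("tcp", "198.51.100.7", 443),
        "domain_without_rdns": Packet("tcp", "198.51.100.7", 443),
    }
    out = {}
    for label, pkt in cases.items():
        rdns = None if label.endswith("without_rdns") else CONSTRUCTED_PTR.get
        out[label] = evaluate(pkt, CONSTRUCTED_EXCLUDED, CONSTRUCTED_RULES, rdns)
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22s} -> {verdict}")
```

The "excluded_exchange" case shows why the ordering matters: the Exchange server sits outside the internal ranges and speaks on TCP 135, so NetBIOS protection alone would block it, and only the exclusion processed first lets Outlook through. The two "domain_*" cases show the same packet being caught by a domain-name rule when a reverse lookup is available and passing unmatched when it is not.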
Protection Settings
Protection settings

Enable port scan detection
  Monitors all incoming packets that any firewall rule blocks. If a rule blocks several different packets on different ports in a short period of time, Endpoint Security creates an alert.
  Port scan detection does not block any packets.

Enable denial of service detection
  Denial of service detection is a type of intrusion detection. When it is enabled, the agent blocks traffic if it detects a pattern from known signatures, regardless of the port number or type of Internet protocol.

Enable anti-MAC spoofing
  Allows inbound and outbound traffic for the following protocols only if a request was made to that specific host:
    • Address Resolution Protocol (ARP)
    • Neighbor Discovery Protocol (NDP)
  It blocks all other unexpected traffic of these types and logs it as an alert.
  Media Access Control (MAC) addresses are the hardware addresses that identify devices, servers, and routers. Some hackers use MAC spoofing to try to hijack a communication session between two devices, for example when device A sends a packet to device B.
  Anti-MAC spoofing protects a device from letting another device reset its MAC address table. For example, if a device sends an ARP REQUEST message, the agent allows the corresponding ARP RESPOND message within a period of 10 seconds. The agent rejects all unsolicited ARP RESPOND messages.

Automatically block an attacker's IP address
  Automatically blocks the IP address of a known intruder for a configurable number of seconds.
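
The following is an added example, not Symantec's code, showing two of the stateful checks described in the table above on constructed data. `PortScanDetector` raises an alert, and never blocks anything, when packets blocked by a rule from one source reach several distinct ports within a short window; `ArpGuard` accepts an ARP reply only when the device sent a matching request within the last 10 seconds, the window the anti-MAC spoofing description gives. The scan threshold (5 distinct ports in 60 seconds), the log line format and the log lines themselves are assumptions made for this example.

```python
"""Added example, not Symantec's code: two stateful checks from the table above
on constructed data. PortScanDetector alerts (and never blocks) when blocked
packets from one source reach several distinct ports in a short window.
ArpGuard allows an ARP reply only as the answer to our own request sent in
the last 10 seconds. The threshold, log format and log lines are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class PortScanDetector:
    def __init__(self, distinct_ports: int = 5, window_seconds: float = 60.0):
        self.distinct_ports = distinct_ports          # assumed threshold
        self.window = window_seconds                  # assumed window
        # source IP -> recent (timestamp, destination port) of blocked packets
        self.hits: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alerts: List[Tuple[float, str, List[int]]] = []

    def blocked_packet(self, ts: float, src: str, dst_port: int) -> bool:
        """Record one packet a rule blocked; return True if this raised an alert."""
        q = self.hits[src]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > self.window:       # drop hits outside the window
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= self.distinct_ports:
            self.alerts.append((ts, src, sorted(ports)))
            q.clear()                                 # one alert per burst
            return True
        return False


def parse_log_line(line: str) -> Optional[Tuple[float, str, int]]:
    """Parse a constructed 'ts=.. action=.. src=.. dport=..' line; None unless blocked."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("action") != "block":
        return None
    return float(fields["ts"]), fields["src"], int(fields["dport"])


# Constructed firewall log: one source sweeps five ports within a few seconds,
# another is merely blocked twice on the same port.
CONSTRUCTED_LOG = [
    "ts=100.0 action=block src=203.0.113.9 dport=21",
    "ts=100.2 action=block src=203.0.113.9 dport=22",
    "ts=100.4 action=block src=203.0.113.9 dport=23",
    "ts=101.0 action=allow src=192.168.1.5 dport=443",
    "ts=101.5 action=block src=192.168.1.5 dport=445",
    "ts=102.0 action=block src=203.0.113.9 dport=25",
    "ts=103.0 action=block src=192.168.1.5 dport=445",
    "ts=104.0 action=block src=203.0.113.9 dport=80",
]


def run_port_scan_demo(lines: List[str] = CONSTRUCTED_LOG) -> List[Tuple[float, str, List[int]]]:
    det = PortScanDetector()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is not None:
            det.blocked_packet(*parsed)
    return det.alerts


class ArpGuard:
    """Accept ARP replies only as answers to our own recent ARP requests."""
    REPLY_WINDOW = 10.0   # seconds, as stated for anti-MAC spoofing

    def __init__(self):
        self.pending: Dict[str, float] = {}       # asked-for IP -> request time
        self.alerts: List[Tuple[float, str]] = []  # rejected replies, logged

    def sent_request(self, ts: float, target_ip: str) -> None:
        self.pending[target_ip] = ts

    def reply_allowed(self, ts: float, sender_ip: str) -> bool:
        asked = self.pending.get(sender_ip)
        if asked is not None and 0.0 <= ts - asked <= self.REPLY_WINDOW:
            del self.pending[sender_ip]           # a request is answered once
            return True
        self.alerts.append((ts, sender_ip))       # unsolicited or late: blocked and logged
        return False


if __name__ == "__main__":
    for ts, src, ports in run_port_scan_demo():
        print(f"port scan alert at t={ts}: {src} hit ports {ports}")
    guard = ArpGuard()
    guard.sent_request(0.0, "192.168.1.1")
    print("reply at t=3:", guard.reply_allowed(3.0, "192.168.1.1"))
    print("unsolicited reply:", guard.reply_allowed(4.0, "192.168.1.99"))
```

Note that the detector only ever appends to `alerts`; the log lines it consumes were already blocked by a firewall rule, which is what "port scan detection does not block any packets" means in practice.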
Stealth Settings
When you enable stealth settings, compatibility issues may occur. Some settings can make websites render incorrectly. Other settings can cause all traffic to be blocked when an incompatible NIC is installed.
Stealth settings

Enable stealth mode Web browsing
  Detects HTTP traffic from a web browser on any port. It removes the browser name and version number, the operating system, and the referring web page. It stops websites from detecting which operating system and browser the device uses. It does not detect HTTPS (SSL) traffic.
  Stealth mode web browsing may cause some websites to not function properly. Some web servers build a web page based on information about the web browser. Because this option removes the browser information, some web pages may not appear properly or at all. Stealth mode web browsing removes the browser signature, called the HTTP_USER_AGENT, from the HTTP request header and replaces it with a generic signature.
  This option is disabled by default.

Enable TCP resequencing
  Prevents an intruder from forging or spoofing an individual's IP address.
  IP spoofing is a process that hackers use to hijack a communication session between two devices, such as device A and device B. A hacker can send a data packet that causes device A to drop the communication. Then the hacker can pretend to be device A and communicate with and attack device B. To protect the device, TCP resequencing randomizes TCP sequence numbers.
  OS fingerprint masquerading works best when TCP resequencing is enabled.
  TCP resequencing changes the TCP sequence numbers while the agent service runs, so the numbering differs depending on whether the service is running. Therefore, network connections are terminated when you stop or start the firewall service. TCP/IP packets use a sequence of session numbers to communicate with other devices. When the agent does not run, the agent device uses the Windows numbering scheme. When the agent runs and TCP resequencing is enabled, the agent uses a different numbering scheme. If the agent service suddenly stops, the numbering scheme reverts to the Windows scheme and Windows then drops the traffic packets. Furthermore, TCP resequencing may have a compatibility issue with certain NICs that causes the agent to block all inbound and outbound traffic.
  This option is disabled by default.

Enable OS fingerprint masquerading
  Prevents a program from detecting the operating system of an agent device. The agent changes the TTL and identification value of TCP/IP packets to prevent a program from identifying an operating system.
  OS fingerprint masquerading works best when TCP resequencing is enabled.
  TCP resequencing may have a compatibility issue with certain NICs that causes the agent to block all inbound and outbound traffic.
  This option is disabled by default.
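
The following is an added example, not Symantec's code, showing on constructed data the two kinds of rewrite the stealth settings above describe. `scrub_http_request()` removes the User-Agent (HTTP_USER_AGENT) and Referer headers from a plaintext HTTP request and inserts a generic User-Agent, and it passes through anything that is not plaintext HTTP, such as a TLS record, because HTTPS traffic cannot be inspected. `masquerade_ipv4_header()` rewrites the TTL and Identification fields of an IPv4 header and recomputes the header checksum, the kind of change the OS fingerprint masquerading description mentions. The generic agent string, the replacement TTL and ID values, and the sample request and packet are assumptions made for this example.

```python
"""Added example, not Symantec's code: two stealth rewrites on constructed
data. scrub_http_request() strips User-Agent/Referer from plaintext HTTP and
inserts a generic User-Agent; masquerade_ipv4_header() rewrites TTL and ID in
an IPv4 header and fixes the checksum. Agent string, TTL/ID values and the
sample request and packet are assumptions."""
import struct

GENERIC_USER_AGENT = b"Mozilla/5.0 (compatible)"       # assumed generic signature
STRIPPED_HEADERS = (b"user-agent", b"referer")
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def is_plaintext_http_request(raw: bytes) -> bool:
    """True for a 'METHOD target HTTP/1.x' request line; TLS records never match."""
    first = raw.split(b"\r\n", 1)[0].split(b" ")
    return len(first) == 3 and first[0] in HTTP_METHODS and first[2].startswith(b"HTTP/1.")


def scrub_http_request(raw: bytes) -> bytes:
    if not is_plaintext_http_request(raw):
        return raw                        # HTTPS (TLS) cannot be inspected: pass through
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    kept = [h for h in headers
            if h.split(b":", 1)[0].strip().lower() not in STRIPPED_HEADERS]
    kept.append(b"User-Agent: " + GENERIC_USER_AGENT)   # generic signature replaces the real one
    return b"\r\n".join([request_line, *kept]) + sep + body


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the header bytes as given."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def masquerade_ipv4_header(packet: bytes, ttl: int = 128, ident: int = 0) -> bytes:
    """Return the packet with TTL and Identification rewritten and the checksum fixed up."""
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    hdr = bytearray(packet[:ihl])
    struct.pack_into("!H", hdr, 4, ident)  # Identification field, bytes 4-5
    hdr[8] = ttl                           # TTL, byte 8
    struct.pack_into("!H", hdr, 10, 0)     # zero the checksum, then recompute it
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_sample_ipv4_packet(ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, DF set) followed by a dummy 20-byte payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0x4000, ttl, 6, 0,
                                bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\x00" * 20


CONSTRUCTED_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                       b"Host: www.example.com\r\n"
                       b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0\r\n"
                       b"Referer: http://www.example.com/start\r\n"
                       b"Accept: */*\r\n\r\n")
CONSTRUCTED_TLS = b"\x16\x03\x01\x00\x05hello"   # shaped like a TLS record; left alone


if __name__ == "__main__":
    print(scrub_http_request(CONSTRUCTED_REQUEST).decode())
    before = build_sample_ipv4_packet()
    after = masquerade_ipv4_header(before)
    print("TTL %d -> %d, ID 0x%04x -> 0x%04x, checksum valid: %s" % (
        before[8], after[8], int.from_bytes(before[4:6], "big"),
        int.from_bytes(after[4:6], "big"), ipv4_checksum(after[:20]) == 0))
```

The checksum step is the part that is easy to get wrong: after changing TTL or ID, a header whose checksum is not recomputed is silently discarded by the next hop, which presents as the "all traffic blocked" symptom the page warns about for incompatible NICs. Verifying that the ones'-complement sum over the rewritten header comes out to zero is the usual sanity check.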
Windows Integration
For Windows 7 and later, Endpoint Security takes control of the Windows Firewall instead of disabling it. The Windows Firewall control panel displays the message "These settings are being managed by vendor application Symantec Endpoint Protection". However, the options available in this policy still function as expected.
Options for disabling the Windows Firewall

Disable Windows Firewall
  Configures the action that Symantec Endpoint Security takes when it detects Windows Firewall on the device. Windows Firewall is restored to the state it was in before Endpoint Security installation if you:
    • Uninstall Endpoint Security.
    • Disable the Endpoint Security firewall.
  Endpoint Security retains the Windows Firewall setting when you do a fresh installation.
  The following options are available:
    • No Action
      Keeps the Windows Firewall enabled.
    • Disable Once Only
      Disables Windows Firewall at startup the first time Endpoint Security detects that the Windows Firewall is enabled. On subsequent startups, Endpoint Security does not disable the Windows Firewall.
    • Disable Always
      Disables the Windows Firewall at startup, even if the Windows Firewall is enabled.
      For this option,
    • Restore If Disabled
      Enables the Windows Firewall at startup, even if the Windows Firewall was previously disabled.

Windows Firewall Disabled Message
  Configures the Windows Firewall status message that displays on agent devices when they boot up.
    • Enable
      Displays a startup message on agent devices indicating that Windows Firewall is disabled.
    • Disable
      Suppresses the startup message indicating that Windows Firewall is disabled.
Security Settings
Options for blocking certain types of traffic

Block all traffic until the firewall starts and after the firewall stops
  Blocks the device from receiving traffic between the time that the agent service starts and the firewall starts. The agent also blocks traffic between the time that the firewall shuts down and the agent service shuts down.

Allow initial DHCP and NetBIOS traffic
  Allows the initial traffic that enables network connectivity. This traffic includes the initial DHCP and NetBIOS traffic that allows the agent to obtain an IP address.
  If you disable Allow initial DHCP and NetBIOS traffic, the initial traffic that enables network connectivity is blocked.