Importing policies from
Symantec Endpoint Protection Manager

You can export your policies from
Symantec Endpoint Protection Manager
to the cloud console. After the import, you can apply the policies to your device groups.
You access policy import in one of the following ways:
  • Policies > Import Policy
  • My Tasks > Import policies from
    Symantec Endpoint Protection Manager
    into the cloud
You can repeat policy import as many times as you need.
Policy import is one part of an upgrade to
Symantec Endpoint Security
. The following page describes the upgrade process, including how to upgrade the client version. See:
Overview
  • Export the
    Symantec Endpoint Protection Manager
    policies that you want to import as .DAT files. Save the files to the local drive. See:
  • Select the policy files that you want to import.
  • Review your selection for errors. See:
  • Resolve conflicts between imported policies and existing cloud policies through a policy override or a new policy.
    Creating a new policy is the default option.
  • Review the selected actions.
To upgrade the client software, make sure you install the Symantec Agent installation package on the devices that you want to manage with the cloud. You can also take specific steps to convert existing
Symantec Endpoint Protection Manager
client computers to cloud-managed devices. See:
Requirements
  • Exported
    Symantec Endpoint Protection Manager
    policies must be in the .DAT file format. Other file formats are not supported.
  • Supported
    Symantec Endpoint Protection Manager
    versions include 12.1.6 and later. Version 14.2 RU1 policies provide additional information to the cloud during import.
  • You can import a maximum of 50 policies at one time.
    This file number limit prevents performance issues during import.
  • The maximum supported file size is 1MB per file.
    This file size limit prevents the import of a corrupted policy file.
The following table shows the policy types that are supported for import:
Symantec Endpoint Protection Manager
policy types supported for import
Policy type
Policy type after import
Virus and Spyware Protection
Antimalware
Firewall
Firewall
If a firewall rule contains a host group, the import creates a new host group. The new host group appears in the cloud under
Settings > Host Groups
.
Firewall network service groups are not yet supported in the cloud. If you import a Firewall policy that contains a network service group, the individual entries from the network service group appear in the imported policy.
While firewall adapters are imported, they are not linked to components in a firewall policy in the cloud. Point-to-Point Tunneling Protocol (PPTP) adapters are not imported.
Intrusion Prevention
Intrusion Prevention
If the imported policy contains any IP addresses, IP ranges, or subnets as Excluded Hosts, then those appear in a new Host Exclusions Allow List policy.
If the imported policy contains changes to the default settings for Memory Exploit Mitigation options, then a separate MEM policy is created. If the imported policy contains default settings, then no separate MEM policy is created.
Custom IPS settings are not imported. This support is planned for a future release.
Application and Device Control > Device Control
Device Control
If a device control rule contains a custom device that appears in
Symantec Endpoint Protection Manager
> Policies > Policy Components > Hardware Devices
, then the import creates a new custom device. The new custom device appears in the cloud under
Endpoint > Policies > Policy Components > External Devices
.
Application Control policies and Mac and Linux settings are not imported. This support is planned for a future release.
LiveUpdate Settings
System
NTLM Authentication is not supported for import. You should uncheck the NTLM-related checkboxes before exporting the LiveUpdate Settings policy from
Symantec Endpoint Protection Manager
.
This support is planned for a future release.
Memory Exploit Mitigation
Memory Exploit Mitigation
Exceptions
Deny List
Allow List
Mac and Linux settings, DNS or Host File Change Exceptions, Application Exceptions, and scan types of
Application Control
and
All
are not imported. This support is planned for a future release.
Troubleshooting policy import
Use the following information to troubleshoot any messages that you see before or during the import process.
Messages during file validation
Message
Reason
Next steps
File size exceeds the maximum supported limit of 1 MB.
The policy file size is too large.
Remove the file from the list of policy files to import.
Only the .DAT file format is supported.
The file extension is something other than .DAT.
Remove the file from the list of policy files to import.
You have selected more than 50 files to import.
You have selected more than the maximum limit of 50 policy files.
Remove as many files as necessary to bring the total file count down to 50 or fewer.
Messages during import
Message
Reason
Next steps
Unsupported policy type.
Since the policy type is not supported, there is no further action to take.
Invalid policy file.
The file is not a valid policy file or is corrupted.
Export the file again from
Symantec Endpoint Protection Manager
, and then import the new file.
Unknown failure reason.
  1. You exported the policy file from an older version of
    Symantec Endpoint Protection Manager
    , and it cannot be properly interpreted during import.
  2. You imported multiple policy files with the same name at the same time.
  1. If you confirm that the policy file is a supported policy type and it is from a supported
    Symantec Endpoint Protection Manager
    version, then contact Support for assistance. See:
  2. Only import one policy file of the specified name at a time.
How the cloud handles policy file conflicts
Sometimes, a
Symantec Endpoint Protection Manager
policy that you intend to import conflicts in one way or another with a policy that already exists in the cloud.
You can override the cloud policy with the imported policy by checking the following box during import:
In case of conflict, override the existing policy with the new policy
.
The
Symantec Endpoint Protection Manager
policy name appears within the policy file, and that policy name becomes the cloud policy name. The name of the policy file does not become the cloud policy name.
If you selected to override the existing policy in case of conflict and there is a name conflict with an existing cloud policy:
  • A new version of the policy is created.
  • Once the import is complete, you are prompted to apply the new version to the groups to which the previous version applies.
  • The previous version of the policy is preserved, so that you can roll the policy back to this version if needed.
If there is a name conflict with an existing cloud policy and you do not select that option:
  • A new version is created with an auto-generated suffix, such as
    [1]
    or
    [2]
    . This suffix gives the policy a unique name.
  • You can apply the new version to your groups as needed.
More information