There are two ways to accomplish the requirement:
- Using a Firewall policy to block wireless traffic.
- Using an Application and Device control policy to disable the wireless traffic.
Using location awareness, set up two locations named "Ethernet" and "Wireless"; this is required for both methods. The instructions below first cover setting up the locations and then cover blocking wireless traffic while an Ethernet interface is connected, using Symantec Endpoint Protection 14.x.
Setting up automatic location switching:
- Select Clients > Policies in the Symantec Endpoint Protection Manager console.
- To add the "Ethernet" location, under "Tasks", select Add Locations.
- In "Specify Location Name" type: Ethernet
- Click Next.
- Under "Specify the Condition", select Network Connection Type.
- Under "Connection Type" select Ethernet.
- Click Next > Finish.
- To add the "Wireless" location, under "Tasks", select Add Locations.
- In "Specify Location Name" type: Wireless
- Click Next.
- Under "Specify the Condition", select Network Connection Type.
- Under "Connection Type" select Wireless.
- Click Next > Finish.
- Select Manage Locations.
- Select to highlight Wireless.
- Under "Switch to this location when:" select Client computer uses Wireless.
- Click Add.
- Select Add Criteria with AND Relationship.
- Under "Specify Location Criteria", select Network Connection Type.
- Select If the client computer does not use the network connection type specified below.
- Select Ethernet.
- Click OK > OK.
Note: Because of the second criterion on the "Wireless" location, the client switches out of this location as soon as an Ethernet cable is attached.
Using a Firewall policy to block wireless traffic:
- Select Clients > Policies in the Symantec Endpoint Protection Manager console.
- Under "View Policies", select Firewall.
- Double-click the Firewall Policy for the "Ethernet" location.
- Select Rules on the left.
- Click the "Add a new Blank Rule." button on the lower right side of the window.
- Select the Blank Rule made in the previous step and move it to the top of the rule list.
- Double-click Action and select Block.
- Double-click Adapter and select Wireless.
- Leave "Application", "Host", "Service" and "Time" as Any.
- Click OK. The configuration is now complete.
Note: With this method, some initial packets (such as DHCP) can still be sent over the wireless interface while the client is in the Ethernet location.
Using an Application and Device control policy to disable the wireless traffic:
Device control specifies which hardware devices are allowed or blocked on client computers. In this case, you need the hardware Device ID string for the specific wireless adapters that you want to block. The ID for a hardware device can be found using the "DevViewer" tool.
The below-mentioned article explains where to find the DevViewer tool, which helps you find hardware device IDs for device blocking in Symantec Endpoint Protection (SEP).
The "Device ID" string will have a format similar to the following:
PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_03\1&F31B64E&0&21BC
Note: Wildcards can be used in the Device ID, and it is recommended to shorten the string just enough to match all hardware of the same model.
For example: PCI\VEN_8086&DEV_4220&SUBSYS_27128086* OR PCI\VEN_8086&DEV
Once the "Device ID" string has been found using the DevViewer tool:
- Open the Symantec Endpoint Protection Manager console and navigate to the "Policies" tab.
- Expand the Policy Components list and select Hardware Devices.
- Select Add Hardware Device, enter a name, and paste in the Device ID string for the wireless adapter (do not enter it as a "Class ID").
- Go to Clients > Policies in the console.
- Create a new (or edit the existing) "Application and Device Control Policy" for the Ethernet location.
- Select Device Control and add the newly created Hardware Device to the "Blocked Devices" list.
Note: Hardware devices can be identified and blocked by either "Class ID/GUID" or "Device ID." The "Class/GUID" option cannot be used in this case as it would typically be the same for all network adapters.
Always test this in a lab before implementing it in the production environment.
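One way to do that test on a client before the policy is rolled out, added here as an example and not part of the Symantec article: the script lists the physical adapters with the same PnP instance path that DevViewer reports as the Device ID, shows which of them a candidate wildcard pattern would match, and flags a pattern that has been shortened so far that it also matches the wired adapter. The pattern value is a constructed sample, and the Net class GUID listing at the end illustrates the note above about why "Class ID/GUID" cannot single out the wireless adapter.

```powershell
# Added example (not from the Symantec article): preview which local adapters a
# candidate SEP "Device ID" wildcard pattern would match before it goes into the
# "Blocked Devices" list. Run in an elevated PowerShell on a test client.
# The default pattern is a constructed sample; replace it with the string taken
# from DevViewer for the adapter model you intend to block.
param(
    [string]$Pattern = 'PCI\VEN_8086&DEV_4220&SUBSYS_27128086*'
)

function Test-WirelessBlockPattern {
    param([Parameter(Mandatory)][string]$Pattern)

    # Get-NetAdapter -Physical exposes the PnP instance path as PnPDeviceID;
    # this is the same string DevViewer shows as the "Device ID".
    $adapters = Get-NetAdapter -Physical -ErrorAction Stop

    foreach ($a in $adapters) {
        # -like uses '*' wildcards, matching the shortened-pattern convention above.
        $hit = $a.PnPDeviceID -like $Pattern
        [pscustomobject]@{
            Adapter  = $a.Name
            Media    = $a.PhysicalMediaType   # 'Native 802.11' = Wi-Fi, '802.3' = Ethernet
            DeviceID = $a.PnPDeviceID
            Matches  = $hit
            # A hit on a non-802.11 adapter means the pattern is too broad: in the
            # Ethernet location it would also block the wired NIC.
            TooBroad = $hit -and ($a.PhysicalMediaType -ne 'Native 802.11')
        }
    }
}

$result = Test-WirelessBlockPattern -Pattern $Pattern
$result | Format-Table -AutoSize

if ($result | Where-Object TooBroad) {
    Write-Warning "Pattern '$Pattern' also matches a non-wireless adapter; use a longer, more specific string."
}
if (-not ($result | Where-Object Matches)) {
    Write-Warning "Pattern '$Pattern' matches no adapter on this client; re-check the Device ID from DevViewer."
}

# Every network adapter, wired or wireless, shares the same Net class GUID,
# which is why blocking by "Class ID/GUID" would affect all adapters.
Get-PnpDevice -Class Net -PresentOnly |
    Select-Object FriendlyName, ClassGuid, InstanceId |
    Format-Table -AutoSize
```

Run it once with the pattern you plan to use and once with a deliberately shorter one to see where the match set starts to include the Ethernet adapter.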