How to configure which events are logged on the Symantec Endpoint Protection (SEP) Firewall logs


Article ID: 155842


Products

Endpoint Protection

Issue/Introduction

The default firewall log settings in Symantec Endpoint Protection Manager (SEPM) either do not log events for the rules the customer wants to monitor, or they log events the customer does not need to keep. The customer therefore wants to customize which firewall events are written to the log.

Cause

The logging parameters set by default when Symantec Endpoint Protection Manager (SEPM) was installed do not match that customer's monitoring needs.

Resolution

To perform the modifications from within a specific client group:

  1. In the SEPM, go to Clients, select the group for which you want to make the changes, and open the Policies tab. If "Inherit policies and settings from parent group 'My Company'" is enabled, either disable it or make the changes in the parent group from which the policies are inherited.
  2. In that group's Policies tab, the Firewall Policy is listed below. Click the blue Tasks link and choose either "edit shared" (the changes apply to every group the current firewall policy is assigned to) or "create a non shared" policy (a new policy with the new settings, applied only to the current group and to its sub-groups that have policy inheritance enabled).
  3. On the left, click "Rules". Use the horizontal scroll bar below the rule list to scroll right to the "Logging" column. Right-click each firewall rule you want to edit and choose the option you need ("write to traffic log" or "write to packet log"). Note that "write to packet log" only produces entries if the packet log itself is enabled in the group's client log settings; it is disabled by default and is considerably more verbose than the traffic log. When all changes have been made, click OK to save them.

To perform the modifications from within the Policies tab:

In the SEPM, go to Policies. In the policy list, click Firewall and select the Firewall Policy you want to modify. Click "Edit the policy" in the Tasks list below and follow step 3 above. The new settings take effect for all groups that policy is assigned to.

To configure this setting upon creation of a new Firewall rule:

When you add a new firewall rule to an existing Firewall Policy, the last setting you are prompted for concerns the logging of events triggered by that rule. At that stage you are only asked to confirm whether these events should be logged, by answering "yes" or "no"; if you answer yes, the events are written to the Traffic log by default. Once the rule is created, you can change this setting with the same procedures described above for editing existing firewall rules.

Note: all modifications made in the SEPM are picked up by the Symantec Endpoint Protection (SEP) clients only on the next heartbeat (the client's automatic contact with the server) or when you manually force a content update. To force the update, right-click a group of SEP clients or a single SEP client, choose "run command on group/client" and then "update content".
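Before changing per-rule logging, it helps to know which rules are actually producing the volume and which ones never show up at all. The following script is an added example, not part of the original article or of any Symantec tool. It assumes a CSV export of the SEPM Traffic log with the column names "Time Stamp", "Event Type", "Rule Name", "Action", "Local Host", "Remote Host" and "Remote Port", and the action values "Allowed" and "Blocked"; check the header row of your own export and adjust the constants if they differ. The sample export and the rule list are constructed for illustration.

```python
"""Summarise SEP firewall traffic-log volume per rule to decide which
rules should keep, gain or lose logging.

Added example, not from the original Symantec article. The column names,
the action values and the sample data below are assumptions; compare them
with the header row of your own SEPM Traffic log export.
"""
import csv
import io
from collections import Counter

# Assumed column names of the SEPM Traffic log export (adjust to your export).
RULE_COL = "Rule Name"
ACTION_COL = "Action"
BLOCKED = "Blocked"

# Constructed sample export; not a real SEPM export.
SAMPLE_EXPORT = """\
Time Stamp,Event Type,Rule Name,Action,Local Host,Remote Host,Remote Port
2024-01-10 09:00:01,Traffic,Allow DNS,Allowed,10.0.0.15,10.0.0.1,53
2024-01-10 09:00:02,Traffic,Allow Web,Allowed,10.0.0.15,93.184.216.34,443
2024-01-10 09:00:03,Traffic,Allow DNS,Allowed,10.0.0.15,10.0.0.1,53
2024-01-10 09:00:04,Traffic,Block Inbound SMB,Blocked,10.0.0.15,10.0.0.77,445
2024-01-10 09:00:05,Traffic,Allow Web,Allowed,10.0.0.15,93.184.216.34,443
2024-01-10 09:00:06,Traffic,Allow DNS,Allowed,10.0.0.15,10.0.0.1,53
2024-01-10 09:00:07,Traffic,Block Telnet,Blocked,10.0.0.15,10.0.0.99,23
2024-01-10 09:00:08,Traffic,Allow Web,Allowed,10.0.0.15,93.184.216.34,443
2024-01-10 09:00:09,Traffic,Block Inbound SMB,Blocked,10.0.0.15,10.0.0.78,445
2024-01-10 09:00:10,Traffic,Allow DNS,Allowed,10.0.0.15,10.0.0.1,53
"""

# Constructed list of the rule names present in the Firewall Policy.
POLICY_RULES = ["Allow DNS", "Allow Web", "Block Inbound SMB",
                "Block Telnet", "Allow ICMP"]


def load_events(export_text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(export_text)))


def events_per_rule(events):
    """Count logged events per firewall rule."""
    return Counter(e[RULE_COL] for e in events)


def noisy_rules(events, threshold):
    """Rules that logged at least `threshold` events: the candidates for
    turning 'write to traffic log' off if you do not need them."""
    counts = events_per_rule(events)
    return sorted(rule for rule, n in counts.items() if n >= threshold)


def blocked_per_rule(events):
    """Blocked events per rule. Block rules are the ones you normally want
    to keep logging, whatever their volume."""
    return Counter(e[RULE_COL] for e in events if e[ACTION_COL] == BLOCKED)


def silent_rules(policy_rules, events):
    """Policy rules that never appear in the export: either they never
    matched, or logging is switched off for them (the setting the
    procedure above changes)."""
    seen = set(events_per_rule(events))
    return sorted(set(policy_rules) - seen)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EXPORT)
    print("Events per rule:", dict(events_per_rule(evs)))
    print("Noisy (>= 3 events):", noisy_rules(evs, 3))
    print("Blocked per rule:", dict(blocked_per_rule(evs)))
    print("Rules with no logged events:", silent_rules(POLICY_RULES, evs))
```

Run it against your own export (for example, `load_events(open("traffic.csv").read())`) and use the three lists as the input to the procedure above: disable logging on the allow rules that dominate the volume, keep it on the block rules, and check whether the silent rules are silent because logging is off for them.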


Applies To

Any supported environment.