About the setting "Block all traffic until the firewall starts"


Article ID: 157370


Updated On:


Endpoint Protection


What is the firewall setting: Block all traffic until the firewall starts and after the firewall stops?


One of the traffic settings for the Firewall component of Symantec Endpoint Protection (SEP)  is "Block all traffic until the firewall starts and after the firewall stops." There is also a sub-option "Allow initial DHCP and Net BIOS traffic."

What are these options and when should they be used?


The core "Block all traffic until the firewall starts and after the firewall stops" prevents all network communication when the Network Threat Protection (NTP) firewall driver is disabled. This setting is used to block a small but exploitable opportunity for a remote process to attach to Windows while it is booting or shutting down during which the firewall driver is not active and no firewall protection is in place. Please note: the core setting blocks ALL network traffic in or out until the driver starts.

The sub-option  "Allow initial DHCP and Net BIOS traffic" creates a single exception to the network traffic block to allow a client the ability to acquire basic network connectivity. All other traffic remains blocked until the firewall driver starts.


This setting should be used in conjunction with a location awareness policy and only used in scenarios in which the client may be connecting to a public network or an environment beyond the control of the enterprise network administrators. It is not recommended for use inside a corporate network. Most enterprise domains require additional authentication or connection requirements at boot and log-in sequences using NTLM and kereberos. Additional security policy items may require connection to a domain controller to even allow a machine to be logged unto or unlocked. Use of this setting in such an environment can cause significant delays in the ability to log into a machine, and in some scenarios may make log-in impossible.