To determine if the protection agent firewall feature is blocking network traffic, an "Allow All" rule can be created that lets network traffic bypass the other firewall rules lower in the rule list. This rule type is intended as a testing mechanism only and should not be left in place. The rule is built so that it matches all network traffic, so none of the rules below it will be triggered.
This document contains steps for SEP and SES. While the management platform and Firewall policy are different between the two products, the concept of testing with an Allow All rule is the same.
WARNING: Creating the Allow All rule is a troubleshooting step only and is not a resolution to this issue. Leaving an Allow All rule permanently in place significantly reduces the computer's security posture.
NOTE: If you do not know the ports and protocols the application uses, consult the application vendor's documentation.
How to test with an Allow All rule
An Allow All rule provides a way to test firewall rules and determine whether or not the protection agent is blocking traffic. This type of rule is configured to match all traffic and allow it, which prevents subsequent rules from triggering, because the SEP and SES agents process firewall rules in sequential order: any rule below the Allow All rule in the firewall rule list will never be matched.
When using the steps below, always start with the Allow All rule at the top of the firewall rule list, as rule number 1. When the rule is in this position, all the rules below it are effectively bypassed. Test for the issue with this policy in place.
- If the issue does not occur, then it is possible to configure a firewall rule to resolve the issue because one of the rules below it was blocking the traffic.
- If the issue still occurs, then a firewall rule is not the root cause.
Assuming the issue cannot be reproduced with the Allow All rule in position 1, move the rule halfway down the list of firewall rules and test again.
- If the issue does not occur, then it is possible to configure a firewall rule to resolve the issue because one of the rules below it was blocking the traffic.
- If the issue recurs, then a firewall rule above the Allow All rule is blocking the traffic.
Continue to move the Allow All rule as necessary until the offending firewall rule has been identified. Other items that may help isolate the issue to a specific firewall rule:
- Enable logging for any rules where the action is Block.
- Consult the application vendor whose traffic is being blocked and obtain their Firewall/Port requirements document.
Symantec Endpoint Protection (On-Premise)
Create an Allow All rule for managed clients
Caution: It's recommended to use a Test group and Test firewall policy for any Allow All rule testing to ensure the policy is only applied to designated test systems.
- In the SEPM, click Clients, then click the Test Group (or create one if it doesn't exist).
- While the Test Group is selected, click the Policies tab and, under Policy inheritance, uncheck "Inherit policies and settings from parent group".
- Click Policies (on the left), then choose Firewall.
- Select the firewall policy in question. Under Tasks, click Copy the policy, acknowledge the prompt.
- Under Tasks, choose Paste a policy. Rename the policy to indicate it's a policy for testing.
- Double click the test firewall policy to edit it.
- Under Windows Settings, select Rule.
- Click the Add Blank Rule button (bottom center).
- Verify there is a new rule named Rule 0 in position 1, and then make the following adjustments:
  - Verify Enabled is checked
  - Change the Name to Allow All
  - Action should be set to Allow
  - Application, Host, Service, and Time should be set to Any
  - Log set to None
  - Adapter set to All Adapters
- Click OK to save the policy
- Right click the Test policy, choose Assign, then assign it to the Test group.
Follow the remaining steps under the Perform Rule Isolation section below.
Create an Allow All rule for unmanaged clients
- In SEP, on the Status page, click Options (next to Network Threat Protection).
- Click Configure Firewall Rules...
- Click Add.
- Name the rule: Allow All Test.
- Click the radio button Allow this traffic.
- Click OK. This creates the rule at the bottom of the rules list.
- Click the rule Allow All Test, and then click the up arrow until the rule is at the top of the rules list.
- Click OK.
Symantec Endpoint Security (Cloud Managed)
Caution: It's recommended to use a Test group and Test firewall policy for any Allow All rule testing to ensure the policy is only applied to designated test systems.
- In the SES Cloud portal, click Devices then Device Groups, click on the Test Group (or create one if it doesn't exist).
- Click Policies (on the left), under Quick Filters, expand Policy Type, then select Firewall.
- Select the firewall policy in question. Click Duplicate Policy.
- Rename the policy to indicate it's a policy for testing.
- Under Firewall Rules, click the Add button, then configure the rule with these settings:
  - General section:
    - Rule Name: Allow All
    - Enable the rule: toggled on
    - Action: Allow, Logs: No logging
  - Leave the Applications, Hosts, Network Services, Network Adapters, and Schedules sections at their defaults, which is their respective "all" setting.
  - Click the Submit button.
- The new Allow All rule should be number 1 in the list.
- Click Save.
- Click Apply Policy, choose the Test group, click Next, then Next again after confirming any Policy Target Rule, then Submit after confirming desired changes.
Note: To move a SES firewall rule up or down the list, you must select the rule, then click Cut. Locate the rule that you want to place your Allow All rule above, select it, then click Paste. This moves the rule to the position directly above it.
Follow the remaining steps under the Perform Rule Isolation section below.
Perform rule isolation
After completing the steps above for either version of the product to create the initial Allow All Rule, use the remaining steps here to isolate the issue further.
NOTE: After making any policy change, wait for the protection agent to download and apply the newest policy before testing.
1. Test to confirm the status of the issue.
2. Edit the firewall policy.
3. Click the Allow All rule to highlight it, then move it halfway down the list:
   - SEP (On-prem): Click the Move Down button to move the rule halfway down the list.
   - SES (Cloud): Move the rule halfway down the list using the Cut/Paste buttons.
4. Save the changes and ensure the policy updates for managed clients.
5. Test to confirm the status of the issue again.
   - If the issue returns, move the Allow All Test rule up one line.
   - If the issue still does not reproduce, move the rule down again and retest.
6. Repeat steps 2-5 as necessary until the rule blocking the traffic has been identified.
7. Once you have identified the blocking rule, move the Allow All Test rule directly above it.
8. Modify the Allow All Test rule to refine the host or service ports and minimize the scope of what the rule allows.
9. Refine the rule to further restrict access to only what is necessary (for example, allow traffic where remote host = , and local port = 3389, to allow inbound RDP traffic from one host or a specified range).
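As an added example (not Symantec's code, and not how the agent is implemented), the Python model below shows the first-match rule processing described under "How to test with an Allow All rule" and carries the rule isolation steps above through as a full bisection, then places a narrowed allow rule directly above the blocking rule. The sample policy, hosts, ports, and the choice that unmatched traffic is allowed are constructed assumptions of this model.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard standing in for the SEP/SES "Any" / "all" rule fields
@dataclass
class Rule:
    name: str
    action: str         # "allow" or "block"
    host: str = ANY     # remote host, or ANY
    port: object = ANY  # port number, or ANY

def evaluate(rules, host, port):
    """First-match walk, top to bottom: the order in which the agent processes the list."""
    for r in rules:
        if r.host in (ANY, host) and r.port in (ANY, port):
            return r.action, r
    return "allow", None  # assumption of this model: unmatched traffic is allowed

def blocked(rules, host, port):
    return evaluate(rules, host, port)[0] == "block"

def with_allow_all(rules, position):
    """Copy of the list with an Allow All test rule inserted at 0-based position."""
    return rules[:position] + [Rule("Allow All", "allow")] + rules[position:]

def isolate_blocking_rule(rules, host, port):
    """Bisect with the Allow All rule; returns the blocking Rule, or None if no rule blocks."""
    if not blocked(rules, host, port) or blocked(with_allow_all(rules, 0), host, port):
        return None  # no issue, or the firewall rules are not the root cause
    lo, hi = 0, len(rules)  # invariant: test rule at lo passes traffic, at hi it is blocked
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if blocked(with_allow_all(rules, mid), host, port):
            hi = mid  # issue returned: a rule above mid blocks, move the test rule up
        else:
            lo = mid  # still passes: the blocking rule is lower, move the test rule down
    return rules[lo]

def refined_allow(rules, blocking_rule, host, port):
    """Replace the broad test rule with a narrow allow placed directly above the blocking rule."""
    idx = rules.index(blocking_rule)
    narrow = Rule(f"Allow {port} from {host}", "allow", host=host, port=port)
    return rules[:idx] + [narrow] + rules[idx:]

# Constructed sample policy (not a real SEP/SES policy); host is the remote peer.
POLICY = [
    Rule("Allow DNS", "allow", port=53),
    Rule("Allow HTTPS out", "allow", port=443),
    Rule("Block inbound RDP", "block", port=3389),
    Rule("Block all inbound", "block"),
]
```

Each `with_allow_all` call corresponds to one round of moving the test rule and retesting; `refined_allow` is the final step of shrinking the temporary rule to a single host and port before the Allow All rule is removed.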