Network application does not work with Endpoint Protection firewall installed

Article ID: 157771

Products

Endpoint Protection

Issue/Introduction

A network application no longer works on computers where Symantec Endpoint Protection (SEP) and its firewall component is installed.

If you uninstall the SEP firewall component, the network application works normally.

Cause

The SEP firewall may block network traffic that the network application requires to function properly.

Resolution

To determine whether the SEP firewall blocks network traffic, create a rule that allows all network traffic through the firewall, then test the rule.

If the application issue is resolved by adding this rule, reconfigure the SEP firewall to allow the network traffic.

WARNING: Creating the Allow All rule is a troubleshooting step only, and is not a resolution to this issue. Leaving an Allow All rule permanently in place significantly reduces the computer's security posture.

Once you have created the Allow All rule, test the network application to confirm that the application works. If the application works, the original firewall ruleset configuration does not allow network traffic through to the application.

Next, remove the Allow All rule. You will need to create an additional firewall rule (or modify an existing rule) to allow the application's network traffic through SEP's firewall. If you do not know the ports and protocols the application uses, consult the application vendor's documentation.

Most vendors will specify which network ports and protocols their application uses to function so that you can properly configure firewalls.

Create an Allow All rule for managed clients

Caution: Before creating the Allow All rule in Symantec Endpoint Protection Manager (SEPM), move the client into a client group by itself, with a non-shared policy. This ensures that the following test does not affect other computers. To move clients, right-click the client, then choose Move.
  1. In the SEPM, click Clients, then select the client group that contains the affected client computer.
  2. Click the Policies tab.
  3. If the group is still inheriting policies, uncheck Inherit policies and settings from parent group.
    This action may take several seconds to complete.
  4. Click the Firewall policy for this client group to open it for editing.
  5. If the group uses a shared policy, choose Create Non-Shared Policy From Copy.
  6. Click Rules.
  7. Click Add Rule....
  8. Name the rule: Allow All Test.
  9. Click Allow connections, and then click Next.
  10. Click Allow Applications, and then click Next.
  11. Click Any computer or site, and then click Next.
  12. Click All types of communication (all protocols and ports, local and remote), and then click Next.
  13. Click No, and then click Finish. This creates the rule at the bottom of the rules list.
  14. Click the new rule, and then click Move Up until the rule is at the very top of the rules list.
  15. Click OK.
  16. Once you have created the Allow All rule, force the client to download the changed policy from the SEPM. To do this, right-click the SEP icon in the Windows system notification area, and then click Update Policy. Alternatively, you can restart the computer to download the new policy immediately.

Create an Allow All rule for unmanaged clients

  1. In SEP, on the Status page, click Options (next to Network Threat Protection).
  2. Click Configure Firewall Rules....
  3. Click Add.
  4. Name the rule: Allow All Test.
  5. Click the radio button Allow this traffic.
  6. Click OK. This creates the rule at the bottom of the rules list.
  7. Click the rule Allow All Test, and then click the up arrow until the rule is at the top of the rules list.
  8. Click OK.

Perform rule isolation

  1. Test to confirm the status of the issue.
    • If the issue is not resolved:
      • Try disabling the firewall locally or via policy.
      • Use the steps for Unmanaged and individual clients to test removing the firewall component.
      • Determine if the desired traffic is not using an IP. The Allow All rule does not cover all Ethernet protocols, and you may need to specify an Ethernet protocol type in the rule (for example: 0x886f for Load Balancing).
    • If the issue is resolved, continue with the following steps to isolate further and refine the rule.
  2. Open the firewall rules as described above (managed clients: steps 1-6; unmanaged clients: steps 1-2).
  3. Click the Allow All Test rule to highlight it.
  4. Click the Move Down or down arrow button to move the rule below the next enabled rule that has an action of Block in the list.
  5. Save the changes, and ensure the policy updates for managed clients.
  6. Test to confirm the status of the issue again.
    • If the issue returns, move the Allow All Test rule up one line.
    • If the issue still does not reproduce, move the rule down again per step 4 and retest.
  7. Once you have identified a blocking rule, move the Allow All Test rule directly above the blocking rule.
  8. Modify the Allow All Test rule to refine the host or service ports and minimize the scope of what the rule allows.
    • Refine the rule to further restrict access to only what is necessary (for example, allow traffic where remote host = , and local port = 3389, to allow inbound RDP traffic from one host or a specified range).
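As an added illustration of the rule-isolation walk above (not part of the original article and not SEP's own code), the following Python models a top-down, first-match rule list and automates steps 2 through 8 on a constructed sample policy, including the non-IP case from step 1. The rule names, hosts, and the simplified host/port matching are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

IP_ETHERTYPES = frozenset({0x0800, 0x86DD})  # IPv4/IPv6: what "all protocols and ports" covers

@dataclass
class Packet:
    remote_host: str
    local_port: int
    ethertype: int = 0x0800      # e.g. 0x886f (NLB) is non-IP and needs its own Ethernet rule

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    enabled: bool = True
    remote_host: Optional[str] = None   # None = any computer or site
    local_port: Optional[int] = None    # None = any local port
    ethertypes: frozenset = IP_ETHERTYPES

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled and pkt.ethertype in self.ethertypes
                and self.remote_host in (None, pkt.remote_host)
                and self.local_port in (None, pkt.local_port))

def evaluate(rules, pkt, default="block"):
    """First matching rule from the top of the list wins; no match -> default."""
    return next((r.action for r in rules if r.matches(pkt)), default)

def isolate_blocking_rule(rules, pkt):
    """Put an Allow All Test rule on top; if that resolves the issue, step it below
    each enabled Block rule and retest until the issue returns. Returns the culprit's
    name, "(default action)" if no explicit rule blocks, or None if Allow All on top
    does not help (check the firewall itself or a non-IP Ethernet protocol type)."""
    test = Rule("Allow All Test", "allow")
    if evaluate([test, *rules], pkt) != "allow":
        return None
    for i, r in enumerate(rules):
        if r.enabled and r.action == "block":
            moved = [*rules[:i + 1], test, *rules[i + 1:]]
            if evaluate(moved, pkt) == "block":   # issue came back: r is the blocker
                return r.name
    return "(default action)"

def refine(rules, blocker, pkt):
    """Replace the broad test rule with a narrow allow (one host, one local port)
    placed directly above the blocking rule, as in the article's final step."""
    narrow = Rule("Allow app", "allow", remote_host=pkt.remote_host, local_port=pkt.local_port)
    i = next(i for i, r in enumerate(rules) if r.name == blocker)
    return [*rules[:i], narrow, *rules[i:]]

# Constructed sample policy in SEPM top-down order (not a real SEP export).
POLICY = [Rule("Allow DNS", "allow", local_port=53),
          Rule("Block RDP", "block", local_port=3389),
          Rule("Block all other traffic", "block")]
RDP_FROM_ADMIN = Packet("192.0.2.10", 3389)   # constructed: the one host that needs RDP in
```

Running `isolate_blocking_rule(POLICY, RDP_FROM_ADMIN)` identifies the Block RDP rule, and `refine` yields a policy that admits RDP only from that host while every other host stays blocked.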

If this article does not resolve the issue, see Configuring firewall settings for mixed control for information on user interface control settings in the client.

For additional information on configuring firewall rules, see Managing firewall protection.