ATP Host Integrity and Quarantine Firewall policies are auto-applied when EDR 2.0 is enabled.

Article ID: 170694

Products

Endpoint Protection

Issue/Introduction

When Advanced Threat Protection (ATP) 3.0 is integrated with a Symantec Endpoint Protection (SEP) 14 RU1 or newer environment, enrolling in Endpoint Detection and Response (EDR) 2.0 adds an ATP Host Integrity policy and an ATP Quarantine Firewall policy to the SEP Manager and applies them to client groups.

Environment

ATP 3.0
SEP 14 RU1

Resolution

By default, ATP 3.0 auto-deploys the ATP Host Integrity and ATP Quarantine Firewall policies to the SEP Manager enrolled in EDR 2.0. If any client groups within the SEP Manager do not already have a Host Integrity policy and/or a Quarantine Firewall policy applied, the ATP-deployed policies are applied to those groups. Note, however, that ATP does not overwrite existing policies that are already applied.

Although this behavior is working as designed, it can have the unintended consequence of isolating clients even when ATP's Client Isolate feature is not in use.

If a client group has a pre-existing Host Integrity (HI) policy assigned but no Quarantine Firewall policy, ATP assigns the ATP Quarantine Firewall policy to that group. If the HI policy then fails on a client, that client applies the quarantine location, which isolates it from the network.
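
The assignment rule above can be run against a group inventory before enrollment to see which groups end up in the isolating combination. This is an added example, not Symantec code: the group names, the non-ATP policy names and the inventory layout are constructed assumptions to be replaced with what you see in your own SEP Manager.

```python
# Added example: models the assignment rule described in this article.
# Inventory layout, group names and non-ATP policy names are constructed.
ATP_HI = "ATP Host Integrity"
ATP_QFW = "ATP Quarantine Firewall"

# Policies applied per client group BEFORE EDR 2.0 enrollment.
# None means no policy of that type is applied to the group.
GROUPS_BEFORE = {
    "My Company/Servers":   {"host_integrity": "Corp HI Baseline", "quarantine_firewall": None},
    "My Company/Laptops":   {"host_integrity": "Corp HI Baseline", "quarantine_firewall": "Corp Quarantine FW"},
    "My Company/Kiosks":    {"host_integrity": None, "quarantine_firewall": None},
    "My Company/Lab":       {"host_integrity": None, "quarantine_firewall": "Corp Quarantine FW"},
}


def predict_after_enrollment(groups):
    """ATP fills empty policy slots and never overwrites an existing policy."""
    return {
        name: {
            "host_integrity": pol["host_integrity"] or ATP_HI,
            "quarantine_firewall": pol["quarantine_firewall"] or ATP_QFW,
        }
        for name, pol in groups.items()
    }


def isolation_risk_groups(groups):
    """Groups with a pre-existing HI policy that gain the ATP Quarantine
    Firewall policy: an HI failure there now isolates the client."""
    after = predict_after_enrollment(groups)
    return sorted(
        name for name, pol in groups.items()
        if pol["host_integrity"] and not pol["quarantine_firewall"]
        and after[name]["quarantine_firewall"] == ATP_QFW
    )


def auto_assigned(groups):
    """Map each group to the list of ATP policies it would receive."""
    after = predict_after_enrollment(groups)
    return {
        name: [p for slot, p in after[name].items() if groups[name][slot] != p]
        for name in groups
    }


if __name__ == "__main__":
    for name, added in auto_assigned(GROUPS_BEFORE).items():
        print(f"{name}: receives {added or 'nothing'}")
    print("Review HI failure handling for:", isolation_risk_groups(GROUPS_BEFORE))
```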