ATP Host Integrity and Quarantine Firewall policies are auto-applied when EDR 2.0 is enabled.

Article ID: 170905

Products

Endpoint Protection, Endpoint Detection and Response, Advanced Threat Protection Platform

Issue/Introduction

After integrating Advanced Threat Protection (ATP) 3.0 with a Symantec Endpoint Protection (SEP) 14 RU1 or newer environment and enrolling in Endpoint Detection and Response (EDR) 2.0, an ATP Host Integrity (HI) policy and an ATP Quarantine Firewall (QFW) policy are added to the SEP Manager and applied to client groups.

Environment

ATP 3.0
SEP 14 RU1

Resolution

By default, ATP 3.0 will auto-deploy the ATP Host Integrity and ATP Quarantine Firewall policies to the SEP Manager enrolled in EDR 2.0. If there are client groups within the SEP Manager that did not already have an HI policy and/or a QFW policy applied, then the ATP deployed policies will be applied to those client groups. Note, however, that ATP will not overwrite existing assignments if other HI or QFW policies are already applied to a client group.

Although this behavior is working as designed, it has the potential unintended consequence of isolating clients even when not leveraging ATP's Client Isolate feature.

If there is a pre-existing HI policy assigned to a client group, but there is no firewall quarantine policy assigned, ATP will assign the ATP Quarantine Firewall policy to that group. If the HI policy then fails on a client, that client will apply the quarantine location, which will isolate that client from the network.

Behavior changes with ATP 3.0.5

In ATP 3.0.5, Symantec changed the behavior so that ATP does not auto-assign policies to client groups. By default, ATP only creates the policies, which are then available for SEP administrators to assign to client groups.

To test deploying HI and QFW policies from ATP to various client groups or locations, Symantec suggests creating a separate SEP domain within SEP Manager, with a structure of client groups and inheritance similar to the one in your production SEP domain. To move one or more test SEP clients into the new domain, export the policy from the new test group domain in SEPM and import it into a test SEP client.

Behavior changes with ATP 3.1.0

In ATP 3.1.0, Symantec added a checkbox, "Apply Host Integrity and Quarantine Firewall policies", to make this behavior selectable during the configuration wizard for enabling SEP Policies from within ATP Platform. This checkbox is not selected by default.
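
The assignment rules above can be checked against a group inventory before enrollment. The following is an added example, not Symantec code: it models the per-version behavior described in this article over a constructed list of client groups and flags groups where an existing HI policy would start triggering the ATP quarantine location. Group names, the non-ATP policy names, and the function names are hypothetical; it assumes that versions before 3.0.5 behave like 3.0 and that selecting the 3.1.0 checkbox reproduces the 3.0 assignment rules.

```python
# Added example: models the assignment rules described in this article.
# Group names and non-ATP policy names are constructed sample data.
ATP_HI = "ATP Host Integrity"
ATP_QFW = "ATP Quarantine Firewall"

SAMPLE_GROUPS = {  # group -> (assigned HI policy, assigned QFW policy)
    "My Company\\Servers": ("Corp HI", None),
    "My Company\\Laptops": (None, None),
    "My Company\\Kiosks": ("Corp HI", "Corp Quarantine FW"),
}

def _ver(v):
    """Parse '3.0' / '3.0.5' into a 3-part tuple so versions compare correctly."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def auto_assigns(atp_version, apply_checkbox=False):
    """True if ATP itself assigns its HI/QFW policies to client groups."""
    v = _ver(atp_version)
    if v < (3, 0, 5):
        return True        # ATP 3.0: auto-applied on EDR 2.0 enrollment
    if v < (3, 1, 0):
        return False       # ATP 3.0.5: policies created, not assigned
    return apply_checkbox  # ATP 3.1.0: wizard checkbox, off by default

def audit(groups, atp_version, apply_checkbox=False):
    """Return {group: (hi, qfw, finding)} as it would look after enrollment."""
    result = {}
    for name, (hi, qfw) in groups.items():
        new_hi, new_qfw, finding = hi, qfw, "unchanged"
        if auto_assigns(atp_version, apply_checkbox):
            new_hi = hi or ATP_HI    # existing assignments are not overwritten
            new_qfw = qfw or ATP_QFW
            if hi and not qfw:
                # Pre-existing HI policy now has a quarantine location behind it.
                finding = "RISK: existing HI failure now isolates the client"
            elif not hi or not qfw:
                finding = "ATP policy newly assigned"
        result[name] = (new_hi, new_qfw, finding)
    return result

if __name__ == "__main__":
    for group, row in audit(SAMPLE_GROUPS, "3.0").items():
        print(group, row)
```
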