Adding a large number of hosts to a Host Group in the Endpoint Protection Manager

Article ID: 177445

Products

Endpoint Protection

Issue/Introduction

You want to create a Host Group that contains a large number of hosts on the Symantec Endpoint Protection Manager (SEPM).
 

Example: A web site blacklist to be used with the Network Threat Protection (NTP) component of Symantec Endpoint Protection (SEP).

Resolution

Note: Before following this procedure, it is strongly recommended to create a disaster recovery backup of your SEPM per the Disaster recovery best practices document.

To add a large number of hosts to a Host Group, follow the steps below:

  1. Log into the SEPM management console.
  2. Click Policies and expand Policy Components.
  3. Create a Host Group, giving it a unique name, then add a couple of unique host entries of the type(s) needed (e.g. DNS host, IP address, etc.). Click OK to save the Host Group.
  4. Switch to the Firewall Policy section and create a new Firewall policy.
  5. Under Windows Settings > Rules double-click on the cell for any rule under the Host column
  6. Check the box to enable the Host Group you created in step 3, then click OK to save the rule edit
  7. Click OK in the Firewall policy to save the changes
  8. Right-click on the new Firewall policy and select Export...
    • Specify a location to save the .dat and click Export
  9. Open File Explorer and navigate to the location you saved the exported Firewall policy
  10. Rename the policy from xxxxx.dat to xxxxx.zip then extract the main.xml file from within the newly renamed .zip file
    • Note: If you have a zip utility such as 7-Zip installed, you can just right-click the .dat and choose "Extract Here"
  11. Open the main.xml file and locate the fwhostcontainer section that contains your added host entries. Example:
    <fwhostcontainer _d="false" _i="FB4846A4C0A8026405A213E7C8A35826" _t="1569607143916" _v="4">
      <ipaddress _d="false" _i="97027BB9C0A8026405A213E783745119" _t="1569607136663" _v="3">1.1.1.1</ipaddress>
      <dnsdomain _d="false" _i="79329FA5C0A8026405A213E746499609" _t="1569607143909" _v="3">www.abc.com</dnsdomain>
    </fwhostcontainer>
  12. Copy and paste the XML contents to an empty Notepad document
  13. Launch Excel and create a new document
  14. Enter into column B all of the host information needed. Example:
    1.1.1.1
    www.abc.com
  15. Then copy and paste the opening XML tag into column A, matching the entry type of each row. Example:
    <ipaddress _d="false" _i="97027BB9C0A8026405A213E783745119" _t="1569607136663" _v="3">
    <dnsdomain _d="false" _i="79329FA5C0A8026405A213E746499609" _t="1569607143909" _v="3">
  16. Lastly, add the matching closing XML tag to column C. Example:
    </ipaddress>
    </dnsdomain>
  17. Continue to fill in columns A and C with the appropriate XML tags
  18. Select all the rows in column A, B and C and copy/paste them into a blank Notepad document
  19. Copy one of the tab characters between the columns, then use the Edit > Replace feature to replace all tab characters with an empty string
  20. Once all the tab characters are replaced, select all the XML and copy/paste it back into the main.xml file
  21. Save main.xml then zip up the file
  22. Rename the file, changing the file extension from a .zip to a .dat
  23. Back in the SEP Manager under the Policies > Firewall Policies view, delete the temporary Firewall policy created in step 4
  24. Under Tasks, choose Import Policy and navigate to and select the newly created .dat
  25. When prompted that the Host Group already exists choose the "Overwrite existing policy" option and click OK

The Host Group is now updated with the additional entries added and can be used where appropriate.

Important Note: There is a known limitation with regard to editing the host group entries after performing this procedure. Because of how this procedure works, the _i value gets duplicated, and any subsequent edits made to entries in this Host Group within the SEP Manager will occur against the first entry in the host group list. To avoid this issue, avoid editing the Host Group entries in the SEP Manager interface, or, if editing is necessary, ensure when performing step 15 that the _i value on each line is made unique.

Rules for editing the _i value: It is a 24 character hex value. See below.

  • The first and last 8 hex numbers are from a random Integer. These can be edited to be unique hexadecimal characters for each entry.
  • The middle 16 characters should all be the same when performing the above procedure.
  • In the below example I show the first, middle and last sections broken out. The unique value edits can occur on the first and last sections only.
    Example _i value 91F088220A931A5D70CF51AA1FC66C28 can be broken out to 91F08822    0A931A5D70CF51AA    1FC66C28
  • Only the first and last sections in the example (91F08822 and 1FC66C28, shown in blue in the original article) should be edited for uniqueness.

Scripting methods to make the _i values unique may be employed, however Symantec support cannot provide assistance with this procedure.
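
One way to script the unique _i values, as an added example (not part of the original article and not a Symantec tool): this Python code takes the fwhostcontainer block copied in step 12 and a host list, reuses each entry type's attributes from the exported template entries, and randomizes only the first and last 8 hex characters of _i, following the 8/16/8 breakdown shown above. The function names are hypothetical, and treating any IP literal as `<ipaddress>` and everything else as `<dnsdomain>` is an assumption.

```python
import ipaddress
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: the fwhostcontainer block shown in step 11 of the article.
SAMPLE = '''<fwhostcontainer _d="false" _i="FB4846A4C0A8026405A213E7C8A35826" _t="1569607143916" _v="4">
  <ipaddress _d="false" _i="97027BB9C0A8026405A213E783745119" _t="1569607136663" _v="3">1.1.1.1</ipaddress>
  <dnsdomain _d="false" _i="79329FA5C0A8026405A213E746499609" _t="1569607143909" _v="3">www.abc.com</dnsdomain>
</fwhostcontainer>'''

def entry_type(host):
    """Assumption: IP literals become <ipaddress>, anything else <dnsdomain>."""
    try:
        ipaddress.ip_address(host)
        return "ipaddress"
    except ValueError:
        return "dnsdomain"

def unique_id(template_id, used):
    """Keep the middle 16 hex characters; randomize the first and last 8."""
    middle = template_id[8:24]
    while True:
        new = (secrets.token_hex(4) + middle + secrets.token_hex(4)).upper()
        if new not in used:  # never hand out the same _i twice
            used.add(new)
            return new

def expand_host_group(container_xml, hosts):
    """Return the container with one uniquely identified entry per host."""
    root = ET.fromstring(container_xml)
    # One template per entry type, taken from the entries added in step 3.
    templates = {child.tag: dict(child.attrib) for child in root}
    used = {root.get("_i")}
    for child in list(root):
        root.remove(child)
    # Strip whitespace, drop blanks and duplicates, keep the input order.
    for host in dict.fromkeys(h.strip() for h in hosts if h.strip()):
        kind = entry_type(host)
        if kind not in templates:
            raise ValueError(f"no <{kind}> template entry in the exported Host Group")
        elem = ET.SubElement(root, kind, templates[kind])
        elem.set("_i", unique_id(templates[kind]["_i"], used))
        elem.text = host  # ElementTree escapes &, < and > on output
    ET.indent(root, space="  ")  # requires Python 3.9+
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(expand_host_group(SAMPLE, ["1.1.1.1", "www.abc.com", "2.2.2.2"]))
```

The returned block replaces the original fwhostcontainer section in main.xml at step 20; the template entries themselves are only kept if they also appear in the host list.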