Block Web sites with Endpoint Protection
search cancel

Block Web sites with Endpoint Protection

book

Article ID: 177529

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

How to block specific Web sites using the Symantec Endpoint Protection (SEP) client Network Threat Protection (NTP) component.


 

Resolution

The SEP client firewall cannot function as a proxy, however, it can be used to block traffic to/from specific DNS names if properly configured.

It is highly recommended to use another method such as proxy server and/or DNS security service to provide Web filtering. Using the SEP client firewall to block Web sites has the following limitations:

  • This method requires blocking a DNS name, and will not function with specific URLs
  • Web sites accessed through an HTTP/S proxy will not be blocked by this method
  • Traffic sent directly to an IP address without generating a DNS lookup will not be blocked
  • Reverse DNS lookup must be enabled in the SEP client firewall
    • SEP client firewall Reverse DNS lookups do not work with encrypted DNS services
  • Depending on configurations, Web traffic sent through a VPN tunnel may not be blocked 


To create a DNS name based firewall rule:

  1. Open the Symantec Endpoint Protection (SEPM) Console
  2. Click Policies > Firewall
  3. Edit the existing Firewall Policy
  4. Click Rules
  5. Right Click Rule Number 2 and Select Add a Blank Rule
  6. Right Click Under the Action and Set it to Block
  7. Right Click on the Host Select Edit
  8. Under Specify host names or addresses of computers that trigger the rule Select : Source/Destination
  9. Under Remote Click Add Under Type Select DNS domain
  10. Under DNS Domain type the name of the Website e.g. : *.example.com or https://www.example.com url like if they don't wish to block complete website.
  11. Click OK and close the Host List Window
  12. Click OK and close the Firewall Policy Window
  13. Assign the policy to the desired group

Additional Information

The SEP Firewall engine is an NDIS driver, which means it only sees IP addresses, not domain names. However, SEP Firewall has two key enhancements to associate IP addresses with domain names:

         Enhancement 1: DNS Traffic Monitoring
                 SEP FW monitors DNS traffic in real-time. For example, if OS send a DNS query to www.domain.com and receives the IP 1.2.3.4, SEP records this association. It then knows that traffic to 1.2.3.4 corresponds to www.domain.com and can block it accordingly.

                  Once the TTL expires, the OS will send a DNS query again, and SEP will update its records accordingly.

         Enhancement 2: Reverse DNS (RDNS) Support
                 If this option is enabled, when SEP FW receives a packet from an unknown IP (e.g., 1.2.3.4), it will hold the packet and send a reverse DNS query to the DNS server. It will then allow or block the traffic depending on the domain name returned in the response.

                 Once the TTL expires, SEP will remove the cached entry from its records. Then, when SEP receives a packet from an unknown domain, it will send a new rDNS query.

  You can configure a firewall rule to block or allow traffic based on the process name, along with other conditions.

Powered by Wolken Software