Why do the Firewall rules change on a client when you change a client group from "Server Mode" to "Client Mode"?
Symptoms
A customized set of Firewall rules is applied to all the clients in an existing group. The "Mode" is preset to "Server Mode".
When you change the mode to "Client Mode", the existing Firewall rules are replaced by the policies listed in the Cltdef.dat file, which are completely different from what was preset.
In "Client Mode", the user is allowed to modify policies, create rules, and have complete control of the client. The client uses policies similar to those contained in the default.dat file, which is used with an unmanaged client. For example, logging of all actions is hard-coded into the policy set and cannot be changed. "Mixed Mode" uses a policy set from the Cltdef.dat file. This policy set contains information from both the Default.dat and the Cltdef.dat.
The meaning of the different modes is as follows:
Server Mode: The server is in complete control of the client, and the user can only modify what the administrator specifically allows.
Client Mode: The client is in complete control of the client, and the user can modify whatever they wish.
Mixed Mode: A combination of control that can be customized so that the client (user) can only control what the administrator allows.
To maintain some control of the client and also control the options the user can change, use "Mixed Mode".
Any settings that you do NOT want a user to change should be "locked" in the specific policies you create to prevent changes.
Mixed Mode can be customized to shift a specific number of configurations from the server to the client.
Note:
In "Client Mode", every action is logged. On a managed client, the sheer number of these logs from hundreds of clients will cause the Symantec Endpoint Protection Manager to overwrite its logs when left at the default log retention settings. To stop the excessive logging, switch to "Mixed Mode".