Configuring and managing Endpoint Security firewall

Article ID: 184832

Products

Endpoint Protection

Issue/Introduction

Configure and manage Symantec Endpoint Security (SES) firewall.

Resolution

Together with the intrusion prevention system (IPS), the firewall is the first layer of defense against malicious attacks. The Endpoint Security firewall uses a rules-based firewall engine to analyze all incoming traffic and outgoing traffic and offers IPS browser protection to block such threats before they can be executed on the computer.

How the firewall works

Network attacks exploit weaknesses in vulnerable applications. Attackers use these weaknesses to send the packets that contain malicious programming code to ports. When vulnerable applications listen to the ports, the malicious code lets the attackers gain access to the computer.

A firewall does all of the following tasks:

  • Prevents any unauthorized users from accessing the computers and networks in your organization that connect to the Internet
  • Monitors the communication between the computers and other computers on the Internet
  • Creates a shield that allows or blocks attempts to access the information on the computer
  • Warns of connection attempts from other computers
  • Warns of connection attempts by the applications on the computer that connect to other computers

The firewall reviews the packets of data that travel across the Internet. A packet is a discrete unit of data that is part of the information flow between two computers. Packets are reassembled at their destination to appear as an unbroken data stream.

Packets include information about the data such as the following:

  • The originating computer
  • The intended recipient or recipients
  • How the packet data is processed
  • Ports that receive the packets

How do firewall rules and settings work?

The firewall uses rules to control how the client protects the client device from malicious inbound and outbound traffic. The firewall automatically checks all the inbound and the outbound packets against these rules. The firewall then allows or blocks the packets based on the information that is specified in rules. When a device tries to connect to another device, the firewall compares the type of connection with its list of firewall rules. The firewall also uses stateful inspection of all network traffic.

Firewall settings are preconfigured rules, each with its own requirements for network communication. Each setting allows or restricts communication as appropriate.
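The rule matching and stateful inspection described above can be seen in a small model. This is an added example, not Symantec's engine or code from this article; the `Packet`, `Rule` and `Firewall` names, top-down first-match evaluation, the default block action, and the sample addresses are all assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction is relative to the client ("in"/"out"); local_port None = any port
Packet = namedtuple("Packet", "direction proto src sport dst dport")
Rule = namedtuple("Rule", "name action direction proto remote_net local_port")

def flow_key(p):
    """Normalise a packet to (proto, local ip, local port, remote ip, remote port)."""
    if p.direction == "out":
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class Firewall:
    def __init__(self, rules, default_action="block"):
        self.rules = list(rules)      # list order = evaluation order (assumption)
        self.default_action = default_action
        self.flows = set()            # state table of flows already allowed

    def decide(self, p):
        key = flow_key(p)
        _, _, local_port, remote_ip, _ = key
        if key in self.flows:         # stateful inspection: no rule needed for replies
            return ("allow", "established flow")
        for r in self.rules:          # first matching rule decides (assumption)
            if (r.direction in ("any", p.direction)
                    and r.proto in ("any", p.proto)
                    and ip_address(remote_ip) in ip_network(r.remote_net)
                    and r.local_port in (None, local_port)):
                if r.action == "allow":
                    self.flows.add(key)
                return (r.action, r.name)
        return (self.default_action, "default")

# Constructed sample policy and traffic (documentation address ranges).
RULES = [
    Rule("block-smb-in", "block", "in", "tcp", "0.0.0.0/0", 445),
    Rule("allow-lan-in", "allow", "in", "any", "192.0.2.0/24", None),
    Rule("allow-all-out", "allow", "out", "any", "0.0.0.0/0", None),
]
CLIENT, LAN_HOST, WEB = "192.0.2.10", "192.0.2.20", "203.0.113.5"

def demo():
    fw = Firewall(RULES)
    return [
        fw.decide(Packet("in", "tcp", WEB, 443, CLIENT, 50000)),       # unsolicited
        fw.decide(Packet("out", "tcp", CLIENT, 50000, WEB, 443)),      # client connects
        fw.decide(Packet("in", "tcp", WEB, 443, CLIENT, 50000)),       # reply to it
        fw.decide(Packet("in", "tcp", LAN_HOST, 40000, CLIENT, 445)),  # rule order matters
    ]
```

In this model, swapping the first two rules lets the LAN host reach port 445, which is why the position of a broad allow rule relative to a specific block rule deserves a review whenever rules are reordered.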

How the firewall processes firewall rules and settings

All firewall and intrusion prevention elements are processed in the following order:

  • Intrusion Prevention settings, traffic settings, and stealth settings
  • Smart traffic filters and firewall rules
  • Port scan checking and the IPS signatures that are downloaded through LiveUpdate

See Changing the order of firewall rules in Symantec Endpoint Security

Modifying the firewall rules and settings

The cloud console includes a default Firewall policy that can be applied to each group. In most cases the settings do not need to be changed. However, if troubleshooting the client is required, the settings can be enabled or disabled to fine-tune the client device's protection.

To modify the firewall rules or settings
  1. Go to Policies > Firewall policy > Default Firewall policy.
  2. Under General Settings, make sure Firewall is turned on.
  3. Do any one of the following tasks:
    • Under Firewall Rules, turn on or turn off the default rule.
    • Under Firewall Rules, select Add to add a custom firewall rule.
      See Adding a custom firewall rule in Symantec Endpoint Security
    • Under Advanced Settings, select Show Advanced and turn on or turn off the setting.
  4. To enable a setting on the client that the user can configure, under User Interaction Settings, turn on the setting.
     See User Interaction Settings
  5. To find which applications are allowed or blocked, go to Dashboard > Security Controls > Firewall > Key Performance Indicators.

Viewing firewall events and reports

To view the firewall events
  1. On the Endpoint tab, go to the Alerts and Events > Security Events tab.
  2. Under Technology, select Firewall.

To view the firewall report
  1. On the Endpoint tab, go to Reports and Templates.
  2. On the Generated Reports tab, select Firewall Report.

Enabling the Windows Defender Firewall

Symantec Endpoint Security automatically disables the Windows Defender Firewall. If Windows Defender Firewall needs to be used instead of the Endpoint Security firewall, turn Windows Defender back on in the Firewall policy.

Use Windows Defender Firewall instead of Endpoint Protection 15.x Firewall