When an EDR "Quarantines" or "Isolates" SEP VPN connected client, "Symantec EDR Quarantine Firewall policy" may cause the EDR not to be able to rescind the quarantine
search cancel

When an EDR "Quarantines" or "Isolates" SEP VPN connected client, "Symantec EDR Quarantine Firewall policy" may cause the EDR not to be able to rescind the quarantine


Article ID: 219783


Updated On:


Advanced Threat Protection Platform Endpoint Detection and Response Endpoint Protection


A SEP client remains quarantined even after the EDR rescinds the quarantine because communications to the EDR are blocked by the "Symantec EDR Quarantine Firewall policy".


All SEPM and SEDR releases


"Symantec EDR Quarantine Firewall policy" does not have rules to permit:

  • EDR ECC communications
  • VPN communications
  • Internal Certificate Authority (CA) communications based on Location


When a client machine is "Quarantined" or "Isolated", the SEPM and EDR should be able to connect to make policy changes or to perform troubleshooting.   Thus, it may be necessary to recover the VPN connection by adding "Allow" rules for the VPN traffic so that the client can communicate to the internal network, i.e. namely the SEPM and EDR. 

The following options are listed from "best to least" to regain access to a "Quarantined" SEP client:

Option 1 -  "Open External Firewall to access EDR"

Option 2  - "Duplicate and modify the SEDR Quarantine Firewall policy - Add rules to allow VPN and SEPM communications."

Step 1 - Duplicate Rule "Symantec EDR Quarantine Firewall policy"

    • Select Policies - Side Tab
    • Right Click - the "Symantec EDR Quarantine Firewall policy"
    • Select the Export and save to a file
      • Note:  Copy and paste will not work since the policy is owned by the SEDR appliance.
    • Select the Import and then import the exported file.   Name the file to something like "Custom VPN - Symantec EDR Quarantine Firewall policy" and in the Description field add the statement:
      • "This policy is no longer managed by the EDR and will not be overwritten or removed if the EDR connection is changed or group inclusions are adjusted".
        •  Note:  Careful management of this policy needs to be done manually.

Step 2 - Add a new location "VPN Connected - Isolated"

    • Create conditions "Host Integrity - True" and "VPN connected" criteria

Step 3  - Add firewall rules to allow VPN and EDR traffic

Step 4 - Assign policy to all groups that the EDR manages

Option 3 - "Stopping SEP client / Connecting to VPN"

Warning:  If your system is potentially infected, it is recommended NOT TO USE THESE STEPS because the firewall is not running.

  • Ensure the computer has been rescinded the Quarantine/Isolation
  • Restart the computer
    • One of the first tasks for the SEP client is to check-in to the SEPM and EDR to get the current policy settings
  • Run the "smc -stop" to stop SEP client from running
    • This stops the firewall from running
  • Connect to the VPN.
  • Run the "smc -start" command.
    • Note:  Run from Task Manager to use highest privileges
      Note:   If you perform the "smc -stop" and "smc -start" from the command line, you may need to use:
      • start smc -stop
      • start smc -start
    • Note:   Once the new policy is received by the client, the HI flag should rescind that activates the default group firewall policy.


Additional Information

Additional Background:

When a SEP client is quarantined by the EDR, the EDR raises the Host Integrity (HI) flag over Endpoint Communication Channel (ECC); which activates "Symantec EDR Quarantine Firewall policy".

Other recommendations:

Review the following for possible improvements to the network configuration.

Where to place the appliance in your network for best results


Logical network diagram of a typical situation where EDR Isolate/Rejoin would need additional configuration of the Firewall rule within SEPM: