Windows Defender Firewall still shows as on with Endpoint Protection Network Threat Protection installed

Article ID: 152187

Products

Endpoint Protection Endpoint Security

Issue/Introduction

When Symantec Endpoint Protection (SEP) Network Threat Protection (NTP) is installed on a computer running Windows 7 or later, the Windows Defender Firewall control panel displays the following message: "These settings are being managed by vendor application Symantec Endpoint Protection." Advanced Settings for the Windows Defender Firewall may show the firewall as on for the individual profiles "Domain", "Private", or "Public"; however, the rules within the Windows Defender Firewall are not actually applied.

This behavior differs from Windows XP and Windows Server 2003, which display the Windows Firewall as explicitly off.

Cause

Windows 7 and later handle third-party firewalls like SEP slightly differently from previous versions of Windows. As of Windows 7, Microsoft changed the Security Center to the Action Center. In the Action Center, a more universal interface was created for protection technologies, such as firewall and antivirus.

Environment

  • Microsoft Windows 7 or later
  • Microsoft Windows Server 2008 or later

Resolution

This is expected behavior, and both SEP and the Windows Defender Firewall are working as intended. For Windows 7 and later, installing SEP with Network Threat Protection and enabling the SEP Firewall by policy takes control of three of the four categories within the Windows Defender Firewall. The categories managed by SEP are the following:

  • BootTimeRuleCategory
  • FirewallRuleCategory
  • StealthRuleCategory

Run the following command to confirm which Windows Firewall categories SEP is registered to:

netsh advfirewall show global

The remaining fourth category, ConSecRuleCategory, is managed by the Windows Defender Firewall, as recommended by Microsoft in the TechNet article DirectAccess and Third-party Host Firewalls.
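The check described above can be scripted. The following is an added example, not code from Symantec or Microsoft: it parses the category rows of the command output and flags any category whose owner differs from what this article describes. The sample text is constructed, and its column layout and the registered provider strings are assumptions; the function names are hypothetical.

```powershell
# Categories this article lists as managed by SEP.
$SepManaged = 'BootTimeRuleCategory', 'FirewallRuleCategory', 'StealthRuleCategory'

# Constructed sample of the category rows (layout and provider names are
# assumptions). StealthRuleCategory is deliberately wrong to show a mismatch.
$sample = @'
Categories:
BootTimeRuleCategory                  Symantec Endpoint Protection
FirewallRuleCategory                  Symantec Endpoint Protection
StealthRuleCategory                   Windows Defender Firewall
ConSecRuleCategory                    Windows Defender Firewall
'@
$lines = $sample -split '\r?\n'
# On a live host, replace the sample with:  $lines = netsh advfirewall show global

function Get-FirewallCategoryOwner {
    param([string[]]$Lines)
    $owners = [ordered]@{}
    foreach ($line in $Lines) {
        # A category row: "<Name>RuleCategory", whitespace, then the provider name.
        if ($line -match '^\s*(\w+RuleCategory)\s+(\S.*?)\s*$') {
            $owners[$Matches[1]] = $Matches[2]
        }
    }
    if ($owners.Count -eq 0) { throw 'No category rows found in the netsh output.' }
    return $owners
}

function Test-SepCategoryOwnership {
    param($Owners, [string]$VendorPattern = '*Symantec*')
    # Flag SEP-managed categories that are absent from the output.
    foreach ($name in $SepManaged) {
        if (-not $Owners.Contains($name)) {
            [pscustomobject]@{ Category = $name; Owner = '(missing)'; AsExpected = $false }
        }
    }
    # SEP should own exactly the three listed categories and no others.
    foreach ($name in $Owners.Keys) {
        $shouldBeSep = $SepManaged -contains $name
        $isSep = $Owners[$name] -like $VendorPattern
        [pscustomobject]@{ Category = $name; Owner = $Owners[$name]
                           AsExpected = ($shouldBeSep -eq $isSep) }
    }
}

$owners = Get-FirewallCategoryOwner -Lines $lines
Test-SepCategoryOwnership -Owners $owners | Format-Table -AutoSize
```

With the constructed sample, only StealthRuleCategory is reported with AsExpected set to False.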

Microsoft recommends that you do not disable the Windows Firewall service when using a third-party host firewall. When the Windows Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows Firewall connection security rules to protect DirectAccess connections and traffic.

SEP follows the Microsoft Windows Firewall guidelines and recommendations and does not replace Windows Firewall connection security (IPsec). This specification allows third-party host firewalls in Windows 7 to selectively replace specific elements of Windows Defender Firewall functionality while retaining others. The introduction of "categories" makes it possible for third-party host firewalls to operate side-by-side with Windows Firewall.

To further confirm that the SEP client is providing firewall protection, check the status in the Installed Firewall list and in the General Firewall status section, which indicates that the firewall rules are being managed by SEP.

To verify the firewall status:

  1. Click Open Action Center > Security. Network Firewall displays a status of On.
  2. Click View installed firewall programs. SEP displays a status of On. Windows Defender Firewall displays a status of Off.

If both firewalls display a status of On, the Action Center shows the following warning: "Windows Firewall and SEP both report that they are turned on".

Note: Two or more firewalls running at the same time can cause conflicts with each other.