Channel: Symantec Connect - Products - Discussions

SEP Manager Firewall Policies

I need a solution

I'm looking for information on how FW policies work in SEP Manager.  

I made a copy of the default policy, added a rule to whitelist a server so we could do some vulnerability scans from that system and then enabled the new policy.  We had an issue with a client not being able to talk to a server, it appears because the Windows Firewall on the server became active.

I withdrew the SEP policy and now it appears that no policy is active.

And it also appears as a result that no clients are getting AV updates, probably because the Windows FW is now also active on the SEPManager server.

From investigations, it looks as though the Windows FW is active on system reboots and then at some point the SEP client FW takes over when it loads.  This is based on reviewing pfirewall.logs from the Windows firewall and matching up activity with server reboots on a couple of systems.  

Questions:
1. How does the SEP client take over the Windows FW? So far, I've only been able to find out that on install, it disables the Windows FW, but if you had a group policy to run the Windows FW, they would both be active.

2. Is there a method in SEP policies or somewhere else to let the Windows FW run until SEP client loads and then have the SEP client always take over?

3. Does it make sense that when a new SEP policy is pushed, the SEP FW would stop and start and that might be why the Windows FW became active?

4.  In unmanaged clients, I see a notice on the Windows FW that it is being managed by vendor application Symantec Endpoint Protection, but I don't see that same message on managed clients.  Should it be there?  (Could be timing of when they were examined and having the policy withdrawn)

5. Is it possible to have cumulative policies or can only one policy be active? i.e., could you have a base policy and then individual policies with a handful of rules applied to lower level groups?

6. I applied the policy at the top level "My Company" level and then withdrew it, so I suspect that I need to just reapply the default policy back at that level but am leery to do that without more research. I noticed in the policies section that most policies have a use count of 3. I'm guessing that is a group count - My Company, Default Group, and then the one we created?

Sorry for all the questions; someone else set this up with just a base config, so I'm trying to read through the 618 pg administrator's guide and understand how to manage these policies quickly so we can get some scanning done.
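
The correlation described in the post (pfirewall.log activity matched against server reboots) can be scripted. The following is an added example, not part of the original post; the sample log lines, the boot time, and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the W3C-style layout of pfirewall.log (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-03-04 02:10:05 DROP TCP 10.0.0.21 10.0.0.5 49822 8014 52 S 0 0 8192 - - - RECEIVE
2024-03-04 02:10:40 DROP TCP 10.0.0.22 10.0.0.5 50110 8014 52 S 0 0 8192 - - - RECEIVE
2024-03-04 02:11:30 ALLOW UDP 10.0.0.5 10.0.0.2 55001 53 0 - - - - - - - SEND
2024-03-06 14:32:10 DROP TCP 10.0.0.21 10.0.0.5 49901 8014 52 S 0 0 8192 - - - RECEIVE
2024-03-06 14:50:02 DROP TCP 10.0.0.23 10.0.0.5 50444 8014 52 S 0 0 8192 - - - RECEIVE
"""
# Constructed boot time, as would be read from the System event log.
SAMPLE_BOOTS = [datetime(2024, 3, 4, 2, 9, 30)]

def parse_pfirewall(text):
    """Return one dict per entry, keyed by the names in the #Fields header."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            entries.append(row)
    return sorted(entries, key=lambda r: r["ts"])

def activity_windows(entries, gap=timedelta(minutes=30)):
    """Group entries into bursts; a silence longer than `gap` ends a burst."""
    windows = []
    for e in entries:
        if windows and e["ts"] - windows[-1]["end"] <= gap:
            windows[-1]["end"] = e["ts"]
            windows[-1]["count"] += 1
        else:
            windows.append({"start": e["ts"], "end": e["ts"], "count": 1})
    return windows

def label_windows(windows, boots, slack=timedelta(minutes=10)):
    """Label a burst 'after-boot' if it starts within `slack` of a boot, else 'no-boot'."""
    for w in windows:
        near = [b for b in boots if timedelta(0) <= w["start"] - b <= slack]
        w["label"] = "after-boot" if near else "no-boot"
    return windows

if __name__ == "__main__":
    for w in label_windows(activity_windows(parse_pfirewall(SAMPLE_LOG)), SAMPLE_BOOTS):
        print(w["start"], "->", w["end"], w["count"], "entries", w["label"])
```

Bursts labelled `no-boot` are the ones to compare against policy changes such as the withdrawal described above. pfirewall.log only records what the profile's logging settings ask for (dropped and/or allowed connections), so a quiet period shows the firewall logged nothing, not necessarily that it was off.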

