
Configuring Firewall Rules

Online Help

In Symantec Endpoint Protection Small Business Edition cloud, a Smart Firewall is a barrier protecting an endpoint computer from dangerous or unwanted communications. Communications occur between source and destination IP addresses using a transport protocol and port number to access a service. Commands are sent to the service port number of the offered service. Responses are returned to the port that is specified by the computer initiating the communication. Firewall administrators can block or allow traffic between two computers using:

  • IP addresses only

  • Port number of the needed service

  • Both IP address and service port number

While this capability is available within Endpoint Protection, manual configuration of firewall rules is risky for administrators without training and/or experience. We recommend thorough testing of any rules that you create.

The Smart Firewall configures a rule based on three characteristics:

  • Connections

  • Computers

  • Communications

These rules are then applied to a group or groups of computers which represent internal IP addresses for the firewall rule.

Connections

The first step in defining a firewall rule is to declare what should be done with a connection meeting the criteria defined by the rule. Two actions are possible:

Allow

Allows the communication of this type to take place

Block

Prevents the communication of this type from taking place

The direction of the connection is the next element identified for the connection:

Inbound

Inbound connections include communications from another computer to your computer.

Outbound

Outbound connections include communications from your computer to another computer.

Inbound and Outbound

Inbound and outbound connections include the incoming and the outgoing communications to and from your computer.

Computers

Specify the computers to which the rule should apply:

Any computer

The rule applies to all computers

Any computer in the local subnet

The rule applies only to computers in the local subnet

Choose computers

The rule applies only to the computers, sites, or domains that are listed. The options include:

  • Individually - by entering a computer name or URL

  • Using Range - by entering a range of IP addresses

  • Using Network Address - by entering an IP address and its subnet mask

The computer identification options can be mixed within the defined addresses.

Communications

The final step in creating a new firewall rule is to define the communications protocols that are used for the connection. You can specify these protocols:

TCP, UDP, TCP and UDP, ICMP, ICMPv6, or All

When a protocol other than All is selected, communications of all types of the selected protocol are allowed. Whenever you need to be more restrictive, build a Custom List.

A Custom List lets you build the list by:

Known Ports from List

The rule applies to the ports that are selected using Click to view list.

Known Ports offer well-known services. Less common or proprietary applications require that you identify the ports that are used by the application.

Individual specified ports

The rule applies to the ports that you enter. Delimit multiple ports with spaces.

Port Range

The rule applies to all of the ports from the lowest to the highest port number.

Enter the Port Range from lowest to highest port number.

Finally, you must identify the ports in the list as Local or Remote.

Local

Local ports refer to a port on an Endpoint Protection protected computer. These are usually used for inbound connections.

Remote

Remote ports are on the computer with which your computer communicates. They are usually used for outbound connections.

Warning: Badly conceived or misconfigured firewall rules can expose an organization's network to penetration and/or loss of mission critical services. Safely test all new firewall rules before deploying to your organization.

To create a custom endpoint protection policy

To configure a computer group for testing policies and firewall rules

  1. Create a computer group for testing firewall rules.

  2. Move several test computers into the test group.

  3. Create a test policy and apply it to the test group.

  4. Create a new firewall rule and save & apply the policy with the new rule.

  5. Test the rule using the computers in the test group.

  6. Repeat the process and test the policy for each new rule added.

  7. Verify that your rules are entered in the correct order.

  8. Deploy the rule to your organization only after thorough testing.

To allow access to a well-known program (Post Office Protocol v3)

  1. From the Network Protection portion of a policy configuration page, click Firewall Rules.

  2. Click Add Rule to open the rule configuration page.

  3. Enter a Rule Name: Allow POP3 email.

  4. In the Connections section, set the Connection drop-down to Allow and the Connection Type to Outbound.

  5. In the Computers section, set the drop-down to Choose Computer, Individually and enter www.POP3_mailserver.com (URL or IP address).

  6. Click >> to add the computer to the list.

  7. In the Communications section, set the drop-down to TCP, Custom List and Known Ports from List. Skip down to the Local/Remote drop-down and set it to Remote.

  8. Click Click to View List to see the list of well-known TCP ports, check 110 for the POP3 protocol, and then click Apply.

    Most modern POP mail servers use SSL/TLS security for communications, so additional rules may be necessary to make a service accessible.

  9. Click OK to complete the rule.

  10. When you are finished creating or modifying the policy, click Save & Apply at the bottom of the policy configuration page. This action pushes out the policy and any new or any modified firewall rules to groups using the policy.

To allow access to a specific port at a specific address

  1. From the Network Protection portion of a policy configuration page, click Firewall Rules.

  2. Click Add Rule to open the rule configuration page.

  3. Enter a Rule Name: Allow service on port 54321 from OurVendor.com.

  4. In the Connections section, set the Connection drop-down to Allow and the Connection Type to Outbound.

  5. In the Computers section, set the drop-down to Choose Computer, Individually and enter www.OurVendor.com (URL or IP address).

  6. Click >> to add the computer to the list.

  7. In the Communications section, set the drop-down to TCP, Custom List and Individual Specified Ports.

  8. Change the Local/Remote drop-down to Remote.

  9. Enter the Port number: 54321, and then click >> to add the port to the communications list.

  10. Click OK to complete the rule.

  11. When you are finished creating or modifying the policy, click Save & Apply at the bottom of the policy configuration page. This action pushes out the policy and any new or any modified firewall rules to groups using the policy.

To allow a trusted, external network access to a service on an internal computer

  1. From the Network Protection portion of a policy configuration page, click Firewall Rules.

  2. Click Add Rule to open the rule configuration pop-up.

  3. Enter a Rule Name: Allow access to internal service from trusted, external network.

  4. In the Connections section, set the Connection drop-down to Allow and the Connection Type to Inbound.

  5. Under Computers, select Choose Computers, Using Network Address, and enter the trusted Network Address/Subnet Mask. Click >> to add the computer to the computers list.

  6. Under Communications, select TCP, Custom List, Port Range, Local, and enter the port 6000 to 6005. Click >> to add the port to the communications list.

  7. Click OK to complete the rule.

  8. When you are finished creating or modifying the policy, click Save & Apply at the bottom of the policy configuration page. This action pushes out the policy and any new or any modified firewall rules to groups using the policy.
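The following Python model is an added example, not Symantec code, that ties together the three rule characteristics described above (Connections, Computers, Communications) and the three rules built by the procedures on this page. It evaluates sample connections against an ordered rule list so you can see how direction, the Local/Remote port setting and the computer identification options combine, and why rule order matters when a Block rule sits ahead of an Allow rule. The IP addresses are constructed placeholders standing in for www.POP3_mailserver.com, www.OurVendor.com and the trusted external network; first-match evaluation and a Block outcome for connections that no rule matches are assumptions of this model, not statements from the product documentation.

```python
import ipaddress
from dataclasses import dataclass

# --- Computers: the three ways the page identifies computers for a rule ---

def individual(address):
    """'Individually': one computer. Hostnames such as www.OurVendor.com are
    assumed to have been resolved to an IP address before matching."""
    target = ipaddress.ip_address(address)
    return lambda addr: ipaddress.ip_address(addr) == target

def ip_range(low, high):
    """'Using Range': every address from low to high inclusive."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    return lambda addr: lo <= ipaddress.ip_address(addr) <= hi

def network(address, subnet_mask):
    """'Using Network Address': an IP address plus its subnet mask."""
    net = ipaddress.ip_network(f"{address}/{subnet_mask}", strict=False)
    return lambda addr: ipaddress.ip_address(addr) in net

def any_computer(addr):
    """'Any computer': matches every remote address."""
    return True

def port_range(low, high):
    """'Port Range': all ports from the lowest to the highest number."""
    return frozenset(range(low, high + 1))

@dataclass
class Rule:
    name: str
    action: str            # "Allow" or "Block"
    direction: str         # "Inbound", "Outbound" or "Inbound and Outbound"
    computers: object = any_computer   # predicate over the remote address
    protocol: str = "All"  # "TCP", "UDP", "TCP and UDP", "ICMP", "ICMPv6" or "All"
    ports: frozenset = frozenset()     # empty set = every port of the protocol
    port_side: str = "Remote"          # "Local" or "Remote": which end the ports describe

@dataclass
class Connection:
    direction: str     # "Inbound" or "Outbound", seen from the protected computer
    protocol: str
    remote_addr: str
    local_port: int
    remote_port: int

def protocol_matches(rule_protocol, conn_protocol):
    if rule_protocol == "All":
        return True
    if rule_protocol == "TCP and UDP":
        return conn_protocol in ("TCP", "UDP")
    return rule_protocol == conn_protocol

def rule_matches(rule, conn):
    if rule.direction != "Inbound and Outbound" and rule.direction != conn.direction:
        return False
    if not protocol_matches(rule.protocol, conn.protocol):
        return False
    if not rule.computers(conn.remote_addr):
        return False
    if rule.ports:
        # Local ports are on the protected computer, remote ports on the peer.
        port = conn.local_port if rule.port_side == "Local" else conn.remote_port
        if port not in rule.ports:
            return False
    return True

def evaluate(rules, conn, default="Block"):
    """First matching rule decides, which is why rule order matters.
    The Block default for unmatched connections is an assumption of this model."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return default, "(no matching rule)"

# The three rules built by the procedures on this page. The addresses are
# constructed placeholders for www.POP3_mailserver.com, www.OurVendor.com and
# the trusted external network.
POLICY = [
    Rule("Allow POP3 email", "Allow", "Outbound",
         computers=individual("203.0.113.10"), protocol="TCP",
         ports=frozenset({110}), port_side="Remote"),
    Rule("Allow service on port 54321 from OurVendor.com", "Allow", "Outbound",
         computers=individual("198.51.100.25"), protocol="TCP",
         ports=frozenset({54321}), port_side="Remote"),
    Rule("Allow access to internal service from trusted, external network",
         "Allow", "Inbound", computers=network("192.0.2.0", "255.255.255.0"),
         protocol="TCP", ports=port_range(6000, 6005), port_side="Local"),
]

def check(direction, protocol, remote_addr, local_port, remote_port, rules=POLICY):
    """Evaluate one connection against an ordered rule list."""
    conn = Connection(direction, protocol, remote_addr, local_port, remote_port)
    return evaluate(rules, conn)

if __name__ == "__main__":
    print(check("Outbound", "TCP", "203.0.113.10", 51000, 110))     # POP3: allowed
    print(check("Outbound", "TCP", "203.0.113.10", 51001, 995))     # POP3S: no rule
    print(check("Inbound", "TCP", "192.0.2.77", 6003, 40000))       # trusted /24
    print(check("Inbound", "TCP", "198.51.100.25", 6003, 40000))    # untrusted
    # Ordering: a Block rule placed first shadows the Allow rule behind it.
    shadow = [Rule("Block host", "Block", "Inbound",
                   computers=individual("192.0.2.77"))] + POLICY
    print(check("Inbound", "TCP", "192.0.2.77", 6003, 40000, rules=shadow))
```

The second sample connection illustrates the note in the POP3 procedure: a mail server that only offers POP3 over SSL/TLS on port 995 is not covered by a rule that allows port 110 alone, so the connection falls through to the default. The last sample shows the effect of step 7 of the testing procedure: with a Block rule for one host placed ahead of the trusted-network Allow rule, that host is blocked even though it sits inside the allowed subnet.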