You install Symantec Endpoint Protection (SEP) with Network Threat Protection (NTP) on a computer that runs Windows 7 or later. When you open the Windows Firewall control panel, notice that it displays the following message: "These settings are being managed by vendor application Symantec Endpoint Protection." If you click Advanced Settings, the Windows firewall may indicate that it appears to be on for the individual profiles "Domain", "Private", or "Public", however, the rules within the Windows firewall are not actually applied.
This behavior differs from Windows XP or Windows Server 2003, which displays the Windows Firewall as explicitly off.
The behavior of Windows 7 and later with regards to third-party firewalls like the Symantec Endpoint Protection firewall differs slightly to previous versions of Windows. As of Windows 7, Microsoft changed the Security Center to the Action Center. In the Action Center, a more universal interface was created for protection technologies, such as firewall and antivirus.
This is expected behavior, and both Symantec Endpoint Protection and the Windows Firewall are working as intended. For Windows 7 and later, installing Symantec Endpoint Protection with Network Threat Protection and enabling the Symantec Endpoint Protection Firewall by policy takes control of the Windows Firewall for 3 of the 4 categories within the Windows Firewall. The categories managed by Symantec Endpoint Protection are the following:
You can confirm the categories of the Windows Firewall that the Symantec Endpoint Protection is registered by the following command line: netsh advfirewall show global
The remaining fourth category "ConSecRuleRuleCategory" is managed by the “Windows Firewall” as recommended by Microsoft in TechNet article: DirectAccess and Third-party Host Firewalls.
Microsoft recommends that you do not disable the Windows Firewall service when using a third-party host firewall. When the Windows Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows Firewall connection security rules to protect DirectAccess connections and traffic.
Symantec Endpoint Protection is using the Microsoft Windows Firewall guidelines and recommendations and does not replace Windows Firewall connection security (IPsec). This specification allows third-party host firewalls in Windows 7 to selectively replace specific elements of Windows Firewall functionality while retaining others. The introduction of “categories” makes it possible for third-party host firewalls to operate side-by-side with Windows Firewall.
You can also confirm that the Symantec Endpoint Protection client is providing firewall protection by checking the status in the Installed Firewall list, as well as in the General Firewall status section, which indicates that the firewall rules are being managed by Symantec Endpoint Protection.
To verify the true Windows Firewall status:
- Click Open Action Center > Security. Network Firewall displays a status of On.
- Click View installed firewall programs. Symantec Endpoint Protection displays a status of On. Windows Firewall displays a status of Off.
If both firewalls display a status of On, the Action Center shows the following warning: "Windows Firewall and Symantec Endpoint Protection both report that they are turned on".
Note: Two or more firewalls running at the same time can cause conflicts with each other.
Technical note: Only Symantec Endpoint Protection 12.1.x is supported on versions of Windows later than Windows 7.