Windows Defender Firewall still shows as on with Endpoint Protection Network Threat Protection installed
Last Updated July 09, 2019
You install Symantec Endpoint Protection (SEP) with Network Threat Protection (NTP) on a computer that runs Windows 7 or later. When you open the Windows Defender Firewall control panel, you notice that it displays the following message: "These settings are being managed by vendor application Symantec Endpoint Protection." If you click Advanced Settings, the Windows Defender Firewall may indicate that it appears on for the individual profiles "Domain", "Private", or "Public", however, the rules within the Windows Defender Firewall are not actually applied.
This behavior differs from Windows XP or Windows Server 2003, which displays the Windows Firewall as explicitly off.
Microsoft Windows 7 or later
Microsoft Windows Server 2008 or later
The behavior of Windows 7 and later with regards to third-party firewalls like SEP differs slightly from previous versions of Windows. As of Windows 7, Microsoft changed the Security Center to the Action Center. In the Action Center, a more universal interface was created for protection technologies, such as firewall and antivirus.
This is expected behavior, and both SEP and the Windows Defender Firewall are working as intended. For Windows 7 and later, installing SEP with Network Threat Protection and enabling the SEP Firewall by policy takes control of three of the four categories within the Windows Defender Firewall. The categories managed by SEP are the following:
You can confirm the categories of the Windows Firewall that the SEP is registered by running the following command: netsh advfirewall show global
Microsoft recommends that you do not disable the Windows Firewall service when using a third-party host firewall. When the Windows Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows Firewall connection security rules to protect DirectAccess connections and traffic.
SEP is using the Microsoft Windows Firewall guidelines and recommendations and does not replace Windows Firewall connection security (IPsec). This specification allows third-party host firewalls in Windows 7 to selectively replace specific elements of Windows Defender Firewall functionality while retaining others. The introduction of "categories" makes it possible for third-party host firewalls to operate side-by-side with Windows Firewall.
You can also confirm that the SEP client is providing firewall protection by checking the status in the Installed Firewall list, as well as in the General Firewall status section, which indicates that the firewall rules are being managed by SEP.
To verify the firewall status:
Click Open Action Center > Security. Network Firewall displays a status of On.
Click View installed firewall programs. SEP displays a status of On. Windows Defender Firewall displays a status of Off.
If both firewalls display a status of On, the Action Center shows the following warning: "Windows Firewall and SEP both report that they are turned on". Note: Two or more firewalls running at the same time can cause conflicts with each other.
Imported Document ID: TECH123729
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe