Configuring which events are written to the firewall logs

Article ID: 155842

Updated On:

Products

Endpoint Protection

Issue/Introduction

The default firewall rules in Symantec Endpoint Protection Manager (SEPM) block some traffic, or do not log the events generated by the rules that fire. The customer wants to log the events produced by those rules so that the logs show which rule is responsible for a block.

Cause

The rule set that is installed with the Symantec Endpoint Protection Manager (SEPM) by default does not necessarily match the customer's specific needs, and its rules do not all write to the firewall logs.

Resolution

To perform the modifications from within a specific client group:

  1. In the SEPM, go to Clients, select the group for which you want to make the changes, and open the Policies tab. If "Inherit policies and settings from parent group 'My Company'" is enabled, either disable it or make the changes in the parent group from which the policies are inherited.
  2. On the Policies tab of the client group, the Firewall policy is listed. Select the Firewall policy and then choose either "edit shared" (the changes apply to every group to which the current firewall policy is assigned) or "create non-shared" (a new copy of the policy with the new settings is created for the current group and for its sub-groups that have policy inheritance enabled).
  3. In the policy editor, click "Rules" on the left. Use the horizontal scroll bar to scroll right until you see the "Log" column. Right-click each firewall rule you want to change and select the option you require ("write to traffic log" or "write to packet log"). The packet log records the individual packets that match the rule and grows quickly, so enable it only on the rules you are actively troubleshooting. When all changes have been made, click OK to save them.

To perform the modifications from the Policies tab:

In the SEPM, go to Policies. In the policy list, click Firewall and select the Firewall policy you want to modify. Click "Edit the policy" in the Tasks list below and follow step 3 above. The new settings take effect in every group to which that policy is assigned.

To configure this setting when creating a new firewall rule:

When you add a new firewall rule to an existing Firewall policy, the last setting you are prompted for concerns the logging of events generated when that rule is triggered. At that stage you are only asked whether to log these events ("yes" or "no"); if you answer "yes", the events are written to the Traffic log. Once the rule has been created, you can change this setting with the same procedure used above for editing existing firewall rules.

Remember that modifications made in the SEPM reach the Endpoint Protection (SEP) clients only at the next heartbeat (the client's scheduled contact with the server) or when you manually force a policy update on the client (for example, "Update Policy" in the client's tray icon menu). Until then the client continues to enforce, and log according to, its previous copy of the policy.