Changing the SEP firewall default settings to enable Symantec Endpoint Protection (SEP) to work with the Symantec Data Loss Prevention Network Monitor Detection Server

Applies To

DLP Network Monitor Server

All SEP 12.x supported OS versions, including Windows 2003 and Windows 2008r2

Summary

Although both SEP and DLP function as designed, to enable them to work together the SEP firewall must be set to allow DLP Network Monitor to capture packets. The SEP version 12.x default firewall policy blocks the DLP Network Monitor Detection Server from capturing IP packets when it is using a regular network interface card (NIC), such as the Intel Server or Broadcom NICs.  If the SEP IP default traffic settings  to "Allow only application traffic” are used,  all IP packets captured through regular NIC are blocked by the firewall. 

Note:  The SEP firewall set to the default does not block packet capture by high-speed packet capture adapters, such as the Napatech NT4E card. The Napatech NT4E  is not subject to any firewall policy, as it is not implemented on the OS level as a standard network interface.

Use the following SEP IP traffic setting to configure SEP to allow DLP traffic:

Unmatched IP Traffic Settings:  Configure to “Allow IP traffic.”  This setting allows all incoming and outgoing traffic (including DLP traffic), unless a firewall rule states otherwise.  For example, if you add a firewall rule that blocks VPN traffic, the firewall allows all other traffic except for the VPN traffic.

IP traffic includes the data packets that flow through IP networks and those that use the TCP, UDP, and ICMP protocols. Applications, mail exchanges, file transfers, ping programs, and Web transmissions are all types of IP traffic. 

Although you can also enable DLP Network Monitor by opting out of the firewall component during SEP installation, or by disabling the SEP firewall after installation, we do not recommend these options.