Endpoint Protection

As a test, i tried to block google.com
In the rule, under Host List under Remote I have set the DNS domain to *.google.com
I made sure the policy was picked up by the client, but it does not work

if I change the DNS domain to * then eveything is blocked so it appears to work. However, any time I put a name in there, it stops working.

I've tried the KB articles and followed them exactly but I can only get it to block when I put in the *

Any ideas?

Try adding the domain to block as *google*

No, still no dice

Blame akamai....................
I had to use custom IPS signatures and block using packets.

Also, if you have your DNS servers excluded in SEP anywhere, it won't look to them for name resolution and the firewall will fail to block.
I tried to block our DNS servers from IPS and such, and it completely messed up the firewall's ability to resolve names to address, and exluding the servers from detection means for some corrupted weird resoning, that SEP stops using them for resolution as well!

Be very careful... by design the agent will block any traffic for which it cannot resolve the name once you start putting in DNS rules (at least, it used to work that way - better verify).

Try creating a rule for just your browser (for example, iexplore.exe) with remote hostname *google.com and make sure that reverse DNS resolution is not disabled.

Blocking by domain is not effective against anybody who knows what they are doing anyway.  You are better off forcing clients to route traffic through a proxy and content engine, although even that has gaps.

In my world, blocking by domain has other reasons, not to thwart folks who have evil intent and can figure out how to use a proxy to get out.
It's to prevent accidental hits on sites that have bad files on them, block email links to suspect web sites (phishing, phony AV, etc.)
No use blocking by IP address as they move to different servers constantly, and thus change the IP address anyway.

We do use it to block some things like eBay use, but then our folks can't figure out how to flush a browser cache on most days so I don't worry about "them finding a way around it" anyway.
Power button? OK, what is that again? Where is it?
But because of the way things like facebook and others work, they have no set IP address, and they share IP addresses with menards.com, walmart.com, even Symantec.com was blocked here when I experimented with domain blocking! The AKAMAI servers used to resolve really confuse SEP, so the best block was custom intrusion prevention signatures.
I created sigs that looked for the strings inside of packets like "ebay.com" for example. WOW, is that effective and there's no boo-boos caused by DNS issues or AKAMAI any more.

@ShadowsPapa,

If possible, could you attach one of your sigs I would be able to look at and build on in my testing?

My main concern is user's who go off network. We had a pretty serious outbreak and we identified malicious domains being contacted. We were able to block them internally but I need to do something for our laptop users when they leave the network. SEP would be perfect, I just can't seem to be able to get blocking to work in my test lab.

Hello Brain,
I add one article for bloking sites via firewall policy,
Please check it is work or not. I hope it will help you too.
https://www-secure.symantec.com/connect/articles/how-block-internet-address-sep-manager-firewall-rule

Hi Fatih,

I did see this and followed it exactly but still no luck. I'm starting to think I have a different issue.

it only work when I block by DNS domain and add "*" in which case blocks the entire Internet. So that does work, it's just when I add domain names like *.google.com then it does not work.

Hello Brian,
Are Your site block rule is in first line? target and source is true right?
Thank you

Best Regards,
Fatih

See if this helps - if all can be seen in this image:

Thanks ShadowsPapa for the screen. I made a test policy identical to it but still no dice. I'll keep playing around with it. Has to be something I'm missing / doing wrong

@Fatih,

Yes, I do have it on the first line and target / source look t be right. I essentially followed your guide word for word :-)

Hello again Brian :-)
did you try your policy in test group and another computer have diffrent etnernet card. Intel or 3com etc.

Best Regards.
Fatih.

I did, I tried on 3 different machines all with the same NIC. I'll see if I can find another with a different NIC though.