Endpoint Protection

  • 1.  DNS Domain firewall rules not blocking traffic.

    Posted Jun 23, 2009 05:04 PM
    I have multiple DNS domain sites defined in my firewall rules on SEPM. And to be straight to the point, they are not working. I have sites such as *.facebook.* defined. I have also tried *facebook* and neither blocks the site.

    I have resolved www.myspace.com and adding it as an IP works, but only if they grab that particular myspace server, and obviously, there's lots.

    I should note that prior to loading MR4MP2, they worked fine. What gives?

    My clients are all grabbing the firewall rules perfectly, there's no communications error. I've attached an image of the rules.




  • 2.  RE: DNS Domain firewall rules not blocking traffic.

    Posted Jun 23, 2009 05:21 PM
    Double-check your FW rules:


    1. Open Symantec Endpoint Protection Manager
    2. Click on Policies button
    3. Under view Policies > Select Firewall
    4. Edit the existing Firewall Policy
    5. Click Rules
    6. Right Click Rule Number 2 and Select Add a Blank Rule
    7. Right Click Under the Action and Set it to Block
    8. Right Click on the Host Select Edit
    9. Under Specify host names or addresses of computers that trigger the rule, select: Local/Remote
    10. Under Remote, click Add; under Type, select DNS domain
    11. Under DNS Domain type the name of the Website e.g. : *.facebook.com
    12. Click OK and close the Host List Window
    13. Click OK and close the Firewall Policy Window
    14. Assign the policy to the desired group

    Note: In the same way, if you add *.com in Step 11 it will block the entire range of .com websites
    Note: Make sure on all the computers you have NTP installed


  • 3.  RE: DNS Domain firewall rules not blocking traffic.

    Posted Jun 24, 2009 09:30 AM
    Yeah, the firewall rules are exactly what you said. I know how to create and assign rules, and like I said, it was working fine before upgrading to the latest version of SEPM.

    Right now, IP entries into the firewall rule work. DNS Domains do not.

    I will also add that NTP is enabled on all clients, and is set to sync with the IP of the SEPM server.

    This is really frustrating. "Upgrading" has broken WAY more than it has fixed.



  • 4.  RE: DNS Domain firewall rules not blocking traffic.

    Posted Jun 24, 2009 11:42 AM
    If you delete the rule with all those hosts and create a test rule with just one host, does it still fail?  You have an awful lot of hosts listed - not sure how many the firewall can handle.

    You might also think about what you're trying to accomplish.  Based on the list I see here, it looks like you're pretty much trying to block internet access.  If so, there is no way you can list all the sites you don't want your people to visit.  Would you do better to allow specific sites, and then block all others?

    Have you thought about a proxy?


  • 5.  RE: DNS Domain firewall rules not blocking traffic.

    Posted Jun 24, 2009 11:47 AM
    Also - why are you listing specific browsers rather than blocking all apps?  Is it okay for someone to use Chrome?  Or any one of the less-known browsers?  Or to FTP?  Sorry - this doesn't directly address your problem - but I think you might solve your problem, have more effective results, and have less maintenance if you considered an alternate approach.


  • 6.  RE: DNS Domain firewall rules not blocking traffic.
    Best Answer

    Posted Jun 24, 2009 03:16 PM
    I have found the problem.

    There was a GPO set improperly. The specific GPO was in the Default Domain Policy, and was located in:

    Offending Policy (in this case - Default Domain Policy)/User Configuration/Windows Settings/Internet Explorer Maintenance/Security/Security Zones and Privacy

    The invalid setting was set to "Import the current security zones and privacy settings".

    It caused IE security to be improperly set, which in turn I guess hurt the ability to filter by the firewall. Changing this setting to "Do not customize security zones and privacy" and doing a GPUpdate across the domain then forcing firewall rules out again resolved the issue.