Symantec Client Firewall Policy Migration Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 11.00.00.00.01

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week
■ Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and maintenance contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

Symantec Early Warning Solutions
These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services
These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services
Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com

Select your country or language from the site index.

Installing and using the Symantec Client Firewall Migration Wizard

This document includes the following topics:
■ About the Symantec Client Firewall Migration Wizard
■ About installing the Symantec Client Firewall Migration Wizard
■ Installing the Symantec Client Firewall Migration Wizard
■ Converting Symantec Client Firewall policies
■ Importing migrated policies
■ What's changed in Symantec Endpoint Protection Manager
■ New default rules for each location
■ Migrating failed policies

About the Symantec Client Firewall Migration Wizard

The Symantec Client Firewall Migration Wizard converts a single Symantec Client Firewall policy into multiple policies that you can import with Symantec Endpoint Protection Manager. You convert a single Symantec Client Firewall policy after you export it from the Symantec Client Firewall Administrator. The formats that are supported for conversion are .cfp, .xml, and .cfu. The .cfp and .xml formats are full policy files. The .cfu format is an update policy file.

The Symantec Client Firewall Migration Wizard lets you create the following policies from .cfp and .xml formats:
■ Firewall policy for the default location
■ Firewall policies for each additional location
■ Firewall policy for pRules
■ Intrusion Prevention policy

Table 1-1 lists the options available in the Migration Tool and their corresponding output files and file content. All output Symantec Endpoint Protection Manager policies generated by the Migration Tool are in zip format.

Table 1-1 Output Data and Conditions

| Migration Tool option | Output File Name | Output File Content |
|---|---|---|
| Firewall policy—Default Location | .dat | Contains all of the Rules and Zone information associated with the Default Location and the Client Settings. |
| Firewall policy—All Locations | _.dat | One Symantec Endpoint Protection Manager firewall policy is created for each location in the input policy. Each location-specific firewall policy contains all of the Rules and Zone information associated with that Location and the Client Settings from the input policy. |
| Firewall policy—pRules | _prule.dat | Contains all of the pRules and the Client Settings in the input policy. |
| IPS policy | _ips.dat | Contains the IPS Settings and the AutoBlock Exclusions [under Zones] in the input policy. |

The Symantec Client Firewall Migration Wizard lets you create the following policies from .cfu formats:
■ Firewall policy for the default location
■ Firewall policy for pRules

The following information is migrated from a Symantec Client Firewall Administrator firewall policy to a Symantec Endpoint Protection Manager firewall policy:
■ Rules
■ pRules
■ Zones
■ Locations
■ Intrusion Prevention Settings
■ Client Settings

Firewall policies generated for locations contain rules created from the following information in the order listed:
■ Restricted Zone entries
■ Trusted Zone entries
■ Protocol Filtering
■ Client Settings
■ System rules
■ Application rules
■ Trojan rules
■ Default rule

Firewall policies generated for pRules contain rules created from the following:
■ pRules
■ Default rule

About installing the Symantec Client Firewall Migration Wizard

The Symantec Client Firewall Migration Wizard is composed of two files, SCFMigrationTool.bat and SCFMigrationTool.jar. These files are available in the TOOLS directory on the installation CD and from Symantec technical support. The Symantec Client Firewall Migration Wizard also requires Java Runtime Environment (JRE) 1.5 or later and does not include this software. The wizard runs on all operating systems that are supported by the Symantec Endpoint Protection Manager. Symantec Endpoint Protection Manager does not run on Microsoft Vista, and Microsoft Vista is not supported.

If you install the Symantec Client Firewall Migration Wizard on a computer that runs the Symantec Endpoint Protection Manager, installing JRE 1.5 or later is not necessary. Symantec Endpoint Protection Manager automatically installs JRE 1.5. If you install the Symantec Client Firewall Migration Wizard on a computer that does not run the Symantec Endpoint Protection Manager, you must install JRE 1.5 or later on that computer. You can download JRE 1.5 or later from http://www.sun.com.

Additionally, if you install the Symantec Client Firewall Migration Wizard on a computer that does not run Symantec Endpoint Protection, you must set the PATH environment variable. The PATH environment variable must point to the JRE runtime folder. An example of a PATH command that you run from a command prompt follows:

    PATH=%PATH%;c:\Program Files\Java\j2rel1.5.0\bin

The %PATH%; entry preserves the existing path information, and the JRE directory information is appended to the existing path information. You can display the current path information with the PATH command.

Installing the Symantec Client Firewall Migration Wizard

This installation method is a best practice and lets you quickly import migrated policies into the Symantec Endpoint Protection Manager.

To install the Symantec Client Firewall Migration Wizard
◆ On a computer that runs the Symantec Endpoint Protection Manager, copy SCFMigrationTool.bat and SCFMigrationTool.jar to the following directory:
    \\Program Files\Symantec\Symantec Endpoint Protection Manager\bin

Converting Symantec Client Firewall policies

The migration process involves selecting a policy file to migrate, and selecting an output directory.

To convert Symantec Client Firewall policies
1 Copy the policies to migrate to a working directory.
2 Browse to and double-click SCFMigrationTool.bat.
3 In the Welcome panel, click Next.
4 In the Policy File Selection panel, click Browse and select a policy file to migrate from your working directory.
5 Click Browse, select output directory, and then click Next.
6 In the Options and Migration panel, optionally uncheck policy files that you do not want to create, and then click Migrate.
7 When the migration completes, click Report to review the rules and options that were migrated.
8 In the Migration Status panel, click Finish.
9 Review the .dat files that are created in your output directory. You import these files with the Symantec Endpoint Protection Manager Console.

Importing migrated policies

You can import two basic types of policies, Firewall and Intrusion Prevention. Firewall policies have output file names in the following formats:
■ Firewall policy—Default Location: .dat
■ Firewall policy—All Locations: _.dat
■ Firewall policy—pRules: _prule.dat

Intrusion Prevention policies have the output file name format _ips.dat.

Note: Be sure that you import firewall policies under firewall. Attempting to import them under intrusion prevention will cause the import to fail. Be sure that you import intrusion prevention policies under intrusion prevention. Attempting to import them under firewall will cause the import to fail.

To import migrated policies
1 Log on to the Symantec Endpoint Protection Manager Console.
2 Click Policies.
3 Do one of the following:
  ■ Under View Policies, click Firewall.
  ■ Under View Policies, click Intrusion Prevention.
4 Do one of the following:
  ■ Under Tasks, click Import a Firewall Policy.
  ■ Under Tasks, click Import an Intrusion Prevention Policy.
5 In the Import Policy dialog box, browse to and select a migrated policy in your working directory.
6 In the right pane, click on and highlight the imported policy.
7 Under Tasks, click Edit the Policy and review the migrated policy.
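
The following is an added example, not part of the Symantec guide or its tooling: a Python script that inventories a migration output directory before import, mapping each file to the console task it belongs under by the suffixes listed above and checking that it really is a zip archive, as the guide says generated policies are. The `office*` file names, the placeholder archive member, and the function names are constructed for illustration; only the file name suffixes are matched, because the guide does not specify the rest of the name.

```python
import os
import tempfile
import zipfile

# Suffixes are the ones the guide lists; whatever precedes them is not parsed.
# A location whose name is literally "ips" or "prule" would be misfiled here.
TASKS = (
    ("_ips.dat", "intrusion prevention", "Import an Intrusion Prevention Policy"),
    ("_prule.dat", "firewall (pRules)", "Import a Firewall Policy"),
    (".dat", "firewall (location)", "Import a Firewall Policy"),
)


def classify_policy(path):
    """Return (policy_type, import_task, problem) for one migrated file."""
    name = os.path.basename(path).lower()
    for suffix, kind, task in TASKS:
        if name.endswith(suffix):
            break
    else:
        return ("unknown", None, "not a .dat file")
    # The guide states that generated policies are zip archives, so anything
    # else is truncated, corrupted, or was not written by the migration tool.
    if not zipfile.is_zipfile(path):
        return (kind, task, "not a zip archive")
    with zipfile.ZipFile(path) as archive:
        damaged = archive.testzip()  # first member failing its CRC, or None
    problem = f"corrupt member: {damaged}" if damaged else None
    return (kind, task, problem)


def inventory(output_dir):
    """Classify every file in the output directory, sorted by file name."""
    return [(n,) + classify_policy(os.path.join(output_dir, n))
            for n in sorted(os.listdir(output_dir))
            if os.path.isfile(os.path.join(output_dir, n))]


def build_sample_dir():
    """Constructed sample output directory (file names are hypothetical)."""
    root = tempfile.mkdtemp(prefix="scf_migrated_")
    for name in ("office.dat", "office_home.dat", "office_prule.dat", "office_ips.dat"):
        with zipfile.ZipFile(os.path.join(root, name), "w") as archive:
            archive.writestr("placeholder.txt", "constructed sample content")
    with open(os.path.join(root, "truncated_ips.dat"), "wb") as handle:
        handle.write(b"PK\x03\x04")  # zip magic only: an interrupted copy
    return root


if __name__ == "__main__":
    for name, kind, task, problem in inventory(build_sample_dir()):
        print(f"{name:20} {kind:22} {problem or 'ok: ' + task}")
```

A file flagged with a problem should be regenerated with the wizard rather than imported, and the task column tells you which of the two import tasks from step 4 applies.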

What's changed in Symantec Endpoint Protection Manager

This section identifies some differences between the Symantec Client Firewall Administrator and the Symantec Endpoint Protection Manager. Differences include the following:
■ Zone Rules and pRules that were locked when migrated from the Symantec Client Firewall Administrator are unlocked in Symantec Endpoint Protection Manager. They can be modified after they are imported.
■ Symantec Endpoint Protection Manager does not migrate IPS V1.x signatures.
■ All Symantec Client Firewall Administrator rules with a Monitor action are disabled when they are migrated to Symantec Endpoint Protection Manager. Action is reset to Allow and logging is enabled.
■ Custom Alert Messages are truncated to 127 characters in Symantec Endpoint Protection Manager.

New default rules for each location

Symantec Endpoint Protection Manager creates some default rules for each location that you did not see in Symantec Client Firewall Administrator. These new default rules are created to duplicate the exact functional behavior of policies in Symantec Client Firewall Administrator. The new default rules for each location are based on the values that you select for the following settings:
■ Rule Exception Handling property for each location
■ Custom Security Level—Access Control Alert in General Client Settings
■ Custom Security Level—Firewall Level in General Client Settings

Table 1-2 shows the new default rules for each location.

Table 1-2 New default rules for each location

| Rule exception handling | Access control alert | Firewall level | Default rule with action... |
|---|---|---|---|
| PROMPT | ENABLE | Any | Ask |
| PROMPT | DISABLE | Medium | Pass |
| PROMPT | DISABLE | High | Drop |
| BLOCK | Any | Any | Drop |
| PERMIT | Any | Any | Pass |

Migrating failed policies

Five security policies have failed migration from Symantec Antivirus to Symantec Endpoint Protection 11.0. Table 1-3 shows the failed policies and the versions in which they are found.

Table 1-3 Failed policies

| Defect Number | Security policy | Symantec Antivirus Version |
|---|---|---|
| 1142104 | retailprules.cfu | 9.x |
| 1142133 | VeryHighSecurity.xml | 10 or 10.1 |
| 1142130 | HighSecurity.xml | 10 or 10.1 |
| 1142126 | MediumSecurity.xml | 10 or 10.1 |
| 1142121 | LowSecurity.xml | 10 or 10.1 |

The following procedure details a workaround that enables you to migrate these security policies.

To migrate the failed policies
1 Open the Symantec Client Firewall Administrator.
2 If you are migrating from Symantec Antivirus 9.x, select the retailprules.cfu policy from the cd4 folder.
3 If you are migrating from Symantec Antivirus 10 or 10.1, select one of the following security policies from the cd4 folder:
  ■ VeryHighSecurity.xml
  ■ HighSecurity.xml
  ■ MediumSecurity.xml
  ■ LowSecurity.xml
4 Import the security policy into the Symantec Client Firewall Administrator.
5 Export the security policy from the Symantec Client Firewall Administrator using the Save As... command. The firewall administrator saves the file with a .cfp file extension.
6 Open the Symantec Client Firewall Migration Tool using the SCFMigrationTool.bat file from the command prompt. A wizard launches.
7 Browse and select the security policy file with the .cfp file extension.
8 Specify an output directory.
9 Click Next and Migrate.
10 Click Finish. The .dat files appear in your output folder and can be used in Symantec Endpoint Protection 11.0.