Scf Policy Migration Guide

  • December 2019
  • PDF

Symantec Client Firewall Policy Migration Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 11.00.00.00.01

Legal Notice

Copyright © 2007 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Sygate, Symantec AntiVirus, Bloodhound, Confidence Online, Digital Immune System, and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, “Rights in Commercial Computer Software or Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week
■ Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and maintenance contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions
These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services
These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services
Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.

Installing and using the Symantec Client Firewall Migration Wizard

This document includes the following topics:

■ About the Symantec Client Firewall Migration Wizard
■ About installing the Symantec Client Firewall Migration Wizard
■ Installing the Symantec Client Firewall Migration Wizard
■ Converting Symantec Client Firewall policies
■ Importing migrated policies
■ What's changed in Symantec Endpoint Protection Manager
■ New default rules for each location
■ Migrating failed policies

About the Symantec Client Firewall Migration Wizard

The Symantec Client Firewall Migration Wizard converts a single Symantec Client Firewall policy into multiple policies that you can import with Symantec Endpoint Protection Manager. You convert a single Symantec Client Firewall policy after you export it from the Symantec Client Firewall Administrator. The formats that are supported for conversion are .cfp, .xml, and .cfu. The .cfp and .xml formats are full policy files. The .cfu format is an update policy file.


The Symantec Client Firewall Migration Wizard lets you create the following policies from .cfp and .xml formats:

■ Firewall policy for the default location
■ Firewall policies for each additional location
■ Firewall policy for pRules
■ Intrusion Prevention policy

Table 1-1 lists the options available in the Migration Tool and their corresponding output files and file content. All output Symantec Endpoint Protection Manager policies generated by the Migration Tool are in zip format.

Table 1-1 Output Data and Conditions

| Migration Tool option | Output File Name | Output File Content |
|---|---|---|
| Firewall policy—Default Location | .dat | Contains all of the Rules and Zone information associated with the Default Location and the Client Settings. |
| Firewall policy—All Locations | _.dat | One Symantec Endpoint Protection Manager firewall policy is created for each location in the input policy. Each location-specific firewall policy contains all of the Rules and Zone information associated with that Location and the Client Settings from the input policy. |
| Firewall policy—pRules | _prule.dat | Contains all of the pRules and the Client Settings in the input policy. |
| IPS policy | _ips.dat | Contains the IPS Settings and the AutoBlock Exclusions [under Zones] in the input policy. |

The Symantec Client Firewall Migration Wizard lets you create the following policies from .cfu formats:

■ Firewall policy for the default location
■ Firewall policy for pRules

The following information is migrated from a Symantec Client Firewall Administrator firewall policy to a Symantec Endpoint Protection Manager firewall policy:

■ Rules
■ pRules
■ Zones
■ Locations
■ Intrusion Prevention Settings
■ Client Settings

Firewall policies generated for locations contain rules created from the following information in the order listed:

■ Restricted Zone entries
■ Trusted Zone entries
■ Protocol Filtering
■ Client Settings
■ System rules
■ Application rules
■ Trojan rules
■ Default rule

Firewall policies generated for pRules contain rules created from the following:

■ pRules
■ Default rule

About installing the Symantec Client Firewall Migration Wizard

The Symantec Client Firewall Migration Wizard is composed of two files, SCFMigrationTool.bat and SCFMigrationTool.jar. These files are available in the TOOLS directory on the installation CD and from Symantec technical support. The Symantec Client Firewall Migration Wizard also requires Java Runtime Environment (JRE) 1.5 or later and does not include this software. The wizard runs on all operating systems that are supported by the Symantec Endpoint Protection Manager. Symantec Endpoint Protection Manager does not run on Microsoft Vista, and Microsoft Vista is not supported.

If you install the Symantec Client Firewall Migration Wizard on a computer that runs the Symantec Endpoint Protection Manager, installing JRE 1.5 or later is not necessary. Symantec Endpoint Protection Manager automatically installs JRE 1.5. If you install the Symantec Client Firewall Migration Wizard on a computer that does not run the Symantec Endpoint Protection Manager, you must install JRE 1.5 or later on that computer. You can download JRE 1.5 or later from http://www.sun.com.

Additionally, if you install the Symantec Client Firewall Migration Wizard on a computer that does not run Symantec Endpoint Protection, you must set the PATH environment variable. The PATH environment variable must point to the JRE runtime folder. An example of a PATH command that you run from a command prompt follows:

    PATH=%PATH%;c:\Program Files\Java\j2rel1.5.0\bin

The %PATH%; entry preserves the existing path information, and the JRE directory information is appended to the existing path information. You can display the current path information with the PATH command.

Installing the Symantec Client Firewall Migration Wizard

This installation method is a best practice and lets you quickly import migrated policies into the Symantec Endpoint Protection Manager.

To install the Symantec Client Firewall Migration Wizard

◆ On a computer that runs the Symantec Endpoint Protection Manager, copy SCFMigrationTool.bat and SCFMigrationTool.jar to the following directory:

    \\Program Files\Symantec\Symantec Endpoint Protection Manager\bin

Converting Symantec Client Firewall policies

The migration process involves selecting a policy file to migrate and selecting an output directory.

To convert Symantec Client Firewall policies

1 Copy the policies to migrate to a working directory.
2 Browse to and double-click SCFMigrationTool.bat.
3 In the Welcome panel, click Next.
4 In the Policy File Selection panel, click Browse and select a policy file to migrate from your working directory.
5 Click Browse, select an output directory, and then click Next.
6 In the Options and Migration panel, optionally uncheck policy files that you do not want to create, and then click Migrate.
7 When the migration completes, click Report to review the rules and options that were migrated.
8 In the Migration Status panel, click Finish.
9 Review the .dat files that are created in your output directory. You import these files with the Symantec Endpoint Protection Manager Console.

Importing migrated policies

You can import two basic types of policies, Firewall and Intrusion Prevention. Firewall policies have output file names in the following formats:

■ Firewall policy—Default Location: .dat
■ Firewall policy—All Locations: _.dat
■ Firewall policy—pRules: _prule.dat

Intrusion Prevention policies have the output file name format _ips.dat.

Note: Be sure that you import firewall policies under firewall. Attempting to import them under intrusion prevention will cause the import to fail. Be sure that you import intrusion prevention policies under intrusion prevention. Attempting to import them under firewall will cause the import to fail.

To import migrated policies

1 Log on to the Symantec Endpoint Protection Manager Console.
2 Click Policies.
3 Do one of the following:
  ■ Under View Policies, click Firewall.
  ■ Under View Policies, click Intrusion Prevention.
4 Do one of the following:
  ■ Under Tasks, click Import a Firewall Policy.
  ■ Under Tasks, click Import an Intrusion Prevention Policy.
5 In the Import Policy dialog box, browse to and select a migrated policy in your working directory.
6 In the right pane, click on and highlight the imported policy.
7 Under Tasks, click Edit the Policy and review the migrated policy.


What's changed in Symantec Endpoint Protection Manager

This section identifies some differences between the Symantec Client Firewall Administrator and the Symantec Endpoint Protection Manager. Differences include the following:

■ Zone Rules and pRules that were locked when migrated from the Symantec Client Firewall Administrator are unlocked in Symantec Endpoint Protection Manager. They can be modified after they are imported.
■ Symantec Endpoint Protection Manager does not migrate IPS V1.x signatures.
■ All Symantec Client Firewall Administrator rules with a Monitor action are disabled when they are migrated to Symantec Endpoint Protection Manager. Action is reset to Allow and logging is enabled.
■ Custom Alert Messages are truncated to 127 characters in Symantec Endpoint Protection Manager.

New default rules for each location

Symantec Endpoint Protection Manager creates some default rules for each location that you did not see in Symantec Client Firewall Administrator. These new default rules are created to duplicate the exact functional behavior of policies in Symantec Client Firewall Administrator. The new default rules for each location are based on the values that you select for the following settings:

■ Rule Exception Handling property for each location
■ Custom Security Level—Access Control Alert in General Client Settings
■ Custom Security Level—Firewall Level in General Client Settings

Table 1-2 shows the new default rules for each location.

Table 1-2 New default rules for each location

| Rule exception handling | Access control alert | Firewall level | Default rule with action... |
|---|---|---|---|
| PROMPT | ENABLE | Any | Ask |
| PROMPT | DISABLE | Medium | Pass |
| PROMPT | DISABLE | High | Drop |
| BLOCK | Any | Any | Drop |
| PERMIT | Any | Any | Pass |
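
The changes listed under "What's changed in Symantec Endpoint Protection Manager" and the Table 1-2 defaults can be turned into a review list to check against each imported policy. This is an added example, not part of the Symantec guide or the Migration Tool; the rule and location field names and the sample data are hypothetical and do not reflect the SCF policy file format.

```python
# Added example. Field names are hypothetical, not the SCF policy file format.
ALERT_LIMIT = 127  # Custom Alert Messages are truncated to 127 characters


def expected_default_action(exception_handling, access_alert, firewall_level):
    """Default rule action per Table 1-2, or None when no row matches."""
    if exception_handling == "BLOCK":
        return "Drop"
    if exception_handling == "PERMIT":
        return "Pass"
    if exception_handling == "PROMPT":
        if access_alert == "ENABLE":
            return "Ask"  # the firewall level column is "Any" for this row
        if access_alert == "DISABLE":
            return {"Medium": "Pass", "High": "Drop"}.get(firewall_level)
    return None


def review_items(rules, location):
    """Return (kind, name, what to verify) tuples for one migrated location."""
    action = expected_default_action(
        location["exception_handling"], location["access_alert"],
        location["firewall_level"])
    if action is None:
        note = "combination not in Table 1-2; inspect the default rule manually"
    else:
        note = f"default rule action should be {action}"
    items = [("location", location["name"], note)]
    for rule in rules:
        if rule["action"] == "Monitor":
            items.append(("rule", rule["name"],
                          "arrives disabled, action Allow, logging enabled"))
        if rule["locked"]:  # applies to Zone Rules and pRules
            items.append(("rule", rule["name"],
                          "was locked, is unlocked and editable after import"))
        overflow = len(rule["alert_message"]) - ALERT_LIMIT
        if overflow > 0:
            items.append(("rule", rule["name"],
                          f"alert message is truncated by {overflow} characters"))
    return items


# Constructed sample data; names and the non-Monitor actions are illustrative.
SAMPLE_LOCATION = {"name": "Office", "exception_handling": "PROMPT",
                   "access_alert": "DISABLE", "firewall_level": "High"}
SAMPLE_RULES = [
    {"name": "Watch outbound SMTP", "action": "Monitor", "locked": False,
     "alert_message": ""},
    {"name": "Block restricted zone", "action": "Block", "locked": True,
     "alert_message": "x" * 140},
    {"name": "Permit DNS", "action": "Permit", "locked": False,
     "alert_message": "DNS lookup"},
]

if __name__ == "__main__":
    for kind, name, note in review_items(SAMPLE_RULES, SAMPLE_LOCATION):
        print(f"{kind:9}{name:24}{note}")
```

A PROMPT location with the access control alert disabled and a firewall level other than Medium or High has no row in Table 1-2, so the function reports it for manual inspection instead of guessing.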

Migrating failed policies

Five security policies have failed migration from Symantec Antivirus to Symantec Endpoint Protection 11.0. Table 1-3 shows the failed policies and the versions in which they are found.

Table 1-3 Failed policies

| Defect Number | Security policy | Symantec Antivirus Version |
|---|---|---|
| 1142104 | retailprules.cfu | 9.x |
| 1142133 | VeryHighSecurity.xml | 10 or 10.1 |
| 1142130 | HighSecurity.xml | 10 or 10.1 |
| 1142126 | MediumSecurity.xml | 10 or 10.1 |
| 1142121 | LowSecurity.xml | 10 or 10.1 |

The following procedure details a workaround that enables you to migrate these security policies.

To migrate the failed policies

1 Open the Symantec Client Firewall Administrator.
2 If you are migrating from Symantec Antivirus 9.x, select the retailprules.cfu policy from the cd4 folder.
3 If you are migrating from Symantec Antivirus 10 or 10.1, select one of the following security policies from the cd4 folder:
  ■ VeryHighSecurity.xml
  ■ HighSecurity.xml
  ■ MediumSecurity.xml
  ■ LowSecurity.xml
4 Import the security policy into the Symantec Client Firewall Administrator.
5 Export the security policy from the Symantec Client Firewall Administrator using the Save As... command. The firewall administrator saves the file with a .cfp file extension.
6 Open the Symantec Client Firewall Migration Tool using the SCFMigrationTool.bat file from the command prompt. A wizard launches.
7 Browse and select the security policy file with the .cfp file extension.
8 Specify an output directory.
9 Click Next and Migrate.
10 Click Finish. The .dat files appear in your output folder and can be used in Symantec Endpoint Protection 11.0.
