This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application system and savservice was blocked by an endpoint firewall

On my newly imaged windows 10 pcs (1803) I am seeing these items in the event log.

never had this before.  Just wondering what these thing are

  Jun 27, 2018 10:51 AM Application svchost was blocked by an endpoint firewall  
    Jun 27, 2018 10:43 AM Application savservice was blocked by an endpoint firewall  
    Jun 25, 2018 1:31 PM Application system was blocked by an endpoint firewall  
    Jun 25, 2018 10:21 AM Update succeeded  
    Jun 25, 2018 10:14 AM Application svchost was blocked by an endpoint firewall  
    Jun 25, 2018 9:42 AM Update succeeded  
    Jun 25, 2018 9:26 AM Download of WindowsCloudNextGen failed from server http:∕∕dci.sophosupd.com.  
    Jun 22, 2018 1:53 PM Application lsass was blocked by an endpoint firewall  
    Jun 22, 2018 1:52 PM Application system was blocked by an endpoint firewall  
    Jun 21, 2018 8:41 PM Application savservice was blocked by an endpoint firewall  
    Jun 21, 2018 4:58 PM Application svchost was blocked by an endpoint firewall  
    Jun 21, 2018 4:53 PM Application svchost was blocked by an endpoint firewall


This thread was automatically locked due to age.
Parents
  • Hi waynecutler,

    Sophos Central now monitors Windows Firewall on most Windows desktops and servers. Please review this article for details.
    You may also want to  have  a look at this link for additional information 

    You can find the settings in central under Overview --> Endpoint Protection Dashboard --->Policies --> Windows Firewall

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • See below

    Monitor Type

    In Monitor Type, select the level of monitoring you want:

    • Disabled. Devices won't report their firewall status to Sophos Central.
    • Monitor Only. Devices will report their firewall status to Sophos Central. This is the default option.
    • Monitor and Configure Network Profiles. Devices will report their firewall status to Sophos Central. You can also choose whether to block or allow inbound connections on Domain NetworksPrivate Networks and Public Networks.

  • Hello Celso and waynecutler,

    Regarding the Policy, while in "Monitor only" it reports the current status of your Firewall to Sophos Central. So if your firewall is set up to block those files, then you will receive an alert via Central. To change the block behavior, you'll need to make changes on the firewall itself.
    Is Windows Firewall managed by GPO? If that's the case, please have a look at this article.

    I have reviewed the documentation and did not see the "disabled" option in Central either. I will find out more about this option and get back to you with an update. 

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Yes, we are using a GPO firewall. In that article it says "In instances where Windows Endpoints and Servers have the Windows Firewall managed by Group Policy (GPO), the configuration set in the Windows Firewall policy will not be applied."

    That means Sophos will then not apply the GPO policies for the firewall? What is it good for?

    How can we get our firewall policies working again? Nothing was changed and it was working until this.

    I tried to configure the policy to "Allow all" but it in fact DISABLES the Windows Firewall altogether.

Reply
  • Yes, we are using a GPO firewall. In that article it says "In instances where Windows Endpoints and Servers have the Windows Firewall managed by Group Policy (GPO), the configuration set in the Windows Firewall policy will not be applied."

    That means Sophos will then not apply the GPO policies for the firewall? What is it good for?

    How can we get our firewall policies working again? Nothing was changed and it was working until this.

    I tried to configure the policy to "Allow all" but it in fact DISABLES the Windows Firewall altogether.

Children
  • Hello Celso,

    I reached out to our team and gathered the following information regarding the disable option: 

    The disable option listed in the documentation is incorrect. The policy is enabled at all times, cannot be disabled and that option does not exist. The documentation will get updated to reflect this.

     

    As for your other questions:

     

    In instances where Windows Endpoints and Servers have the Windows Firewall managed by Group Policy (GPO), the configuration set in the Windows Firewall policy will not be applied. This is to prevent issues as a result of endpoints being partially managed by two different mechanisms.  --> This means Sophos will not apply any chances via Sophos policy, as you already have a GPO in place taking care of the Firewall . 

    Using the monitoring only feature will report your firewall status to Central. The settings that you are using on your Firewall will be reported to Central, Sophos will not managed those.

    The other option is to set the Monitor and Configure network profile options, as covered in the article + documentation provided before:
    The following connection types can be configured for each profile:

    Allow All: Allows all inbound traffic through the firewall.

    Block (with exceptions): It makes use of the computers Local Policy or Windows Group Policy configuration for inbound application connection blocking. This is not configured by Sophos Central. If no exceptions have been configured, all inbound connections are blocked.

    Block All: Provides inbound application connection blocking against all network connectivity.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.