After an upgrade from 6.0 R2.0 to 6.1 R2.1 on an SA-2000, we have hit the same problem that we had in early April after we went to 2.0. Some XP SP2 computers are getting a host checker message that the firewall is not enabled while others work. After the 2.0 issue we "fixed" it by removing the XP SP2 firewall, saving the settings and then re-adding it. This time that trick is not working.
The Security Center says it's enabled, a port scan confirms it's enabled, the registry keys seem correct, but the Host Checker in ESAP 1.3.7 says it is not enabled.
Other people reported this on my last thread. Did anyone get a definitive answer as to how to fix this? I opened another JTAC case but the last time they could not help and would not tell me what precisely the host checker is looking for.
JTAC confirmed there is a known issue with detecting the XP SP2 firewall in ESAP 1.3.6 and 1.3.7. It should be fixed in ESAP 1.3.8 due by the end of Q2 (another month). We rolled back to ESAP 1.3.4 and the XP SP2 firewall is now detected correctly.
Unfortunately we wanted to start deploying Symantec Endpoint Protection v11 and now we can't. ESAP 1.3.7 correctly detected the SEP firewall and anti-virus. ESAP 1.3.4 correctly detected the anti-virus but it says the firewall is not working. <sigh>
I got the same issue. Instead of downgrading the ESAP package, I changed my check method to a check in the registry database.
The key is in HKEY_LOCAL_MACHINE: EnableFirewall, and the value is as follows: 0 if disabled and 1 if enabled.
Perhaps this could help you.
Thanks for the suggestion. I actually ran RegMon as part of the troubleshooting and confirmed that is the key being looked at in the StandardPolicy and it is being queried successfully by ESAP 1.3.7. My problem is we have a variety of host checker policies at the realm level and we require them all to be passed before an end user can get to the login page. If I add that check as a new policy it will break the people who rely on a different firewall (one that switches off the XP firewall).
The host checker system needs some AND/OR logic in it. <sigh>
Could you perhaps create your own boolean custom host check using multiple standard host checks within a Role Mapping using custom expressions? i.e.
Service running AND Registry Check AND Process OR, etc, etc....??
Or is it easier to just wait for the new ESAP version?