Learn how you can prevent the Deep Security Agent (DSA) from changing the Windows Firewall settings.
By default, DSA installation will disable Windows Firewall. However, if Windows Firewall is enabled via GPO, then Deep Security will not be able to turn off Windows Firewall.
In some cases, Deep Security may not turn off Windows Firewall, but will modify its port and process exclusions and cause legitimate applications to be blocked by Windows Firewall.
To resolve this issue:
- Download the DSA MSI package transform file for your Deep Security version. This will prevent the Deep Security Agent from trying to change the Windows Firewall settings.
- Use the following command to install the MSI package:
msiexec /i <path to Agent.msi> TRANSFORMS=<path to Leave_Firewall.mst> /L*v c:\dsa_install.log
Note: In some environments running Deep Security 9.0, the TRANSFORMSSECURE setting may need to be used along with the MST file. The command would then be:
msiexec /i <path to Agent.msi> TRANSFORMS=<path to Leave_Firewall.mst> TRANSFORMSSECURE=0 /L*v c:\dsa_install.log
Setting the TRANSFORMSSECURE property to "0" informs the installer that transforms are not to be cached locally on the user's computer in a location where the user does not have write access.
- MSI install log file that will be created (C:\dsa_install.log)
- Screenshot of the firewall "show state" command before and after the DSA installation:
netsh firewall> show state