Did you know that it IS possible to monitor web traffic using the SEP firewall? In this article, I will show you how to monitor web traffic using the SEP firewall.
Before we get started there are a couple of things you should be aware of:
- While the SEP firewall can handle this task, Symantec Web Gateway is a better fit if you need to do this permanently
- Monitoring web traffic will not work correctly if your web traffic goes through a proxy server. SEP cannot differetiate between proxied and non-proxied traffic. Another reason why SWG works better for this task.
With that in mind, let's get started.
Request: Monitor web traffic (port 80 and 443)
Solution: Configure the SEP Firewall to handle this task
The first step is to create a new network service for 80/44 traffic
Login to you SEPM and navigate to Policies >> Policy Components and highlight Networks Services. Under Tasks click Add a Network Service...
Type in a Service Name (Web Traffic) and click Add...
Leave the Protocol at TCP and add 80,443 in the Remote Port line. Click OK
You should see the following:
One that is created, we can move on to adding a rule to the SEP firewall to monitor the traffic
Go into the Policies page and highlight the Firewall policy. Add a Firewall policy and give it a name (Monitor Web Traffic)
Click Add Rule...
Give the rule a name (Log_Web_Traffic)
Select the radio button for Allow Connections
Select the radio button for Only the applications listed below: and click Add...
Enter iexplore.exe in the File Name field and click OK. You can add more browser names if you wish.
Leave the radio button checked for Any computer or site. Click Next
Now, we need to select our newly created network service. Check the radio button for Only the communications selected below:
Put a check in the Web Traffic box and click Next:
Select the radio for Yes to create a log entry when the rule is matched. Click Finish and make sure the new rule is at the top of the stack.A ssign the new policy to the groups you want to monitor traffic on and ensure the clients get the new policy.
Once clients start browsing, you can verify the rule is working by checking the logs on the SEPM. Monitors >> set Log type to Network Threat Protection, set Log content to Traffic. Edit any advanced settings that you want and click View Log
You will get a log similar to the below screenshot:
You will likely need to highlight one of the lines and select Details to get more granular. Here we get a better view:
So there you have it. Monitoring web traffic using the SEP firewall. It's really just a quick and dirty way to do it if you need something temporarily. Hopefully this has been helpful for you.