
SEP Firewall "Did You Know...?" - How To Monitor Web Traffic

Created: 26 Nov 2013 • Updated: 27 Nov 2013 | 9 comments
_Brian's picture

Did you know that it IS possible to monitor web traffic using the SEP firewall? In this article, I will show you how to monitor web traffic using the SEP firewall.

Before we get started there are a couple of things you should be aware of:

  1. While the SEP firewall can handle this task, Symantec Web Gateway is a better fit if you need to do this permanently
  2. Monitoring web traffic will not work correctly if your web traffic goes through a proxy server. SEP cannot differentiate between proxied and non-proxied traffic. This is another reason why SWG works better for this task.

With that in mind, let's get started.

Request: Monitor web traffic (port 80 and 443)

Solution: Configure the SEP Firewall to handle this task

The first step is to create a new network service for 80/443 traffic.

Log in to your SEPM and navigate to Policies >> Policy Components and highlight Network Services. Under Tasks click Add a Network Service...

Type in a Service Name (Web Traffic) and click Add...

Leave the Protocol at TCP and add 80,443 in the Remote Port line. Click OK.

You should see the following:

[Screenshot 1_9.JPG: the new Web Traffic network service]

Once that is created, we can move on to adding a rule to the SEP firewall to monitor the traffic.

Go into the Policies page and highlight the Firewall policy. Add a Firewall policy and give it a name (Monitor Web Traffic)

Click Add Rule...

Give the rule a name (Log_Web_Traffic)

Select the radio button for Allow Connections

Select the radio button for Only the applications listed below: and click Add...

Enter iexplore.exe in the File Name field and click OK. You can add more browser names if you wish.

[Screenshot 2_9.JPG: the rule's application list with iexplore.exe]

Click Next

Leave the radio button checked for Any computer or site. Click Next

Now, we need to select our newly created network service. Check the radio button for Only the communications selected below:

Put a check in the Web Traffic box and click Next:

[Screenshot 3_9.JPG: the Web Traffic service selected for the rule]

Select the radio button for Yes to create a log entry when the rule is matched. Click Finish and make sure the new rule is at the top of the stack. Assign the new policy to the groups you want to monitor traffic on and ensure the clients get the new policy.

Once clients start browsing, you can verify the rule is working by checking the logs on the SEPM. Go to Monitors, set Log type to Network Threat Protection and set Log content to Traffic. Edit any advanced settings that you want and click View Log.

You will get a log similar to the below screenshot:

[Screenshot 4_5.JPG: the Network Threat Protection traffic log in the SEPM]

You will likely need to highlight one of the lines and select Details to get more granular. Here we get a better view:

[Screenshot 5_5.JPG: the Details view of a single traffic log entry]
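To make clear why the rule has to sit at the top of the stack and which browsing ends up in the log, here is a small model of the rule set built above, run over constructed sample connections. This is an added example, not Symantec code: the first-match semantics, the simplified rule/connection fields and the log entry layout are assumptions for illustration, and the hosts and applications are made up. It also models the proxy caveat from the start of the article: a connection to an explicit proxy on port 8080 never matches the 80/443 service, so nothing is logged for it.

```python
"""Model of a first-match firewall rule stack like the one configured in the article.

Added example, not Symantec code. Rule semantics (first match wins, application
and port filters, optional logging), the record fields and the log entry layout
are simplified assumptions; all traffic records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetworkService:
    name: str
    protocol: str
    remote_ports: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "block"
    applications: Optional[frozenset] = None  # None = any application
    services: Optional[tuple] = None          # None = any communication
    log: bool = False                         # "create a log entry when the rule is matched"


@dataclass(frozen=True)
class Connection:
    application: str
    protocol: str
    remote_host: str
    remote_port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """A rule matches when its application filter and its service filter both pass."""
    if rule.applications is not None and conn.application.lower() not in rule.applications:
        return False
    if rule.services is not None:
        return any(svc.protocol == conn.protocol and conn.remote_port in svc.remote_ports
                   for svc in rule.services)
    return True


def evaluate(rules, conn: Connection):
    """Walk the stack top to bottom; the first matching rule decides the action
    and, only if that rule has logging on, produces a log entry."""
    for rule in rules:
        if rule_matches(rule, conn):
            entry = None
            if rule.log:
                entry = {"rule": rule.name, "application": conn.application,
                         "remote_host": conn.remote_host, "remote_port": conn.remote_port,
                         "action": rule.action}
            return rule.action, entry
    return "allow", None  # assumed default when no rule matches


def run(rules, traffic):
    """Return the log entries the stack would produce for a list of connections."""
    entries = []
    for conn in traffic:
        _, entry = evaluate(rules, conn)
        if entry is not None:
            entries.append(entry)
    return entries


# The objects created in the article: the 80/443 service and the logging allow rule.
WEB_TRAFFIC = NetworkService("Web Traffic", "TCP", frozenset({80, 443}))
LOG_WEB = Rule("Log_Web_Traffic", "allow", applications=frozenset({"iexplore.exe"}),
               services=(WEB_TRAFFIC,), log=True)
# A broad allow rule of the kind typically found further down a stack (assumed).
ALLOW_ALL = Rule("Allow_All", "allow")

# Constructed sample connections (hosts are documentation addresses).
SAMPLE_TRAFFIC = [
    Connection("iexplore.exe", "TCP", "203.0.113.10", 80),
    Connection("iexplore.exe", "TCP", "203.0.113.20", 443),
    Connection("outlook.exe", "TCP", "203.0.113.30", 443),  # not a listed browser: allowed, not logged
    Connection("iexplore.exe", "TCP", "10.0.0.5", 8080),    # browsing via an explicit proxy: no 80/443 match
]


def logged_hosts(rules, traffic=SAMPLE_TRAFFIC):
    """Remote hosts that would appear in the SEPM traffic log for this stack order."""
    return [entry["remote_host"] for entry in run(rules, traffic)]


if __name__ == "__main__":
    print("rule at top   :", logged_hosts([LOG_WEB, ALLOW_ALL]))
    print("rule below    :", logged_hosts([ALLOW_ALL, LOG_WEB]))
```

With Log_Web_Traffic on top, the two direct browser connections on 80 and 443 are logged and the Outlook and proxied connections are not. With Allow_All above it, Allow_All matches everything first and the log stays empty, which is exactly the failure you see when the new rule is left below an existing allow rule.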

So there you have it. Monitoring web traffic using the SEP firewall. It's really just a quick and dirty way to do it if you need something temporarily. Hopefully this has been helpful for you.


Comments (9)

batuhancalin's picture

Very nice Brian thank you.

Mick2009's picture

Another excellent article, Brian!

These how-to's can provide a few extra details....

Editing a policy
http://www.symantec.com/docs/HOWTO18054

Adding network services
http://www.symantec.com/docs/HOWTO18291

Adding network services to a rule
http://www.symantec.com/docs/HOWTO18289

Also, one note: these web monitoring logs can (and will, especially if the policy is applied to a large organization) result in a good deal of extra network bandwidth consumed between the SEP clients and the SEPM. It will also mean that the SEPM has to store (and process) a lot of extra information into its database. There will be a performance hit.

SEPM: poor database performance
http://www.symantec.com/docs/TECH155046

Like Brian says, above, it really is recommended to use SWG or another similar tool rather than SEP for this task.


With thanks and best regards,

Mick

AjinBabu's picture

Nice one Brian,

Thanks

Ajin

Ch@gGynelL_12's picture

Great Article. Truly helps. Thanks for posting.

Simon Eng's picture

Hi,

Thanks for the great article.

Possible show us how we can forward the SEP log to Symantec SIEM?

Regards.

_Brian's picture

Actually, the Symantec SIM has a collector which plugs right into the SEPM database so there is nothing that needs to be done from the SEPM side.

Chetan Savade's picture

Nice job Brian.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
