
SEP Firewall "Did You Know...?" - How To Monitor Web Traffic

Created: 26 Nov 2013 • Updated: 27 Nov 2013 | 11 comments
ℬrίαη's picture

Did you know that it IS possible to monitor web traffic using the SEP firewall? In this article, I will show you how to monitor web traffic using the SEP firewall.

Before we get started there are a couple of things you should be aware of:

  1. While the SEP firewall can handle this task, Symantec Web Gateway is a better fit if you need to do this permanently
  2. Monitoring web traffic will not work correctly if your web traffic goes through a proxy server. SEP cannot differentiate between proxied and non-proxied traffic. This is another reason why SWG works better for this task.

With that in mind, let's get started.

Request: Monitor web traffic (port 80 and 443)

Solution: Configure the SEP Firewall to handle this task

The first step is to create a new network service for 80/443 traffic.

Log in to your SEPM and navigate to Policies >> Policy Components and highlight Network Services. Under Tasks click Add a Network Service...

Type in a Service Name (Web Traffic) and click Add...

Leave the Protocol at TCP and add 80,443 in the Remote Port line. Click OK.

You should see the following:


Once that is created, we can move on to adding a rule to the SEP firewall to monitor the traffic.

Go into the Policies page and highlight the Firewall policy. Add a Firewall policy and give it a name (Monitor Web Traffic).

Click Add Rule...

Give the rule a name (Log_Web_Traffic).

Select the radio button for Allow Connections.

Select the radio button for Only the applications listed below: and click Add...

Enter iexplore.exe in the File Name field and click OK. You can add more browser names if you wish.


Click Next.

Leave the radio button checked for Any computer or site. Click Next.

Now, we need to select our newly created network service. Check the radio button for Only the communications selected below:

Put a check in the Web Traffic box and click Next:


Select the radio button for Yes to create a log entry when the rule is matched. Click Finish and make sure the new rule is at the top of the stack. Assign the new policy to the groups you want to monitor traffic on and ensure the clients get the new policy.

Once clients start browsing, you can verify the rule is working by checking the logs on the SEPM. Under Monitors, set Log type to Network Threat Protection and Log content to Traffic. Edit any advanced settings that you want and click View Log.

You will get a log similar to the below screenshot:


You will likely need to highlight one of the lines and select Details to get a more granular view. Here we get a better view:


So there you have it: monitoring web traffic using the SEP firewall. It's really just a quick and dirty way to do it if you need something temporarily. Hopefully this has been helpful for you.
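To make the rule semantics and the proxy caveat concrete, here is an added example (not part of the original article and not SEP's own matching engine): a small model of the Log_Web_Traffic rule built above, run over constructed connection records, first directly and then with the browser pointed at an explicit proxy. The proxy address, ports and sample IPs are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the rule built in the article: TCP to remote ports
# 80/443 from the listed browser processes, allow + log.  This re-implements
# the rule's logic for illustration only; it is not SEP's firewall engine.
RULE = {
    "name": "Log_Web_Traffic",
    "action": "allow",
    "log": True,
    "applications": {"iexplore.exe"},   # add more browser names as the article notes
    "protocol": "TCP",
    "remote_ports": {80, 443},          # the "Web Traffic" network service
}

@dataclass
class Connection:
    """One outbound connection as a host firewall sees it (constructed)."""
    app: str
    protocol: str
    remote_ip: str
    remote_port: int

def matches(rule: dict, conn: Connection) -> bool:
    """Application, protocol and remote port must all match the rule."""
    return (conn.app.lower() in rule["applications"]
            and conn.protocol == rule["protocol"]
            and conn.remote_port in rule["remote_ports"])

def log_entry(rule: dict, conn: Connection) -> Optional[dict]:
    """Return the traffic-log record the rule would produce, or None."""
    if matches(rule, conn) and rule["log"]:
        return {"rule": rule["name"], "action": rule["action"], "app": conn.app,
                "remote": f"{conn.remote_ip}:{conn.remote_port}"}
    return None

def via_proxy(conn: Connection, proxy_ip: str, proxy_port: int) -> Connection:
    """With an explicit proxy the socket goes to the proxy, so the host
    firewall never sees the real site: every remote becomes the proxy."""
    return Connection(conn.app, conn.protocol, proxy_ip, proxy_port)

def simulate(conns: List[Connection], proxy: Optional[Tuple[str, int]] = None) -> List[dict]:
    entries = []
    for c in conns:
        if proxy:
            c = via_proxy(c, *proxy)
        e = log_entry(RULE, c)
        if e:
            entries.append(e)
    return entries

# Constructed sample browsing from one client (documentation-range IPs).
SAMPLE = [
    Connection("iexplore.exe", "TCP", "203.0.113.10", 80),
    Connection("iexplore.exe", "TCP", "198.51.100.7", 443),
    Connection("outlook.exe", "TCP", "192.0.2.25", 443),     # not a listed browser
    Connection("iexplore.exe", "UDP", "203.0.113.10", 443),  # not TCP
]
```

Running `simulate(SAMPLE)` logs the two real destinations; with a proxy on port 80 every entry shows only the proxy address, and with a proxy on a port outside 80/443 nothing is logged at all, which is the behaviour the proxy caveat describes.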

Comments (11)

batuhancalin's picture

Very nice Brian thank you.

Mick2009's picture

Another excellent article, Brian!

These how-to's can provide a few extra details....

Editing a policy

Adding network services

Adding network services to a rule

Also, one note: these web monitoring logs can (and will, especially if the policy is applied to a large organization) result in a good deal of extra network bandwidth consumed between the SEP clients and the SEPM. It will also mean that the SEPM has to store (and process) a lot of extra information in its database. There will be a performance hit.

SEPM: poor database performance 

Like Brian says, above, it really is recommended to use SWG or another similar tool rather than SEP for this task.

With thanks and best regards,


AjinBabu's picture

Nice one Brian,

Ch@gGynelL_12's picture

Great Article. Truly helps. Thanks for posting.

BalaP's picture

Good article..

Simon Eng's picture


Thanks for the great article.

Could you possibly show us how we can forward the SEP log to Symantec SIEM?

ℬrίαη's picture

Actually, the Symantec SIM has a collector which plugs right into the SEPM database so there is nothing that needs to be done from the SEPM side.

Click the "Mark as solution" link at bottom left on the post that best answers your question. This benefits admins looking for a solution to the same problem.

Chetan Savade's picture

Nice job Brian.

Chetan Savade
Sr. Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mohammad Altaf Khan's picture

How can we monitor the web traffic which is going through a proxy server?

I created the same rule as above but it only shows the proxy server.

ℬrίαη's picture

Yep, SEP is not proxy aware and cannot tell the difference between proxied and non-proxied traffic. This is a limitation.