Logging Websites Visited

Created: 05 Mar 2013 • Updated: 05 Mar 2013 | 9 comments

Running Symantec End Point Protection Small Business Edition 12.1

I am trying to set up a firewall rule in my policy to log when users visit websites. Here is what I have done so far.

I created a rule, allowed it and assigned the protocol to HTTP. I set it to log and then assigned the new policy to my computers. I logged into a few PCs and visited some websites, then returned to the management console and went to Monitor / Logs / Network Threat Protection and chose Traffic, but I do not see any entries. Am I looking in the right place for these logs?

I also added the application of iexplorer.exe to the rule but still with no success. Any help would be greatly appreciated.

.Brian

Are the entries being generated on the SEP client? Check the traffic log for this?

In the SEPM, check to make sure the logs are being sent to the SEPM. Go to the Clients tab >> Select the group with the PCs in that you created the rule for >> Click the Policies tab at the top >> on the right side under Settings, click on Client Log Settings. Make sure the box "upload to management server" is checked under the Traffic log.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

YVNS

I can see a couple of logs for blocked UDP traffic but nothing for the allowed HTTP traffic.

When I log into the SEPM I don't see a Clients tab; I have HOME / MONITORS / REPORTS / POLICIES / ADMIN / SUPPORT tabs.

.Brian

Ahh I didn't catch that you were on SBE so you won't have a Clients tab. It is a limitation in SBE as compared to the Enterprise version.

If you don't see this in the traffic log, then the rule may be incorrectly configured or logging is not set.

Are you able to post a screenshot of the rule?

YVNS

Please see attached for screenshot.

Attachment: Firewall Rule WebLog.pptx (154.77 KB)

.Brian

That looks right. Unfortunately, I don't know SBE very well though. Have you checked other logs to see if it is showing up there?

What if you re-create the rule but set it up for port 80 and 443 as opposed to allowing the service?

Also, just to be clear you're not using a proxy server which may use another port for HTTP traffic?

YVNS

No proxy server. I'll try to modify the rule with the port numbers and see if that helps. I have checked other logs and don't see anything coming through.

.Brian

Did you confirm the clients have the latest policy by comparing to what is in the SEPM? Maybe they didn't get it yet? Not sure what your heartbeat is set to though...

Rafeeq

All the clients have network threat protection installed and rebooted?

Chetan Savade

Hi,

I doubt you can find out the hostname of accessed/blocked websites at remote machines.

I think Symantec mail gateway product might have this feature.

About Computer Status reports and logs

http://www.symantec.com/docs/TECH95541

About Network Threat Protection reports and logs

http://www.symantec.com/docs/TECH95542

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.