Endpoint Protection

  • 1.  SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 09:44 PM

    Dear guys,

    After I upgraded to SEPM 12RU5, the network team monitoring the firewall sees too many concurrent connections from clients to the SEPM, all on port 8014 (see my picture).

    Which logs can I turn off uploading from client to SEPM? Like the traffic log, packet log, control log, application log, or clearing the check box "let client upload critical event immediately" (I think this is a new option in SEPM RU5 that was enabled by default)... Is that good or not?



  • 2.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 09:46 PM

    Is this causing some sort of issue? If it isn't, I don't see what the problem is. How many clients do you have?

    Clients are always going to be communicating with the SEPM so I wouldn't recommend turning off logging as you will lose valuable info. Yea, you can turn off all those logs if you wish though.

    You can set a longer heartbeat if you wish but clients still need to check in.

    BTW, you may want to re-consider posting your internal networking info. You're giving away quite a bit of detail there to outsiders....



  • 3.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 10:00 PM

    Dear Brian,

    Before the upgrade to SEP RU5, there was no problem with connections on the firewall. I have more than 8000 clients and more than 400 branches, and each branch has 2 GUPs. I think some option was enabled by default in SEPM RU5 (but I don't know where), so I think the problem is clients uploading logs. Can you tell me the process of uploading logs: is it immediate or based on the heartbeat? And the option "let client upload critical event immediately" is new in this version, because in the old version I don't have this option (correct me if I'm wrong).



  • 4.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 10:08 PM

    Yes, uploading critical events immediately is a new feature in 12.1.5. You can disable this if you wish.

    But again, is this actually causing a problem? Performance issue, bandwidth?

    Aside from uploading events immediately, every other upload of logs is based on the heartbeat setting.



  • 5.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 10:23 PM

    Yes, too many problems.

    The first is bandwidth: it consumes too much bandwidth, so I think that is why SEP 12RU5 has a bandwidth limit mode. So now I have configured 40KB for 1 connection in each branch.

    The second is firewall performance: it accepts too many connections. Now I am trying to turn off uploading of unimportant logs and increase the heartbeat to 3 hours (old setting is 1 hour).

    Any recommendations, Brian?



  • 6.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 10:32 PM

    Well the other thing you can do is leave that checked for uploading critical events immediately and set the heartbeat out longer (default is 4 hours). Or you can do both. You may need to test this a bit to get what you need.

    And yes, use the new bandwidth control apache module for 12.1.5. Sounds like you're already doing that.



  • 7.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 16, 2014 11:12 PM

    Yes, BW control makes me crazy, haha, but it is very useful. Why doesn't Symantec notify which options are new in a build when a new RU is released? Sometimes it makes me crazy to find out...



  • 8.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 17, 2014 02:43 AM

    Dear,

    The network team says the connections are still high, affecting firewall performance. Any recommendations, please?



  • 9.  RE: SEP 12RU5 too much concurrent connection

    Posted Dec 18, 2014 12:37 PM

    If you are using Pull mode (as I think) and heartbeat is at 3 hours, I don't think this traffic has something to do with the "normal" communication.

    Perhaps something is wrong on the SEPM. E.g., while the SEPM is building the client's delta files, the clients are in an accelerated heartbeat of 1 minute to check when the SEPM is ready.

    Just a guess, but perhaps the SEPM is not able to finish the building of definition files, and the clients are waiting in an infinite loop.

    Please check if the SEPM has current definitions and the clients are properly updating. If there is some issue, the definitions on the SEPM may be corrupted.
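
One way to test the accelerated-heartbeat hypothesis from the last reply, as an added example that is not part of the thread: compute each client's median interval between connections to the SEPM on port 8014 and flag clients checking in far more often than the configured 3-hour heartbeat. The record format (`timestamp client_ip`), the sample data and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample, one "timestamp client_ip" record per connection to port 8014.
# Assumed format: export equivalent records from the firewall or web server log.
SAMPLE = """\
2014-12-18T09:00:00 192.0.2.10
2014-12-18T09:01:02 192.0.2.10
2014-12-18T09:02:01 192.0.2.10
2014-12-18T09:03:00 192.0.2.10
2014-12-18T09:04:03 192.0.2.10
2014-12-18T06:00:00 192.0.2.20
2014-12-18T09:00:05 192.0.2.20
2014-12-18T12:00:02 192.0.2.20
2014-12-18T09:30:00 192.0.2.30
"""

def checkin_intervals(text):
    """Return {client_ip: median seconds between consecutive connections}."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        try:
            seen[parts[1]].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip records with an unparseable timestamp
    result = {}
    for ip, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:  # a single connection gives no interval to judge
            result[ip] = median(gaps)
    return result

def fast_clients(text, heartbeat_s=3 * 3600, factor=0.1):
    """Clients whose median interval is below factor * configured heartbeat."""
    limit = heartbeat_s * factor
    return sorted(ip for ip, gap in checkin_intervals(text).items() if gap < limit)

if __name__ == "__main__":
    for ip, gap in sorted(checkin_intervals(SAMPLE).items()):
        print(f"{ip}: median {gap:.0f}s between connections")
    print("checking in far faster than heartbeat:", fast_clients(SAMPLE))
```

The median is used so that an occasional immediate upload of a critical event between heartbeats does not flag a client that otherwise checks in on schedule.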