Endpoint Protection

Looking for information about several topics, all related.

We have excessively high traffic on our SonicWall's outbound X0 WAN port.

We suspect it may be SEPM updating many clients during the morning hours because this excessive traffic drops off in the PM.

Our SonicWall's ViewPoint shows huge web traffic to our SEP server.

1) How much bandwidth do the updates require per computer?? -- just LiveUpdate definitions etc., NO product updates (e.g. upgrades etc.)

2) What is the current KB article for setting up Group Update Providers in 12.x version??

We did NOT have this bandwidth etc. problem with 11.x or earlier versions of SEP...

3) What other settings could be reviewed to ensure that SEP/SEPM does not eat excessive bandwidth??

4) Any suggestions on how/what to monitor SEP bandwidth usage??

Thank you, Tom

Check if you have added any package in the client autoupgrade. thats causes traffic

Use this tool

http://www.symantec.com/business/support/index?page=content&id=TECH156558

Hi,

Check this article

Which Communication Ports does Symantec Endpoint Protection 11.0 use?

http://www.symantec.com/business/support/index?page=content&id=TECH102416

You are guessing SEPM is using bandwidth, but if all the clients are within LAN then there would be less posibility clients are taking bandwidht usage. Only if clients are requesting full.zip then there would be possibility.

Sylink monitor logs can tell us what clients are requesting.

If you have WAN connectivity then you will have to check GUP connectivity & GUP clients logs.

 

 

My question was a request for info on HOW to establish GUPs for 12.x version (both 12.x and 11.x clients are in use)...I have no way to know if the procedure varies according to what version SEPM we have, our current SEPM is 12.x.

Looking at the ports list it appears I should try to check port 8014 since we have 11.x MR3 and later clients.

Most of our clients are in other buildings, over VPN connections.

We do not use client auto-upgrade.

How large *are* the daily LiveUpdate files??

Thank you, Tom

How/where can these Sylink monitor logs be found??

Thank you, Tom

Check the explaination from Paul

https://www-secure.symantec.com/connect/forums/endpoint-protection-11-definition-update-size

Hi,

You are using VPN connection for other building.

Could you please elaborate your scenerio ? how many clients do you have in each location ? are you configuring thorugh Single SEPM ? Is there any GUP configured previosly ?

GUP configuration is same for both SEP 11.x (RU5 later ) and SEP 12.1

New features and functionality in Symantec Endpoint Protection Release Update 5 (SEP RU 5) Group Update Provider (GUP)

http://www.symantec.com/business/support/index?page=content&id=TECH96417&locale=en_US

How to confirm if Clients are receiving LiveUpdate content from Group Update Providers (GUPs)

http://www.symantec.com/business/support/index?page=content&id=TECH97190&locale=en_US

As you said earlier few clients are on MR3, it's always good practice to have both SEPM and SEP clients on same version.

Daily liveupdate files are in  few Mega bytes.

Hi,

Check this

http://www.symantec.com/business/support/index?page=content&id=TECH103369

3) What other settings could be reviewed to ensure that SEP/SEPM does not eat excessive bandwidth??

Save as many content revisions as possible. The more content revisions you have, the bigger is the probability that the clients/GUPs will just pull a very small delta file--and not a full download (about 140 MB).

Symantec will send about three LU packages per day. If you want to cover a complete week, you have to store 21 content revisions. Of course, if you choose to get only one package per day, you only need to save 7 revisions.

SEPM console:

Admin > Server > Local Site > Site Properties > LiveUpdate

4) Any suggestions on how/what to monitor SEP bandwidth usage??

The SEP Content Distribution Monitor tool (see Rafeeq's first post) was updated to 12.1:

http://www.symantec.com/connect/downloads/new-sep-content-distribution-monitor-gup-health-checking

its mostly on KB's , however it al depends on the signature that is been include on that day. SEP releases 3 definition daily, which is in KBs.

Using IIS Logs you can understand which client downloaded what and what was the size. Since clients are connecting from VPN so the traffic will hit your Sonicwall. Also on the VPN network how many GUPs do you have and have you configured the bandwidth setting for GUPs

Hi,

I have found this article which you have asked for couple of time

How much bandwidth is used by a SEP Client in One day ?

https://www-secure.symantec.com/connect/forums/sep-12x-bandwidth-and-gup-questions