Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrade.
Please accept our apologies in advance for any inconvenience this might cause.

SWG in span/tap mode : blocking policy doesn't work

Created: 16 Jan 2013 • Updated: 01 Feb 2013 | 6 comments
mse_acos's picture
This issue has been solved. See solution.

Hi,

 

I have a SWG virtual edition in span/tap mode, and the monitoring mode works perfectly.

My network configuration : Management card & Monitoring card, in span/tap mode.

 

I have modified my configuration in blocking mode, and also configured my default policy to block some categories.

My users still can reach the websites in this category, they don't get a page telling them those websites are forbidden. When I check the Web destinations menu, I can see the action taken by SWG is blocked instead of monitored (which is correct).

 

I see that in the span/tap mode network configuration, I have the possibiliy to add the LAN adapter to my configuration. Do I have to do this in order to use the blocking mode? Or do you have any idea why I can't use this mode?

 

Thank you in advance, and best regards,

 

Mathieu

Comments 6 CommentsJump to latest comment

SMLatCST's picture

How is your network setup?  Are your users on the same subnet as your SWG, or are you able to test from a machine on the same subnet as the SWG?

mse_acos's picture

Yes, users are on the same subnet than the Management card. I never had to configure the IP address on the monitoring card, which is connected on the switch in span/tap mode.

mse_acos's picture

No, I'll check my switch configuration and I'll be back after. Thank you!

 

yang_zhang's picture

You need to change the mode of your SWG into Inline mode. The block action doesn't work under a SPAN/TAP mode.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
SMLatCST's picture

Blocking works fine in span/tap mode for web pages.  Doesn't work for AV scan file downloads though.  I'd recommend checking out the below article for what can/cannot be blocked in the various SWG modes:

http://www.symantec.com/docs/HOWTO54160