Symantec Web Gateway - how to start using

Created: 24 Sep 2012 | 23 comments

Hi Guys,

Sorry for the dumb question in advance, but I could really do with some help.

I have installed Symantec Web Gateway Virtual Edition and I can log onto the Web Gateway using the IP I set up, but now I'm stuck. I am only using the management network, using the block port span/tap mode, and have entered my internal network gateway and subnet. I have blocked the websites Facebook and Twitter, but I can still access them through my network.

Why isn't it blocking them? Can anyone help please?


TSE-JDavis:

You need to have a router or switch with a span/tap port on it and wire this to the VM. The traffic has to pass through that switch for the Web Gateway to see it and send a block page to the client computer.

robertkwild:

Thanks, so I just enable port span/tap on the switch port that the SWG VM port is connected to?

Also, is there any other method, i.e. an inline or proxy setting, I could use to block pages instead of using port span/tap?

Thanks again for your help.

BenDC:

Keep in mind that neither Span/Tap mode nor inline mode will be able to block HTTPS traffic.

robertkwild:

Thanks, but to change the mode you need more than one network interface connected up. I'm trying to add the WAN and LAN networks so I can do proxy or proxy inline blocking, but I can't seem to get the LAN network on the Web Gateway. When I click to enable separate management and inline networks I then enter the inline IP address, and when I click to change the mode to block inline I then get the WAN network link up, but the LAN network is still down. Is there any way to get the LAN link activated?

TSE-JDavis:

The WAN port is not used in Proxy mode.

robertkwild:

How do I enable LAN mode though? I have another virtual NIC, so that's no problem.

robertkwild:

Basically, is there any other way to get SWG working without port tap/span? If so, how do I get it to work, i.e. which NICs do I have to enable, i.e. have up and running?

robertkwild:

OK, it's looking positive. I've got all 3 networks up and active, i.e. WAN, LAN and management, and I've selected inline monitoring mode. I have selected 2 websites to blacklist, but every time I log on to the 2 websites I get no log of it in the Web Gateway GUI. I have no idea what I am doing wrong?

BenDC:

Just having the network interfaces up on a VM doesn't mean the traffic is passing to/through the SWG.

When in inline mode the SWG needs to physically be between the workstations that you are monitoring and the internet. This can be tricky depending on the hardware your VM is on. The LAN port should have a connection from your top-level switch or the switch of your test network, then the WAN port should go to the firewall or router.

At the executive summary screen are the traffic counters and totals going up?

robertkwild:

No, the counters aren't incrementing. I have set up a policy to monitor all traffic, I have added the internal network to the config page, I have blacklisted 2 websites, and I have set the mode to inline monitor?

BenDC:

If the counters are not incrementing, the SWG is not getting any traffic.

For inline mode the SWG must be in between your clients and the internet, not simply on the same network.

robertkwild:

I have configured my SWG on an ESXi server with 3 virtual NICs connected to it. They are:

Server - which is the management port

Staff - which is the LAN port

WAN - which is the WAN port

And on the Web Gateway I have enabled separate management and inline networks and put the server IP address in the management network and the staff network as the inline IP address, which I believe is for both LAN and WAN.

TSE-JDavis:

This is a good start. You now need to physically place the SWG between your clients and the internet. This is typically done by plugging the WAN port into the Firewall and the LAN port into your core switch and making sure there is no way for the clients to bypass the SWG to get out to the internet.

BenDC:

You will need physical NICs for each of the virtual NICs. Then you would plug the switch into the LAN port and the firewall to the LAN port, and no other connection between the switch and firewall.

robertkwild:

But the inline management port says "LAN/WAN1 inline network", so doesn't it only accept one IP address for both LAN and WAN, or am I being stupid?

At the moment my LAN/WAN 1 inline network IP is on the staff network, i.e. I have given it a LAN IP.

BenDC:

I have attached the getting started guide and the manual. Even in a virtual installation the SWG MUST sit between the LAN and the Internet for the traffic to pass through it. It is not able to monitor traffic that is not passed to it; it does not pull traffic in to inspect.

The Symantec Web Gateway can inspect traffic if it is placed on a network even if it has a non-LAN IP address. When used in inline mode the Symantec Web Gateway is a transparent network bridge; the only time the IP address would matter would be for block pages and management, not inspection/monitoring.

To use the SWG in inline mode you must recable your network, not simply set an IP and expect it to work.

Attachments:
Symantec_Web_Gateway_5.0_Implementation_Guide_EN.pdf (2.55 MB)
Symantec_Web_Gateway_5.0_Getting_Started_Guide_EN.pdf (1.39 MB)

robertkwild:

Yeah, I've read the instructions and they're no help. I don't understand them, as I'm here asking the question. So what IP address do I put in the inline network?

TSE-JDavis:

The WAN port and LAN port have the same IP address, which is why you hook one up to your firewall and one up to your switch. Think of it like a water filter. The web traffic has to physically pass through the Web Gateway in order to be filtered, so you would need the Web Gateway to be placed as close to the internet as possible, just like the water filter would be placed as close to your water source as possible so all the water in your house is filtered by it.

The LAN and WAN ports don't even need an IP; that is optional. It acts as a pass-through device.

robertkwild:

It is in between the LAN network and the WAN, as they both say they're active, so theoretically the SWG is the filter between the WAN and the LAN. So why does it ask for an IP address for the inline network if it doesn't really need one?

TSE-JDavis:

It is best practice to put an IP address in.

robertkwild:

What IP address though, a WAN one or a LAN one? I tried to put it on the same range as my management IP but it wouldn't take it. Or should it be a DMZ address?

SMLatCST:

The reason you are being asked for an IP address for the LAN/WAN port is because you have chosen to use the "Proxy/Inline" mode. One of the prerequisites for enabling any of the Proxy modes is that you enable the "Separate Management and Inline Networks" option, and the prerequisite of this option is that they reside on different subnets (which is most likely why it's rejecting your attempted config).

If all you want to do is block web pages, then either the "Proxy only" or the "Span/Tap" operating modes will do the trick for you (note that while "Span/Tap" mode can block web sites/pages from loading, it can't block actual files from being downloaded). I'd personally avoid either of the "Inline" modes in a VM implementation of SWG.

For any VM implementation of the SWG you will need at least one additional dedicated physical NIC (more if you want to use one of the "Inline" modes). If you don't have a spare unused NIC on your VM host machine then you'll need to go and obtain one ;-)

As far as the configuration for each mode goes, the "Span/Tap" mode is (I find) the easier of the two, but it does require a managed switch and normally your network admins' help. The "Proxy Only" mode requires IP addresses on different subnets and configuring browsers to point at the SWG's WAN/LAN port's address (which is acting as the proxy server).

The details of the config are in the Implementation Guide, but the above info will hopefully give you an idea of how it fits in, and how I believe you'd most easily accomplish your task of blocking websites.

As an aside, you may wish to contact Symantec for referral to a Partner (such as ourselves) who may be able to aid you in setting the SWG up.

robertkwild:

Mmm, I called Symantec and they called me back and explained that SWG doesn't support VLAN tagging, and all our virtual machines use VLAN tags, so I'm afraid I have answered my own question. Damn.