Virtual Secure Web Gateway


Can SWG be configured to ignore internal traffic

  • 1.  Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 06:01 AM

    Morning All,

    I have configured a SWG 8450 within our network and have configured the system following the documentation provided a) with the product, b) through using the technical articles on the Symantec web site.

    I have noticed that the system is picking up all traffic within the internal network, which is something I want to have the system ignore (with only outbound traffic being picked up). Is this possible within the port/span configuration?

     

    Any help or guidance would be appreciated.

     

    Regards,
    Andy
     



  • 2.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 09:27 AM

    Have internal subnets been defined under Configuration -> Administration -> Network? If so does it include all the internal subnets used by your company?



  • 3.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 10:48 AM

    Under the network configuration tab in the configuration page, the subnets for the internal network have been configured. The subnets configured cover all of those used within the UK domain for the company.

     

    Andy



  • 4.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 11:05 AM

    Can you provide a screenshot of the report showing the internal traffic as well as the network configuration?



  • 5.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 11:26 AM

    Have attached two screenshots - the first showing the internal and external traffic being picked up; the second showing the network configuration for the system.



  • 6.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 11:37 AM

    I see IP address 10.250.254.248 (I think that is the IP; it is hard to see for sure on the screenshot as they have been scaled down), which does not have the range listed in the internal networks.

    It appears that you are using the application monitoring feature, which will see and report on the internal traffic. From your policy or policies, if you go to Application Control Categories and click the "Details All" button, you can change Directory and Authentication to Allow. This will no longer log those activities, which should only be occurring internally in the network anyways.
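An added example, not part of the reply above and not Symantec tooling: a quick offline check of whether addresses seen on the span port, such as the 10.250.254.248 quoted above, fall inside the defined internal subnets, and how each flow would then be classified. The subnet list and flows are constructed, since the thread's real network configuration exists only in a screenshot.

```python
import ipaddress

# Constructed internal subnet definitions (assumption, not the poster's real list).
INTERNAL_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]

# Constructed (source, destination) pairs as a span/tap port might deliver them.
SAMPLE_FLOWS = [
    ("10.10.4.17", "10.20.1.5"),          # internal host to internal server
    ("10.10.4.17", "93.184.216.34"),      # internal host to the internet
    ("10.250.254.248", "10.10.0.10"),     # address quoted in the thread
    ("10.250.254.248", "93.184.216.34"),
]


def parse_subnets(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(src, dst, nets):
    """Label a flow by which endpoints the subnet list covers."""
    s, d = is_internal(src, nets), is_internal(dst, nets)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"  # also what an uncovered internal source looks like
    return "external"


def uncovered_private_hosts(flows, nets):
    """Non-routable (private-range) addresses seen that no subnet covers."""
    seen = {ip for flow in flows for ip in flow}
    return sorted(
        ip for ip in seen
        if ipaddress.ip_address(ip).is_private and not is_internal(ip, nets)
    )


if __name__ == "__main__":
    nets = parse_subnets(INTERNAL_SUBNETS)
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {classify(src, dst, nets)}")
    print("not covered by any internal subnet:",
          uncovered_private_hosts(SAMPLE_FLOWS, nets))
```
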



  • 7.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 11:45 AM

    Hi, Apologies - have attached a better image of the network configuration page. Within the policies I have enabled the Directory and Authentication to Allow, but the traffic is still showing up. Puzzling.



  • 8.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 11:52 AM

    After making the policy changes did you click save and activate changes at the Policies:Configuration page?

    Are the numbers in the report still increasing or holding steady?



  • 9.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 12:11 PM

    The policy has been in place for some time now and yes the policy was activated. However I have altered the priority of a policy in terms of the nesting capabilities in order to test the one policy affecting the whole company, and not just a sub group (Active Directory OU).

    Hopefully this will give a clearer picture of the traffic flow.



  • 10.  RE: Can SWG be configured to ignore internal traffic

    Posted Nov 30, 2011 12:51 PM

    If any of the policies still have it set to monitor, it will still show up for any users/systems that it applies to. So you may need to switch it to monitor in all the policies to have it stop altogether.



  • 11.  RE: Can SWG be configured to ignore internal traffic

    Posted Dec 01, 2011 10:15 AM

    The policies are set to either allow or block for Application Control Categories, so I would naturally assume that they would not appear in the logs unless the block rule was initiated.

    Does anyone know of any other setting/configuration item which may need to be set to ensure that all non-pertinent internal traffic is logged (unless picked up by the blocking rules)?

     

    Many thanks,


    Andy



  • 12.  RE: Can SWG be configured to ignore internal traffic

    Posted Dec 01, 2011 10:52 AM

    Hi,

    I guess that in tap mode SWG is going to see as much as the tap port will forward to SWG.

    If the ports of the switch are "seeing" internal traffic, a copy of each of those packets will be replicated into the tap so from the SWG configuration I cannot see a way to hide that but maybe I'm wrong.

    Federico

     

     

     



  • 13.  RE: Can SWG be configured to ignore internal traffic

    Broadcom Employee
    Posted Dec 02, 2011 04:36 PM

    You may have the Web Gateway in the wrong place. It should be placed on the switch closest to the firewall to avoid all of this traffic hitting the Web Gateway.