Symantec 12 traffic

I am working on a network that runs a SEP 12 console. Remote clients connect into the console for policy changes, log uploads and virus definitions. I can see lots of port 8014 traffic, but how do I know whether this traffic relates to the definition downloads or to the log files? I want to separate out the two so I have a clear view of exactly how much data is crossing the link.
Sid_F asked:
btan (Exec Consultant) commented:
See the GUP configuration:
To configure a single Group Update Provider

In the Group Update Provider dialog box, under Group Update Provider Selection for Client, click Single Group Update Provider IP address or host name....
When you configure an explicit list of Group Update Providers, you can specify that Symantec Endpoint Protection clients with IP addresses that fall on a particular subnet should use a particular Group Update Provider. Note that a client may have multiple IP addresses and that Symantec Endpoint Protection considers all of its IP addresses when it matches the Group Update Provider to use. So, the IP address that the policy matches to is not necessarily bound to the interface that the client uses to communicate with the Group Update Provider.

For example, suppose that a client has IP address A, which it uses to communicate with the Symantec Endpoint Protection Manager and with the Group Update Provider. This same client also has IP address B, which is the one that matches the Explicit Group Update Provider that you have configured in the LiveUpdate Settings policy for this client. The client can choose to use a Group Update Provider based on the address B, even though that is not the address that it uses to communicate with the Group Update Provider.
http://www.symantec.com/business/support/index?page=content&id=HOWTO80900
To search for the clients that act as Group Update Providers, follow these steps:

In the console, click Clients.
On the Clients page, on the Clients tab, in the View box, select Client status.
In the Tasks pane, click Search Clients.
In the Find box, select Computers.
In the In Group box, specify the group name.
Under Search Criteria, in the Search Field column, select Group Update Provider.
Under Search Criteria, in the Comparison Operator column, select =.
Under Search Criteria, in the Value column, select True. Click Help for information on the search criteria.
Click Search.
http://www.symantec.com/business/support/index?page=content&id=TECH96419
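The multi-address matching caveat described in the post above, as an added illustration that is not Symantec's code: the rule format, the subnets, the GUP host names and the "first rule that matches any client address wins" precedence are all assumptions made for this example, not SEPM's documented behaviour.

```python
# Added example: how an explicit Group Update Provider list matches a client
# that owns several IP addresses. Not Symantec code; rule format, values and
# precedence are assumptions for illustration only.
from ipaddress import ip_address, ip_network

# Constructed explicit-GUP rules: (subnet, GUP host), in policy order.
GUP_RULES = [
    ("10.1.0.0/16", "gup-hq.example.local"),
    ("192.168.50.0/24", "gup-branch.example.local"),
]


def select_gup(client_addresses, rules=GUP_RULES):
    """Return the GUP host for a client, considering every address it owns.

    Mirrors the caveat in the article: the address that satisfies a rule
    need not be the one the client actually uses to reach SEPM or the GUP.
    Returns None when no address falls in any configured subnet.
    """
    addresses = [ip_address(a) for a in client_addresses]
    for subnet, gup in rules:
        net = ip_network(subnet)
        if any(addr in net for addr in addresses):
            return gup
    return None


def matched_address(client_addresses, rules=GUP_RULES):
    """Return (address, gup) for the client address that triggered the match.

    Useful when troubleshooting why a client picked an unexpected GUP.
    """
    for subnet, gup in rules:
        net = ip_network(subnet)
        for a in client_addresses:
            if ip_address(a) in net:
                return a, gup
    return None


if __name__ == "__main__":
    # Address A (172.16.4.20) is what the client uses for SEPM/GUP traffic;
    # address B (192.168.50.7) is a second interface that matches the branch rule.
    client = ["172.16.4.20", "192.168.50.7"]
    print(select_gup(client))           # gup-branch.example.local
    print(matched_address(client))      # ('192.168.50.7', 'gup-branch.example.local')
    print(select_gup(["172.16.4.21"]))  # None: no rule matches, client falls back
```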
btan (Exec Consultant) commented:
You can check the client activity log, e.g. go to Monitors > Logs > Log type=System > Log content=Client Activity; there should be an event type column in the listing.
- See "How can we check which content SEP 12.1 clients are downloading from GUP?"
http://www.symantec.com/connect/articles/how-can-we-check-which-content-sep-121-clients-are-downloading-gup

Or even have the GUP Monitor configured.
See http://www.symantec.com/connect/forums/how-identify-if-gup-getting-updates-sepm

In case of client troubleshooting for the heavy traffic, see "Troubleshooting Client Communication":
http://www.symantec.com/connect/articles/troubleshooting-client-commuincation

But do note that on the client machine there can be more logs in the default path, such as C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Logs\AV, which depends on the log rotation and retention configured in the SEP client's settings (e.g. Clients > My Company > Policies tab > Client Log Settings). You may see discrepancies between the SEPM and client logs, as the retention period at each is not really in sync per se. SEPM tends to be shorter since it is seeing most clients. See this:
Insufficient log retention settings to accomplish a 60 day report.

By default, a SEPM is configured to hold 10,000 entries of System Client-Server Activity logs. Depending on the amount of activity on a set of clients and the number of clients attached to a SEPM, this limit may not be large enough to hold 60 days of data.
http://www.symantec.com/business/support/index?page=content&id=TECH184978
Sid_F (Author) commented:
Thanks, just a few queries on the GUP end, and please excuse my ignorance on some of this!

If a client is configured for a GUP, does it scan its local network, or does it need to be told the IP of the GUP?
Can a client be configured to look for a GUP first and then go externally to Symantec for its updates if it doesn't find the GUP?

Thanks
Sid_F (Author) commented:
Great response thank you.