How to: Restrict Symantec Endpoint Protection (SEP) Updates using Exinda

We’ve had a few situations where Symantec Endpoint Protection (SEP) updates have caused problems over the WAN.

Historically, SEP updates have been distributed using BITS and have had little noticeable impact. More recently, the updates seem to have become much larger and are distributed over HTTP on port 8014.

Normally, this would be straightforward to restrict on the Exinda, using a simple TCP application definition. However, Exinda appliances also use port 8014 for the Exinda Community, so restricting that port alone could have a detrimental effect on the overall Exinda setup.

So to limit the Symantec traffic, without disrupting the Exinda community, we can define a granular application (using Exinda’s layer-7 application matching rules) and a tight policy just for this traffic.

To start with, we can define the Symantec server itself as a network object. This is not strictly necessary, but it can aid reporting and management.
Next we define the application. SEP shows up as HTTP on port 8014. On the Exinda’s real-time monitor it can show either the server name or the IP address, so we’ll define both in the application.

Finally we create a new policy. In principle we could match on the SEP Server application alone, but we get a tighter match by putting in both the server network object and the application.

Save the policy, restart the optimiser, and in real-time view the SEP traffic should be correctly matched and restricted.
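As an added illustration (not Exinda configuration, and not from the original post), the following Python models the matching logic the policy above relies on: port 8014 by itself cannot separate SEP updates from Exinda Community traffic, so a flow is only tagged as SEP when the destination IP or the HTTP Host header matches the SEP server. The server name, server IP and sample flows are constructed placeholders.

```python
from typing import Optional

# Placeholders, not values from the post: substitute your SEP Manager's name and IP.
SEP_PORT = 8014
SEP_SERVER_NAME = "sep-server.example.local"
SEP_SERVER_IP = "192.0.2.10"


def http_host(payload: bytes) -> Optional[str]:
    """Return the lower-cased Host header of an HTTP request, or None if the payload is not HTTP."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()  # drop any :port suffix
    return None


def classify(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Mirror the layer-7 rule: port 8014 AND (server IP OR server name), else leave unmatched."""
    if dst_port != SEP_PORT:
        return "other"
    if dst_ip == SEP_SERVER_IP or http_host(payload) == SEP_SERVER_NAME:
        return "SEP Updates"
    # Other port-8014 traffic (e.g. Exinda Community) falls through to the default policy.
    return "port-8014-unmatched"


# Constructed sample flows: (destination IP, destination port, first payload bytes).
FLOWS = [
    ("192.0.2.10", 8014, b"GET /content/update.dat HTTP/1.1\r\nHost: sep-server.example.local:8014\r\n\r\n"),
    ("198.51.100.5", 8014, b"GET /content/update.dat HTTP/1.1\r\nHost: sep-server.example.local\r\n\r\n"),
    ("203.0.113.7", 8014, b"\x16\x03\x01\x00\x05hello"),  # non-HTTP bytes on 8014
    ("203.0.113.7", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def classify_all(flows):
    return [classify(ip, port, payload) for ip, port, payload in flows]


if __name__ == "__main__":
    for (ip, port, _), verdict in zip(FLOWS, classify_all(FLOWS)):
        print(f"{ip}:{port} -> {verdict}")
```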

Once this is tested, we can also consider turning on acceleration – the SEP updates are consistent and repetitive, so can benefit significantly from Exinda acceleration.