This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM).  Giving details about the process and explaining how  the client and the management server communicate.

HEARTBEAT OVERVIEW

Symantec Endpoint Protection clients and management servers exchange status information, content data, and policy information. Clients initiate this communication with Symantec Endpoint Protection Manager.  Version 14 and later clients communicate with management server using HTTPS and the TLS 1.2 protocol.
 
Symantec Endpoint Protection Manager connects to the client with a communications file called Sylink.xml. The Sylink.xml file includes the communication settings such as the IP address of the management server and the heartbeat interval.
 
The sylink file performs many of its functions during the heartbeat. The heartbeat is the frequency at which client computers upload logs to the management server, and download policies and commands.
The sylink file contains:
 • The public certificate for all management servers.
 • The KCS, or encryption key.
 • The Domain ID that each client belongs to.

HEARTBEAT INTERVAL

The frequency with which the client communicates with and retrieves settings from the server.
At each heartbeat, the server takes the following actions:
 • Updates the logs.
 • Updates the security policy.
 • Checks the communication status between the client and the server.
The default heartbeat interval is 5 minutes.

HEARTBEAT PROCESS

1.      SEP client reads sylink.xml to determine first available SEPM according to priority.
2.      SEP client connects to SEPM.

• If session cannot be established within 30,000 milliseconds, check-in process terminates until the next heartbeat interval.

3.      SEP client performs an HTTP GET of index.dat from the SEPM and compares it against the client copy for any deltas.

• Content differences will check against LiveUpdate policy for current location.

4.      SEP client performs an HTTP GET request to obtain URLs to download files.

• URLs will correspond to the SEPM or GUP depending on LiveUpdate policy.
• If SEPM is specified, content will download over TCP 8014 (recommended web site port).
• If GUP is specified, content will download over TCP 2967.

5.      SEP client uploads log files to SEPM.
6.      SEP client uploads LAN sensors and learned application logs to SEPM.
7.      SEP client disconnects from SEPM.

• When communication mode is set to Pull, the SEP client will check in again at the next heartbeat interval.
• When communication mode is set to Push, the SEP client does not fully disconnect, which allows any policy changes made in SEPM to occur immediately on the SEP client.

HEARTBEAT SIZE

When there are no new client-side logs to upload to the management server, or policy or content to download from the server, the size of the Symantec Endpoint Protection client heartbeat is between 3KB and 5KB. This file size is based on the size of the file that we use to determine if there is anything to download (index2 file).

When all client protection technologies are enabled and the maximum level of client logging is enabled (with the exception of packet-level firewall logging, which is not recommended in production environments), the size of a typical heartbeat is between 200 KB and 300 KB.  The max upload is determined by the default max upload log count (100), where for example, each record is 1k so that is 100K and then you throw in op-state upload and maybe some app learning upload and you get the 200 to 300 KB.

MODIFY THE FOLLOWING CLIENT-SERVER COMMUNICATION SETTINGS IN EACH SEPM GROUP TO IMPROVE NETWORK PERFORMANCE

• Use pull mode instead of push mode to control when clients use network resources to download policies and content
  updates.
• Increase the heartbeat interval. For fewer than 100 clients per server, increase the heartbeat to 15-30 minutes. For 100
  to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval.
  Symantec recommends that you leave "Let clients upload critical events immediately" checked.
• Increase the download randomization to between one and three times the heartbeat interval.