SWG Web UI login slow and/or other report performance issues. Botnet report slow to load or times out.


Article ID: 157736


Products

Web Gateway

Issue/Introduction

Logging in to the Web UI takes longer than expected.

Loading incident reports takes longer than expected.

Botnet reports take more than 2 minutes to load or time out.

Logging in to the Web UI and/or loading incident reports take longer than expected.

The botnets report times out or loads slowly, taking more than 1 or 2 minutes.

Cause

Symantec Web Gateway generates events for several activities that happen on the Web Gateway. The event and incident history is stored in the database. When you view any report, Symantec Web Gateway uses these events to generate the data. However, when the number of events in the database is high, the performance of the appliance may degrade.

Resolution

Botnet reports

Steps to implement the recommended solutions are as follows:

1. Identify the infected clients based on these reports, disconnect them from the network, and clean them up or quarantine them.
2. After this, certain steps must be performed in the SWG GUI to move these clients to the repaired or quarantined clients.
3. Identify whether the infected PCs are servers and, if so, add them in SWG under Administration->Configuration->Servers. Refer to the reports to identify the servers.
4. Additionally, a network audit must be conducted to understand how and why the network has been attacked.

Following are the steps that need to be performed while cleaning up the infected clients:

1. Select the infected client(s) in the "Infected Clients" tab and select the "Quarantine" option to move the client to the quarantine list. If the infected client has already been cleaned up, select the "Mark as Fixed" option.
2. Once the infected client is moved to the quarantine list, the default policy is applied, which blocks the traffic coming from that client.
3. After moving the client to the quarantine list, perform the cleanup operation on the client system using SEP or an equivalent tool.
4. Once the client is cleaned, select that client's IP address from the "Quarantine list" and click "remove from quarantine".

Incident History

After a period of time on a busy system, the Spyware Detected Database can become quite large. This can degrade the performance of the appliance, particularly the time it takes to prepare and display reports.

You may configure the Web Gateway to automatically remove old history from its database. You can set both the maximum number of days of history to keep in the Web Gateway database and the maximum number of events to store in the database. If both are set to zero, the archive will grow indefinitely.

Keep incident history for [ ] days  [Change]

Keep a maximum of [ ] events  [Change]

Note: This will improve the performance of the appliance, particularly the time it takes to prepare and display reports. However, this may not improve the performance of the Botnets Report.

How to improve the performance of botnets report

If you observe that reports are becoming sluggish, you may want to manually remove some of the older data. You should also do so if you receive a system alert that the hard disk is nearly full. Type a date in the box and click the Delete button. All data recorded on or before that date will be deleted. To start over with an empty database, enter today's date.

Delete all incidents detected on and before [mm/dd/yyyy] [Delete]

This option purges event records from all tables, including the ones related to the botnets report, such as the botnet, botnet_cc, activeBot, spam_target and spammer tables. As a result, after deleting event records from these tables, the performance of loading the botnets report may be improved.

Note: Before deleting all incidents, it is recommended to create a backup using manual or scheduled custom reports and export the reports to a .csv or .html file. All event records will be deleted immediately when the customer clicks the "Delete" button.


Applies To

SWG 5.x

CIU