What is best practice for a new Symantec Web Gateway deployment?
Before deploying SWG, some steps are required to prepare the new environment so that the product performs and functions correctly.
In this document we outline some pre-deployment and post-deployment steps the administrator should take to get the most from SWG.
This document is not intended to replace the documentation that comes with SWG. The following manuals in PDF format are the main source of information for SWG implementation and configuration:
Read the documentation provided with the product
Knowledge is power, and this is no exception. The documentation provided with the product in PDF format and the internet are excellent resources to build and strengthen your knowledge. The accompanying documentation explains in detail how to configure and tune the product for best results.
The SWG appliance was designed to protect the network from Web 2.0 threats such as malicious URLs, spyware, botnets, viruses and other types of malware. The manner in which you connect the SWG to the network affects its capabilities. Read the SWG Implementation Guide for more information on this topic.
A fully working network environment is key to a successful SWG deployment. Ideally, all hosts that will interact with the SWG must be reachable from the IP addresses assigned to the SWG.
The fact that the SWG can report an internal source address in the reporting section of the GUI doesn't mean that the host can be reached back if necessary, as NAT or firewall rules may affect this traffic.
Make sure the network topology is reflected in the network section of the SWG configuration and that all static routes, with their corresponding gateways, have been entered as part of the configuration.
Hosts that could potentially have traffic blocked by SWG should be reachable by using the SWG testing tools such as ping and traceroute.
Required ports and URLs
Make sure all the required ports listed in the Implementation Guide are allowed by local networking devices and that the SWG can reach the required URLs to transmit and receive information from the internet.
The mechanism used by SWG to block access to URLs when in blocking mode involves TCP session hijacking. This means that any device that prevents TCP session hijacking, either on the ports the SWG attaches to or within the SWG traffic stream, will also prevent SWG from working properly.
SWG functionality relies on proper and fast DNS resolution. The configured DNS servers should be within the same internal network topology and must be able to resolve local and non-local hostnames efficiently. SWG interfaces that are enabled (may vary depending on the mode) should have corresponding A and PTR records on the DNS server.
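One way to verify the A and PTR requirement above before deployment, shown as an added example that is not part of the SWG documentation. The host names and addresses are constructed placeholders, and the script assumes it runs on a host that uses the same DNS servers as the ones configured on the SWG.

```python
import socket

def forward_lookup(hostname):
    """A-record lookup via the system resolver; empty set if none."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:
        return set()

def reverse_lookup(ip):
    """PTR lookup via the system resolver; None if no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def normalize(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")

def check_interface(hostname, ip, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means A and PTR agree."""
    problems = []
    addrs = forward(hostname)
    if not addrs:
        problems.append(f"no A record for {hostname}")
    elif ip not in addrs:
        problems.append(f"A record for {hostname} is {sorted(addrs)}, expected {ip}")
    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif normalize(ptr) != normalize(hostname):
        problems.append(f"PTR for {ip} is {ptr}, expected {hostname}")
    return problems

if __name__ == "__main__":
    # Constructed sample inventory: replace with the enabled SWG interfaces.
    interfaces = {
        "swg-mgmt.example.internal": "192.0.2.10",
        "swg-lan.example.internal": "192.0.2.11",
    }
    for host, ip in interfaces.items():
        issues = check_interface(host, ip)
        print(host, ip, "OK" if not issues else "; ".join(issues))
```

The system resolver may also consult a local hosts file, so an entry there can mask a missing DNS record.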
If a proxy will be implemented as part of the solution, SWG's own proxy is strongly suggested.
When an external proxy is used to connect to the internet instead, it should be placed upstream of the SWG. The appliance must be properly configured to analyze that traffic and the proxy must not block any of the required ports and URLs.
Downstream web proxies will hide the source of the connections, as all the traffic will be seen as coming from the proxy. Check "Symantec Web Gateway (SWG) considerations and behavior when an external proxy is used".
As of version 5.0.2, SWG has no built-in HA (High Availability) or Load Balancing feature.
It can rely on third-party Link Aggregation or EtherChannel load balancers.
To load balance SWG in inline mode, each host must function independently as a transparent bridge (OSI layer 2) with some requirements and caveats:
Starting with version 4.5.3, SWG supports VLAN traffic and can be deployed on a trunk port. For more details on VLAN settings, click the "Help" button available on the web interface inside the network configuration section of SWG.
Given the number of variables and the complexity involved in determining the requirements, the following numbers should be used only as a guideline.
|Target Customer size||<1,000||1,000 to 10,000||<700|
SWG basic configuration checks
The basic configuration will allow the administrator to confirm the SWG has been properly deployed by using some test features and monitoring tools. Some checks to be completed after the basic configuration has been finished are:
For SWG in Inline-only Mode:
For SWG in Inline Mode and Inline + Proxy Mode:
For SWG in Proxy-only Mode and Inline + Proxy Mode:
For more information on Proxy mode, check "Symantec Web Gateway (SWG) - Best Practices: Proxy Mode".
For SWG in Port Span / Tap mode: