Save Live Protection bandwidth by using SWA

Dear Community,

I would like to ask if the SWA can cache SXL requests for internal Sophos SEC endpoint clients in some way. At the moment, without implementing SWA, all SEC clients send requests to Sophos Cloud for the Live Protection module and this consumes a lot of internet bandwidth.

Regards



  • Hi Lferrara,

    Normally if you run a SWA on site you would not want to have internal clients in full web control. Here is a KB I did up regarding deployment modes: https://community.sophos.com/kb/en-us/126692

    I would configure all the onsite stuff with a transparent redirection and then build an off site policy for your full web control policy.

    In short, the appliance is the most feature-rich web device, so I would want to ensure it scans as much traffic as possible (just exclude servers and make sure you aren't sending internal requests to the appliance; they should go direct).

  • Thanks for the tips, but you did not answer the question. The point is: I want to reduce SXL traffic from Sophos Endpoint (SEC) to the Internet because since 5.4, SXL cannot be disabled anymore (only using regedit). The bandwidth on this customer is very small and I was thinking to fully redirect http/s traffic and Live Protection traffic from the Internet to the SWA in order to save bandwidth and reduce the SXL traffic.

  • Hi Luk,

    If the EP client is caching the SXL requests, then there would be NO difference in the number of requests. However, if the EP client is NOT caching, moving it out of FWC may reduce the overall number of SXL lookups, as the appliance does cache them for a period.

    Another option would be to enable caching on the appliance. I'm really not a big fan of this option as it will unnecessarily fragment the file system with thousands of small files. Again, this would require pulling the client out of FWC.

    EP clients will tag their traffic with an EP=1. Even if you send that traffic to the appliance, it will not scan traffic that has already been processed by the endpoint, so dropping the client out of full web control will force the appliance to scan the traffic.

    I would also recommend ensuring HTTPS scanning is enabled on the appliance and that its cert is pushed out to the clients to gain the maximum level of scanning.