Channel: Symantec Connect - Products - Ideas

Manual enabling / disabling and download network traffic capture


Hi Team

Situation:

I had a case with an ATP appliance that was difficult for network troubleshooting (lack of evidence).

Customer is using TAP Mode but ATP showed wrong network information, specifically External traffic presented as Internal.

ATP was configured with all the Internal networks from the customer.

As a troubleshooting step we tried to use 'tcpdump', but this command's output cannot be redirected to an output of our choice. Even if it's possible to create a file and save the output internally, the issue is that I wouldn't be able to then grab that data or read it afterward. This requires Symantec Support to log on and transfer it off.

Two weeks with a TechSupport case, a few Webex sessions, lots of screen captures and no one gave us a solution (even with bsupport logs transferred to Sym).

Finally, with a Linux computer connected to the SPAN port, we collected (traffic capture) enough evidence to let the network admin know that the Switch configuration was wrong: they spanned the external (dirty) WAN and had not moved the SPAN inside.

Idea for Product Improvement:

-Give us the option to capture traffic for at least 30 seconds and download to our computer-

A legacy product from the same family called Symantec Web Gateway lets us capture traffic on the network. To do that on SWG, we must enable the traffic capture process and, when it has finished, just disable it and download it to our computer.

Probably this information is available to Symantec by manually running "gather_logs" on the Appliance's CLI, but the idea is to save time and resources for Symantec, Partners and customers and to have a faster solution.

Of course, there's a performance implication to this, so Symantec must let customers and partners know that the feature must be used just for a few seconds/minutes.

Thanks
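
Added example, not part of the original post or of any Symantec tooling: one way to check a capture taken at the SPAN port, as described above, against the internal networks configured on the appliance. The internal ranges, function names and sample packets are assumptions constructed for illustration; as a heuristic, a capture in which almost no packet has an internal endpoint suggests the mirror sits outside the internal segments.

```python
import ipaddress
import struct
from collections import Counter

# Assumed ranges; use the internal networks configured on the appliance.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def side(addr):
    ip = ipaddress.ip_address(addr)
    return "int" if any(ip in net for net in INTERNAL) else "ext"

def classify_pcap(data):
    """Count IPv4 packets per direction in a classic pcap of Ethernet frames."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip truncated frames and anything that is not untagged IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            counts["skipped"] += 1
            continue
        counts[side(frame[26:30]) + "->" + side(frame[30:34])] += 1
    return counts

def internal_share(counts):
    """Fraction of classified packets with at least one internal endpoint."""
    total = sum(v for k, v in counts.items() if k != "skipped")
    return (total - counts["ext->ext"]) / total if total else 0.0

def build_sample(pairs):
    """Constructed pcap: one minimal Ethernet/IPv4 frame per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         *(ipaddress.ip_address(a).packed for a in (src, dst)))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample (documentation addresses stand in for public hosts).
SAMPLE = build_sample([("198.51.100.7", "203.0.113.9"), ("10.1.2.3", "203.0.113.9"),
                       ("203.0.113.9", "198.51.100.7"), ("198.51.100.20", "203.0.113.50")])
if __name__ == "__main__":
    print(classify_pcap(SAMPLE), internal_share(classify_pcap(SAMPLE)))
```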

