June 25, 2015

How To Stop McAfee Web Gateway Updates From Filling Your MPLS Link

This story begins with SevOne, our in-house network performance monitoring system. We have a policy configured in SevOne to alert us when a router serial interface is at or above 95%, meaning the Sprint MPLS WAN link for that location is nearly if not fully consumed. Obviously this is a bad thing as it severely impacts user experience with any applications that ride over this MPLS link.

A few weeks ago I was perusing the Alerts screen in SevOne and noticed one of our locations triggered this policy. I loaded up an IN/OUT octet graph, and sure enough, their MPLS link was pegged at 100%. So, I loaded up a FlowFalcon (NetFlow) report to find out who the guilty party was and to my surprise, the two top talkers were the local McAfee Web Gateway virtual web filtering appliance, and another remote location McAfee Web Gateway virtual appliance.

I suspected an update process was running, but I couldn’t figure out why it would be happening over the MPLS link instead of the local internet connection. So, after some investigation, including typing various search terms like “McAfee Web Gateway update high bandwidth” (or something like that), I found “Best Practices: Central Management in Web Gateway 7.x.”

All of our Web Gateway appliances are part of a cluster. Since we only have one Web Gateway at each location, each appliance should download updates using the local internet connection. But, a simple setting was overlooked when these appliances were configured that allowed appliances to receive updates from other appliances. By default, “Allow to download updates from other nodes” is enabled.

To change this setting, log in to the web-based administration console for your Web Gateway cluster (you should be able to log in to any Web Gateway to administer the cluster, as it utilizes a “master-less” cluster philosophy). Typically the address is something like this:

https://appliance-name:4712/Konfigurator/request

Once logged in, click on the Configuration button at the top, and expand the “Appliances” branch within the Appliances tab.

Expand an appliance, and then click on “Central Management,” and scroll down to the “Automatic Engine Updates” section. There are three settings here, and they are ALL checked by default.

  • Enable automatic updates
  • Allow to download updates from internet
  • Allow to download updates from other nodes

It’s that last setting we want to uncheck. Once it is unchecked, this appliance will get updates only via the internet. You have to expand each appliance and uncheck this box, assuming you want to disable this on all your appliances. When you are done, remember to click the “Save Changes” button on the top right.
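To confirm the change, the NetFlow check described earlier can be repeated as a script. The following is an added example, not code from this post, SevOne or McAfee: it sums flow bytes per talker pair and reports how much of the WAN link is consumed by traffic between Web Gateway appliances at different sites. The appliance addresses, flow records, T1 link speed, 5-minute window and 50% threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: Web Gateway appliance IP -> site (documentation-range addresses).
APPLIANCES = {"192.0.2.10": "site-a", "198.51.100.10": "site-b", "203.0.113.10": "site-c"}

# Constructed flow records for one 5-minute window: (src, dst, bytes).
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.10", 52_000_000),  # appliance -> appliance, bulk transfer
    ("198.51.100.10", "192.0.2.10", 3_500_000),
    ("192.0.2.10", "198.51.100.10", 1_200_000),   # return traffic
    ("192.0.2.55", "198.51.100.80", 900_000),     # ordinary user traffic
    ("203.0.113.10", "192.0.2.10", 40_000),       # small appliance-to-appliance flow
]

def top_talkers(flows, n=3):
    """Sum bytes per (src, dst) pair and return the n largest pairs."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def inter_appliance_share(flows, link_bps, window_s):
    """Map (src_site, dst_site) -> fraction of link capacity used by
    traffic between appliances located at different sites."""
    capacity_bytes = link_bps / 8 * window_s
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        s, d = APPLIANCES.get(src), APPLIANCES.get(dst)
        if s and d and s != d:
            totals[(s, d)] += nbytes
    return {pair: b / capacity_bytes for pair, b in totals.items()}

def flag_pairs(flows, link_bps=1_544_000, window_s=300, threshold=0.5):
    """Site pairs whose appliance-to-appliance traffic meets the threshold
    (assumed values: T1 link, 5-minute window, 50% of capacity)."""
    shares = inter_appliance_share(flows, link_bps, window_s)
    return sorted(pair for pair, share in shares.items() if share >= threshold)

if __name__ == "__main__":
    for pair, nbytes in top_talkers(SAMPLE_FLOWS):
        print(pair, nbytes)
    print("flagged:", flag_pairs(SAMPLE_FLOWS))
```

With the setting unchecked on every appliance, the flagged list for update windows should come back empty.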
