File is downloading from the internet to BigFix server every 5 minutes

Hi Team,
On our BigFix server, one file is being downloaded from the internet every 5 minutes, and it’s creating more traffic and consuming more disk space.
May I know what could be the reason, and how to troubleshoot so that this file is not downloaded from the internet to the BigFix server?

Thanks in advance…

Any action sent to any client that requires a download will download the file from the Internet. Normally that would be stored in the server’s cache. Perhaps you have the server cache set too low? Describing what the file is would help.

I just confirmed that we have enough cache size, in GBs.
Below is the file which is downloading every 5 minutes.
http://sync.bigfix.com/bfsites/webui-common_41/common-app-linux.zip

This isn’t a download, this is a gather. Do you have an IPS? If so can you whitelist sync.bigfix.com from your IPS?

Hi Alan,
Do you mean to say adding sync.bigfix.com to the below file

Try running this against your root server:

This will tell your root server to gather over HTTPS which could solve some problems where a download is failing due to proxy or IPS.

You may need to restart the root server process or reboot for the setting to take effect. (I’m not certain)

As long as this setting doesn’t somehow cause more problems, which it shouldn’t, it is a good idea to do anyway.

All the -linux.zip files in the WebUI sites don’t play nicely with a lot of the AV products, especially some of the ones found in filtering proxies. What we have been able to determine is either the AV is unable to complete the scan in a fast enough manner, it is hitting a maximum path length exceeded, or a locally installed AV product is holding the file (since it’s scanning it) after it was downloaded long enough to impact the root server’s ability to move it to the correct final folder, so it just assumes the download was bad and re-attempts.

There is a good chance if your AV product has path name limitations that it will be hitting that limit. There are paths longer than 255 characters (which all OSes can handle but some applications cannot) in the WebUI.

Generally having AV running within the BES directories is problematic and can cause issues if AV interferes with something like you are seeing.

And no, it’s not the DownloadWhiteList. An IPS is an Intrusion Prevention System (see https://en.wikipedia.org/wiki/Intrusion_detection_system) which many companies have on their internet connections.

Fully agree, but in this case the issue is more broad. The AV can exist at the network layer and cause the filtration of all content flowing from the Internet, and in these cases the AV products are usually tuned for high throughput, so they put tighter coding constraints on things like path string lengths as well as just simply being built upon legacy code bases that haven’t had a huge demand for long path name support.

Also, since the gathering/propagation process could utilize other directories (like AppData, Windows temp, etc), any one of those could also trigger the scan even with the recommended directory exclusions in place.

Due to all of this, and with security policies overarching many of the components involved, you may have to manually AirGap the webui-common (and/or other webui-* sites). Not ideal, but since the sites don’t update all that frequently (yes, I know I just wrote that after several site updates being pushed over the past few days) it’s not prohibitively difficult to do in most cases.

The BESRelay.log or GatherDB.log file will typically contain an error message containing the exact filename of the file within the overall download that the IPS or security proxy does not like and that gets rejected.

Related article:
BigFix Server unable to gather site content from sync.bigfix.com (error: Unexpected HTTP response: 404)
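
The path-length point raised in the thread can be checked directly against a downloaded site archive. The following is an added example, not part of the original thread and not BigFix tooling: it lists zip entries whose path exceeds a limit, optionally counting the directory the archive would be extracted into. The function names, the in-memory sample archive and the base directory are constructed for illustration.

```python
import io
import zipfile

LIMIT = 255  # the figure mentioned in the thread; adjust to your scanner's limit

def long_paths(zip_source, base_dir="", limit=LIMIT):
    """Return (full_length, entry_name) for entries whose path, once prefixed
    with base_dir, is longer than `limit` characters, longest first."""
    prefix = base_dir.rstrip("/\\")
    hits = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            name = info.filename.rstrip("/")
            full = f"{prefix}/{name}" if prefix else name
            if len(full) > limit:
                hits.append((len(full), info.filename))
    return sorted(hits, reverse=True)

def longest_component(zip_source):
    """Length of the longest single directory or file name in the archive;
    some scanners limit one component rather than the whole path."""
    with zipfile.ZipFile(zip_source) as zf:
        return max((len(part) for info in zf.infolist()
                    for part in info.filename.split("/") if part), default=0)

def build_sample():
    """Constructed in-memory archive standing in for a downloaded site zip."""
    nested = "node_modules/some-package"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/server.js", "// short path\n")
        zf.writestr("/".join([nested] * 9) + "/index.js", "// under the limit\n")
        zf.writestr("/".join([nested] * 12) + "/index.js", "// over the limit\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Paths inside the archive alone
    for length, name in long_paths(build_sample()):
        print(f"{length:5d}  {name[:50]}...")
    # Same archive, counting a hypothetical extraction directory as prefix
    hypothetical_dir = "C:/hypothetical/extract/dir"
    for length, name in long_paths(build_sample(), base_dir=hypothetical_dir):
        print(f"{length:5d}  (with prefix) {name[:50]}...")
```

To check a real file, pass its path instead of the sample, for example `long_paths("common-app-linux.zip")`.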