@TP_Master CZPR-FW1 and CZPR-FW2 are actually in a cluster.
This was maybe a confusing example.
I would like to give single gateway and single user example.
Please correct me if I'm wrong in the following statement.
Malware which is active on a user's computer is allowed to talk to the C&C site (because of the classification in the background) every day, even:
- if gateway was not rebooted
- the policy was not installed (the SK describes a cache flush with a policy push?)
I have no clue how to investigate whether the cache was filled or not.
Is there any particular reason why the cache lasts only 12-24 hours?
