
What is the best practices policy for Threat Prevention?

What is the best practices policy for Threat Prevention when you have Threat Prevention policies at the network level as well as Endpoint Threat Prevention? To add to the equation, on some Endpoints the SBA is installed and on others it is not installed.

The following behaviour is noticed:

a) Threat prevention actions are done twice or more for the same files

b) Network Threat Prevention and SBA are fighting for the same file (End users experience failed download attempts)

c) Files are not inspected

Based on the above scenarios, can you suggest a best practice configuration when you have Network Threat Prevention, SBA on some devices, and devices with no SBA?

Thanks,

Charris Lappas

3 Replies
Employee++

Re: What is the best practices policy for Threat Prevention?

Hi Charris,

So usually you would have Threat Prevention enabled on the network as well, in case you cannot distinguish between SBA-installed clients and non-SBA-installed ones.

Depending on the architecture it will not lead to double emulation if the network gateway and SBA share the same emulation location (because of the cache of the emulator). Also, Threat Extraction will not be done twice, because an already extracted file does not have active content anymore to be extracted again (for this to be 100% true, the TX settings for network and SBA should match). There should also be no "fighting" between network gateway and SBA for files, because the processing is sequential.

If you have unexpected behaviors like the one you describe please open a case at our support.

Regards, Thomas

0 Kudos
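A small model of the two mechanisms the reply above relies on: an emulation verdict cache keyed by file hash, which serves the second layer's request when gateway and endpoint share the same emulation location, and Threat Extraction that is idempotent when both layers use the same settings. This is an added illustration, not Check Point code; the cache structure, the `<macro>` marker standing in for active content, the `MALICIOUS_MARKER` string the toy emulator flags, and both sample documents are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample "files" (not real malware): a document carrying an
# active-content block and a constructed marker the toy emulator flags.
SAMPLE_DOC = b"<doc>quarterly numbers<macro>AutoOpen()</macro>MALICIOUS_MARKER</doc>"
CLEAN_DOC = b"<doc>just text</doc>"


@dataclass
class EmulationCache:
    """Model of an emulator's verdict cache, keyed by SHA-256 of the file bytes."""
    verdicts: dict = field(default_factory=dict)
    emulations: int = 0  # number of cache misses, i.e. real emulations performed

    def verdict_for(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.verdicts:
            self.emulations += 1  # miss: the file is actually emulated
            self.verdicts[digest] = (
                "malicious" if b"MALICIOUS_MARKER" in data else "benign"
            )
        return self.verdicts[digest]


def emulate_in_sequence(layers, data: bytes) -> list:
    """Gateway first, then endpoint: each layer asks its cache for a verdict.

    Both layers receive the same bytes, so a shared cache serves the second
    request without emulating again. Returns (layer name, verdict) pairs.
    """
    return [(name, cache.verdict_for(data)) for name, cache in layers]


def emulations_shared_location(data: bytes) -> int:
    """Gateway and SBA point at the same emulation location (one shared cache)."""
    shared = EmulationCache()
    emulate_in_sequence([("gateway", shared), ("endpoint", shared)], data)
    return shared.emulations


def emulations_separate_locations(data: bytes) -> int:
    """Gateway and SBA use different emulation locations (no shared cache)."""
    gw, ep = EmulationCache(), EmulationCache()
    emulate_in_sequence([("gateway", gw), ("endpoint", ep)], data)
    return gw.emulations + ep.emulations


# Toy Threat Extraction with one fixed setting: strip <macro> blocks.
ACTIVE_CONTENT = re.compile(rb"<macro>.*?</macro>", re.DOTALL)


def extract_active_content(data: bytes) -> bytes:
    """Remove active content from the file; the rest of the content is untouched."""
    return ACTIVE_CONTENT.sub(b"", data)


def extraction_is_idempotent(data: bytes) -> bool:
    """Extracting an already extracted file with the same settings changes nothing."""
    once = extract_active_content(data)
    return extract_active_content(once) == once


if __name__ == "__main__":
    print("shared location, emulations:", emulations_shared_location(SAMPLE_DOC))
    print("separate locations, emulations:", emulations_separate_locations(SAMPLE_DOC))
    print("second extraction is a no-op:", extraction_is_idempotent(SAMPLE_DOC))
```

The model deduplicates only because both layers hash identical bytes; a cache keyed this way can only help the second layer when it sees the same file the first layer did, which is why the reply ties the "no double work" outcome to a shared emulation location and to matching TX settings on both layers.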

Re: What is the best practices policy for Threat Prevention?

Hi Thomas,

Thanks for replying. You are absolutely right, the above should not be happening, but it is! That is why I'm looking for some configuration examples.

Thanks,

Charris

0 Kudos
Employee++

Re: What is the best practices policy for Threat Prevention?

Hi Charris,

The expected configuration in this case is doing TE/TX on both layers (GW and endpoint).

You could test SBA's behavior when setting TE on the GW to background mode, just for troubleshooting purposes.

But as I said, I would open a case at support to have them look into it.

Regards, Thomas