Hello,

I have a legacy architecture, and I found the option of "Activation Mode" in my Cluster object, selected in "Detect only" mode, but at the same time, I have explicit rules configured in the Threat Prevention, but I see that the Cluster, is not "obeying" the explicit rules that are configured in PREVENT mode, but it is allowing the traffic, since the logs, show the action of "DETECT".

I get the impression that the Activation Mode has priority over the explicit rules.

Is this correct?

Buddy

I understand your explanation, but what I want to confirm is,
As my Cluster is now, in the configuration "Activation Mode -> Detect Only", even if we create several explicit rules in the Threat Prevention, these are not going to "work" correctly, until I change the "Activation Mode" to "According to Policy", right?

Thanks.

Help me to understand your confusion, what type of policy have you configured that you are expecting to perform differently than described above?

I have a certain type of traffic that is being "allowed" and really, it shouldn't be allowed.

So here comes my confusion.
Since the log indicates that it is doing MATCH with my explicit rule in the Threat Prevention.

Or maybe I'm misunderstanding the flow?

Buddy, look at the log. It clearly shows its in DETECT state, which totally make sense, since in gateway properties, you also have it set to same, so in reality, EVERY threat prevention log you see will be literally the same action.

Andy

Sure, it makes sense, but in this traffic, for example, the "Confindence Level" is "High" and according to the Profile of my policy, the action is "PREVENT", but still, the traffic is "allowed" ...

So, I understand that this is because of "how" the GW is currently configured in its global properties, right?

EXACTLY! 🙂

So makes no difference if action is drop, prevent, discard, throw away (just making that up lol), but you get the idea...so regardless of action value, as long as gateway properties option says detect, thats all that matters.

Makes sense?

Andy

Btw, on slightly unrelated note, did that email I sent you for Azure vpn config help? 🙂

Andy

The settings on the gateway will take precedence over what you define in the Threat Prevention Policy. This is the point of having this option in the first place. By overriding the gateway object with "Detect only", you are overriding the policy. You are telling this specific gateway that regardless of what is being defined in the Threat Prevention Policy, always run Anti-Bot and Anti-Virus in Detect mode. You can do the same with the IPS blade under IPS settings on the gateway.

You would typically share Threat Prevention Policies across multiple gateways. In case of issues, these options exist on a per gateway level to provide an easy way for you to enforce specific gateways to detect only various blades without having to fiddle with the Threat Prevention Policy that might be in use in multiple places where you don't want to enforce detect only.

Hello,

Your explanation was very clear.

However, I have some confusion.

If the priority is the global way how the "Activation Mode" is configured from the object of my ClusterXL, why in the following records that I share (attached), it is "blocking" the traffic to the domains (Prevent) by the blade of "AntiVirus"?

It is supposed that this traffic to the destinations of the attached file, "should" be allowed according to how the ClusterXL object is globally configured, however, I understand that for this traffic, it is being blocked, having more "priority" the explicit rule of "Threat Prevention".

Greetings.

Bro, there are different tabs for those things for AV/AB and IPS as you can also see from the fw object.

Cheers,

Andy

Note in the description field of the log: "generated by custom intelligence feed"

With the Activation mode set as it is, do you see these entries only aligned to observables / IOC feeds added manually ?

I don't want to distract from the core issue but there are several factors that could apply for the example given:

1. Gateway activation mode (primary cause)

2. Active Protections 'Performance Impact' rating (set too low)

3. DNS traffic (background by default)

Correct.

As Chris asked buddy, can you help us understand exactly what the ultimate goal here is? Essentially, if you wish certain threat prevention policy to take effect, just make sure right profile is selected and then choose option according to policy under av/ab tab.

Makes sense?

Andy