Hello, Mates
I have a problem with Threat Prevention.
I have a VSX cluster with several VSs.
One of my VSs has the TP layer (AV/AB/IPS) enabled, the VS does not have HTTPS Inspection enabled, and it is working with a default rule in the TP layer with the “Optimized” profile.
The problem is that there are many logs with “Detect” action even though the profile detail is in PREVENT mode.
The logs point us to SK74120, but the problem arises when we apply the SK: when we change the DNS “behavior” to HOLD mode as the SK instructs, we affect many other services, such as sending/receiving email that passes through this VS.
The TAC is investigating the possible root cause of this problem, since the goal is for this traffic to be prevented and not just labeled as DETECT.
In VSX environments, how does traffic flow inspection work? Does traffic that passes through a VS that has Internet access and has the TP layer enabled always have to go through VS0 as well, and only then is it sent to ThreatCloud for review?
Thank you for your opinions.
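Added example, not part of the original post and not Check Point's own tooling: a small triage script for an exported Threat Prevention log. The post says the Detect events appear although the profile is in Prevent mode and that the suggested fix (SK74120, DNS behavior set to HOLD) only touches DNS handling, so the useful first question is which protections and services the Detect events actually belong to, and how many of them are DNS at all. The CSV below is constructed for this example, and its column names (time, action, protection_type, protection_name, service, src, dst) are an assumption about the export, not the gateway's real log schema; adapt them to the columns of your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample export for this example (not real logs). The column names
# are assumed; rename them to match the fields of your own log export.
SAMPLE_EXPORT = """\
time,action,protection_type,protection_name,service,src,dst
2024-05-01T10:00:01,Detect,Anti-Bot,Malicious DNS query,domain-udp,10.1.1.10,8.8.8.8
2024-05-01T10:00:03,Prevent,IPS,Web Server Enforcement Violation,http,10.1.1.11,203.0.113.5
2024-05-01T10:00:07,Detect,Anti-Bot,Malicious DNS query,domain-udp,10.1.1.12,8.8.8.8
2024-05-01T10:00:09,Detect,Anti-Virus,Malicious file download,http,10.1.1.13,203.0.113.9
2024-05-01T10:00:12,Prevent,Anti-Bot,C&C connection,https,10.1.1.14,198.51.100.7
2024-05-01T10:00:15,Detect,Anti-Bot,Malicious DNS query,domain-tcp,10.1.1.15,8.8.8.8
2024-05-01T10:00:20,Detect,IPS,SMTP Enforcement Violation,smtp,10.1.1.16,198.51.100.20
"""

# Service names treated as DNS; assumed naming, extend for your own service objects.
DNS_SERVICES = {"domain-udp", "domain-tcp", "dns"}


def parse_export(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def detect_rows(rows):
    """Only the events whose action was Detect (case-insensitive)."""
    return [r for r in rows if r["action"].strip().lower() == "detect"]


def detect_summary(rows):
    """Count Detect events per (protection_type, protection_name, service)."""
    return Counter(
        (r["protection_type"], r["protection_name"], r["service"])
        for r in detect_rows(rows)
    )


def split_dns(rows):
    """Split Detect events into DNS and non-DNS services.

    A change to DNS behaviour (such as the hold mode mentioned in the post) can
    only affect the DNS ones; Detect events on other services need a
    different explanation.
    """
    dns, other = [], []
    for r in detect_rows(rows):
        (dns if r["service"].strip().lower() in DNS_SERVICES else other).append(r)
    return dns, other


def report(text):
    """Human-readable summary: top Detect signatures, then the DNS/non-DNS split."""
    rows = parse_export(text)
    summary = detect_summary(rows)
    dns, other = split_dns(rows)
    lines = [
        f"{n:4d}  {ptype:10s} {pname:35s} {svc}"
        for (ptype, pname, svc), n in summary.most_common()
    ]
    lines.append(
        f"Detect on DNS services: {len(dns)}; Detect on non-DNS services: {len(other)}"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run it against a real export (for example via `report(open("tp_export.csv").read())`) after adjusting the column names; the non-DNS count is the part that a DNS hold-mode change cannot address, which is the list worth sending to TAC alongside the rule and profile details.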