CheckMates > Products > Quantum > Security Gateways
What is the best practices policy for Threat Prevention?
What is the best practices policy for Threat Prevention when you have Threat Prevention policies on the network level as well as Endpoint Threat Prevention? To add to the equation, on some Endpoints the SBA is installed and on others it is not installed.
The following behaviour is noticed:
a) Threat prevention actions are done twice or more for the same files
b) Network Threat Prevention and SBA are fighting for the same file (End users experience failed download attempts)
c) Files are not inspected
Based on the above scenarios, can you suggest a best practice configuration when you have Network Threat Prevention, SBA on some devices, and devices with no SBA?
Thanks,
Charris Lappas
Hi Charris,
So usually you would have Threat Prevention enabled on the network as well, in case you cannot distinguish between SBA-installed clients and non-SBA-installed ones.
Depending on the architecture, it will not lead to double emulation if the network gateway and SBA share the same emulation location (because of the cache of the emulator). Also, Threat Extraction will not be done twice, because an already extracted file does not have active content anymore to be extracted again (for this to be 100% true, the TX settings for network and SBA should match). There should also be no "fighting" between network gateway and SBA for files, because the processing is sequential.
If you have unexpected behaviors like the one you describe, please open a case with our support.
Regards, Thomas
Hi Thomas,
Thanks for replying. You are absolutely right that the above should not be happening, but it is! That is why I'm looking for some configuration examples.
Thanks,
Charris
Hi Charris,
The expected configuration in this case is doing TE/TX on both layers (GW and endpoint).
You could test SBA's behavior when setting TE on the GW to background mode, just for troubleshooting purposes.
But as I said, I would open a case with support to have them look into it.
Regards, Thomas
