Dell SonicWALL Capture Advanced Threat Protection Beta Feature Guide


June 2016

Topics:
Purpose
Supported platforms
Overview
Licensing Capture ATP
Configuring Capture ATP
About Dell

Purpose

This feature guide describes how to install and configure Dell SonicWALL Capture Advanced Threat Protection (ATP). Capture ATP is a new security service offering for Dell SonicWALL firewalls.

Supported platforms

Dell SonicWALL Capture ATP is supported on the following Dell SonicWALL network security appliances running SonicOS 6.2.5 and higher:
SuperMassive 9600
SuperMassive 9400
SuperMassive 9200
NSA 6600
NSA 5600
NSA 4600
NSA 3600
NSA 2600
TZ600
TZ500 and TZ500 Wireless
TZ400 and TZ400 Wireless
TZ300 and TZ300 Wireless
SOHO Wireless

Dell SonicWALL Capture Advanced Threat Protection 1

Overview

Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV). Capture ATP helps a firewall identify whether a file is malicious by transmitting the file to the cloud, where the Capture ATP service analyzes it. Capture ATP then sends the results to the firewall. This process is done in real time while the file is being processed by the firewall.

The firewall is located at the customer premises, but the Capture ATP server and database are located at a Dell SonicWALL facility. The firewall creates a secure connection with the Capture ATP cloud service before transmitting data.

Before you can enable Capture ATP, you must first get a license, and you must enable the Gateway Anti-Virus (GAV) service. The settings you choose for GAV, such as the protocols to scan for files or the IP addresses to exclude from scanning, also apply to the Capture ATP service.

All files that are submitted to Capture ATP for sandbox analysis are first subjected to pre-filtering. Files can be rejected or passed based on pre-filtering alone: if pre-filtering determines a file to be malicious or benign, the file is not analyzed by the Capture ATP sandboxes. If the GAV service cannot determine during pre-filtering whether a file is malicious or benign, the file is submitted to the Capture ATP sandboxes for analysis.

If a file does not appear on the Capture ATP > Scanning History page, it was not analyzed in the sandboxes but was passed or rejected based on the Capture pre-filtering process. Only files that have been analyzed by the Capture ATP sandboxes are listed on the Scanning History page. Files that are determined to be malicious are kept for 30 days and are then deleted. Other files are deleted after the analysis is complete.

The Block Until Verdict option ensures that no packets get through until the file is completely analyzed and determined to be either malicious or benign. The file is held until the last packet is analyzed. If the file contains malware, the last packet is dropped and the file is blocked permanently. Once a file is blocked permanently, there is no way to recover it or analyze it again.

Capture ATP provides a file analysis report (scanning report) with detailed threat behavior information. If the Block Until Verdict option is not enabled, the scanning report provides the information necessary to respond to a threat or infection. When a file is determined to be malicious, the threat intelligence is incorporated into the other Dell security services, such as GAV and Cloud Anti-Virus, so that other firewalls benefit within 48 hours.

All files are sent to the Capture ATP cloud over an encrypted connection. Dell does not keep the files. All file types, whether malicious or benign, are removed from the Capture ATP server after they are analyzed, except for executable files that contain malware. Executable files that are determined to be malicious are sent to the Dell threat research facility for further analysis, but they are also removed after a certain time period. The Dell SonicWALL privacy policy can be accessed at: https://www.mysonicwall.com/privacypolicy.aspx

Licensing Capture ATP

This section describes how to license the Capture ATP feature on your Dell SonicWALL appliances. The Capture ATP license requires that the Gateway Anti-Virus (GAV) service is also licensed. You must enable Gateway Anti-Virus (GAV) and Cloud Anti-Virus before you can enable Capture ATP. Currently, only Beta licenses are available for Capture ATP.

Topics
Activating a Beta Capture ATP license
Enabling SonicOS services
Disabling Gateway Anti-Virus

Activating a Beta Capture ATP license

This procedure describes how to activate a Beta Capture ATP license.

To activate a Beta Capture ATP license on your firewall:
1 Submit the serial number of the appliances you would like to activate by completing the survey at https://www.surveymonkey.com/r/sonicwall-beta-sonicos626.
2 After you complete the survey, you will be notified by email when the Capture ATP license has been activated for your appliance.

When Capture ATP is not licensed, the left-hand navigation panel only shows the Settings page. The other Capture ATP pages are not shown in the panel until Capture ATP is licensed and enabled.

When Capture ATP is not licensed, the Capture ATP > Settings page displays the following message, with instructions to go to the System > Licenses page where you can view and obtain licenses.

Enabling SonicOS services

Before you can enable Capture ATP, the SonicOS services Gateway Anti-Virus and Cloud Anti-Virus Database must be enabled.

To enable the SonicOS services Gateway Anti-Virus and Cloud Anti-Virus Database:
1 On the firewall, go to the Security Services > Gateway Anti-Virus page.
2 Ensure that the checkboxes for Enable Gateway Anti-Virus and Enable Cloud Anti-Virus Database are checked.

You can also choose the protocols that are scanned for malicious files. The GAV protocol settings apply to both the GAV and Capture ATP services. You can also use the GAV settings to select or define address objects to exclude from GAV and Capture ATP scanning. If GAV cannot determine during pre-filtering whether a file is malicious or benign, the file is submitted to Capture ATP for analysis, and if Capture ATP determines that the file is malicious, it creates a detailed analysis report that can be accessed from the Capture ATP > Scanning History page.

3 (Optional) To configure the GAV protocol settings, click Configure Gateway AV Settings and select the settings you want in the Gateway AV Settings dialog.
4 (Optional) If you want to use an exclusion list to prevent certain items from being scanned, select the checkbox for Enable Gateway AV Exclusion List.
a In the Use Address Object drop-down menu, select the address objects you want to add to the Gateway AV Exclusion List.
5 (Optional) To exclude any items from Cloud Anti-Virus filtering, click Configure Cloud AV DB Exclusion Settings and add the signature IDs that you want to exclude from scanning to the Cloud AV Exclusion List.

Capture ATP will stop working if either Gateway Anti-Virus or Cloud Anti-Virus is disabled. If Gateway Anti-Virus is not enabled, the Capture ATP > Settings page shows the following message, with instructions to go to the Security Services > Gateway Anti-Virus page where you can enable it.

You can view the Gateway Anti-Virus Scan Settings by hovering over the small arrow in line with Enable Capture Advanced Threat Protection.

Disabling Gateway Anti-Virus

You can disable the Gateway Anti-Virus (GAV) service by clearing its checkbox on the Security Services > Gateway Anti-Virus page. If you disable Gateway Anti-Virus while Capture ATP is enabled, a popup message is displayed warning you that Capture ATP will also be disabled.

Configuring Capture ATP

Topics
Settings
Dashboard
Scanning History
Submit Files

Settings

When Capture ATP is licensed, the Settings page shows the expiration date in the Capture ATP Status panel, and below that a checkbox to Enable Capture Advanced Threat Protection.

To enable Capture ATP:
1 On the firewall, go to the Capture ATP > Settings page.
2 Select the checkbox for Enable Capture Advanced Threat Protection.
3 (Optional) If you want files that are being analyzed to be blocked until the analysis is finished, select the checkbox for Block Until Verdict. The file is blocked until the Capture ATP analysis is finished, and the user sees a message stating that the file is blocked until the analysis is complete. When the Capture ATP analysis is finished, the file is either passed or blocked permanently. If the file is malicious, it is blocked permanently, and there is no way to recover that file. If it is benign, the file is released and passed through.
4 Under File Transfer Settings, in the Maximum size of files transferred field, enter the maximum file size (in kilobytes) that can be transferred. You can enter any number between 0 and the maximum size that is set by the License Manager. The maximum size set by the License Manager can be viewed on the Submit Files page. Entering a zero (0) indicates that the file size is unlimited, but this is not recommended.
5 Click Accept.

If Capture ATP is not enabled, the Capture ATP UI pages Dashboard, Scanning History, and Submit Files are not visible; instead they display a message with instructions to go to the Capture ATP > Settings page where you can enable it.
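The following is an added example, not SonicWall code: a small Python model of the file-handling flow described in the Overview and in the Settings steps above (GAV exclusion list and pre-filtering first, then the cloud sandbox, with Block Until Verdict deciding whether the file is held or passed while the verdict is pending). The setting names, the excluded network, and the behaviour for files above the configured maximum size are assumptions made for illustration.

```python
# Added example, not SonicWall code: a model of the Capture ATP file-handling
# flow this guide describes, making the order of the checks and the effect of
# Block Until Verdict explicit. Settings, field names and sample values are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CaptureSettings:
    gav_enabled: bool = True          # Security Services > Gateway Anti-Virus
    cloud_av_enabled: bool = True     # Enable Cloud Anti-Virus Database
    capture_enabled: bool = True      # Capture ATP > Settings
    block_until_verdict: bool = False
    max_file_kb: int = 10240          # 0 = unlimited (the guide advises against it)
    license_max_kb: int = 10240       # upper bound set by the License Manager
    excluded_nets: tuple = ("10.10.0.0/16",)   # Gateway AV Exclusion List (constructed)


@dataclass
class FileEvent:
    name: str
    size_kb: int
    src_ip: str
    gav_verdict: Optional[str]   # pre-filter result, or None if GAV cannot decide
    sandbox_verdict: str         # what the cloud sandbox would return


@dataclass
class Outcome:
    delivered: bool          # did the file reach the recipient?
    verdict: Optional[str]   # "benign", "malicious", or None if never judged
    decided_by: str          # "disabled", "excluded", "gav", "size" or "sandbox"
    in_history: bool         # listed on Capture ATP > Scanning History?


def validate_max_size(value_kb: int, license_max_kb: int) -> int:
    """Maximum size of files transferred: 0 up to the License Manager limit."""
    if not 0 <= value_kb <= license_max_kb:
        raise ValueError(f"value must be between 0 and {license_max_kb} KB")
    return value_kb


def process(ev: FileEvent, cfg: CaptureSettings, history: list) -> Outcome:
    # Capture ATP stops working if GAV or Cloud Anti-Virus is disabled.
    if not (cfg.gav_enabled and cfg.cloud_av_enabled and cfg.capture_enabled):
        return Outcome(True, None, "disabled", False)
    # The GAV exclusion list applies to both GAV and Capture ATP scanning.
    if any(ip_address(ev.src_ip) in ip_network(n) for n in cfg.excluded_nets):
        return Outcome(True, None, "excluded", False)
    # Pre-filtering: once GAV has a verdict, the sandboxes never see the file.
    if ev.gav_verdict is not None:
        return Outcome(ev.gav_verdict == "benign", ev.gav_verdict, "gav", False)
    # Assumption: a file above the configured maximum is not sent to the cloud.
    if cfg.max_file_kb and ev.size_kb > cfg.max_file_kb:
        return Outcome(True, None, "size", False)
    # Only files analyzed by the sandboxes appear on Scanning History.
    history.append(ev.name)
    if cfg.block_until_verdict:
        # Held until the last packet is analyzed; malware is blocked permanently.
        return Outcome(ev.sandbox_verdict == "benign", ev.sandbox_verdict, "sandbox", True)
    # Without Block Until Verdict the file passes while analysis runs, and the
    # scanning report is what you respond with if the verdict is malicious.
    return Outcome(True, ev.sandbox_verdict, "sandbox", True)
```

Running the same malicious sample through the model with Block Until Verdict off and on shows the difference the checkbox makes: the file is delivered (and reported afterwards) in the first case and never delivered in the second.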

Dashboard

To view the results of the Capture ATP analysis:
1 Go to the Capture ATP > Dashboard page. The Advanced Threat Protection Dashboard page appears.

The Dashboard displays the following charts:
Total Requests in Previous 30 days: This pie chart shows the total number of requests analyzed in the past 30 days, and what percentage of those files are Benign, Malicious, or Duplicated-Files.
Total File Analysis Results in Previous 30 days: This pie chart shows the total number of files analyzed in the past 30 days, and what percentage of those files are Static Benign, Static Malicious, Dynamic Benign, Dynamic Malicious, or Dynamic Failure.
Daily Requests for Previous 30 days: This graph shows the number of files analyzed each day over the past 30 days, and whether they are Benign, Malicious, or Duplicated-Files.
Daily Analysis Results in Previous 30 days: This graph shows the number of files analyzed each day over the past 30 days, and whether they are Static Benign, Static Malicious, Dynamic Benign, Dynamic Malicious, or Dynamic Failure.

Scanning History

To view the Scanning History:
1 Go to the Capture ATP > Scanning History page. A list of all the files that have been scanned and analyzed is displayed. At the bottom of this page, you can search for specific strings, and the page then lists only items that contain those strings.
2 To view the detailed results for a file, click the plus sign for that file. The details of the analysis results for that file are displayed.

The columns of the Scanning History page are as follows:
Result: The result of the analysis for this file, Benign or Malicious.
Serial Number: The serial number of the firewall to which the file was sent.
From IP: The IP address from which the file was sent.
To IP: The IP address to which the file was sent.
Submit Time: The time that the file was submitted for analysis.
File Type: The type of file that was analyzed, such as an executable file or a zip file.
File Size: The size of the file that was analyzed.
Status: The current status (success or failure) of the analysis of the file.

From the detailed results view, you can click scanning report to launch the scanning report for that file.

Submit Files

The Submit Files page enables you to browse for files and submit them for analysis. You can set the maximum file size that can be submitted on the Capture ATP > Settings page, under File Transfer Settings, in the Maximum size of files transferred field. You can enter any number between 0 and the maximum size that is set by the License Manager. The maximum size set by the License Manager can be viewed on the Submit Files page. Entering a zero (0) indicates that the file size is unlimited, but this is not recommended.

To submit a file to Capture ATP for analysis:
1 Go to the Capture ATP > Submit Files page.
2 Click Browse and navigate to the file you want to submit.
3 Click Upload.
4 Follow the prompts.
5 Verify that the file appears on the Scanning History page.

About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit http://www.software.dell.com.

Contacting Dell

For sales or other inquiries, visit http://software.dell.com/company/contact-us.aspx or call 1-949-754-8000.

Technical support resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to http://support.software.dell.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the Support Portal provides direct access to product support engineers through an online Service Request system. The Support Portal enables you to:
Create, update, and manage Service Requests (cases)
View Knowledge Base articles
Obtain product notifications
Download software. For trial software, go to http://software.dell.com/trials.
View how-to videos
Engage in community discussions
Chat with a support engineer

NOTE: Please DO NOT CONTACT SUPPORT about Beta software/firmware. For product functionality feedback and questions for Beta releases, send email to sandboxbeta@sonicwall.com.

Copyright 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell, the Dell logo, and SonicWALL are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Patents

For more information about applicable patents, go to http://software.dell.com/legal/patents.aspx.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Last updated: 6/13/2016 Beta Rev 05