Capture Advanced Threat Protection Feature Overview

Description

SonicWall Capture ATP is a cloud sandbox service for detecting and blocking zero-day threats at the gateway.

SonicWall Capture ATP offers:

  • Multiple threat engines for better threat detection
  • Broad file type analysis and operating system (OS) support
  • All GAV protocols are supported
  • HTTPS is supported (requires DPI-SSL)
  • Block until Verdict option at the gateway
  • Rapid deployment of remediation signatures
  • Extensive reporting and alerts

NOTE: To utilize Capture ATP you must be running at least SonicOS Firmware version 6.2.6.x. This Firmware is only available on Generation 6 Appliances.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.




Capture Advanced Threat Protection (Capture ATP) Overview:

Capture ATP helps the SonicWall firewall determine whether a file is malicious by transmitting the file to the cloud, where the SonicWall Capture ATP cloud service analyzes it and returns the verdict to the firewall. This happens in real time while the file is being processed by the firewall. Capture ATP uses the UFTP protocol to transfer the file; UFTP stands for UDP (User Datagram Protocol) File Transfer Protocol.

The Capture ATP process, in which a SonicWall firewall communicates with the SonicWall Capture ATP cloud service, involves six major steps:

  1. The SonicWall firewall sends the file to the SonicWall Capture ATP cloud service.
  2. The Capture ATP cloud service saves the file in its repository.
  3. The Capture ATP cloud service reads and analyzes the file.
  4. The Capture ATP cloud service stores the results in its database.
  5. The Capture ATP cloud service retrieves the results from its database.
  6. The Capture ATP cloud service sends the results to the SonicWall firewall.

The firewall is located on the customer premises. The SonicWall Capture ATP cloud service and its database are located at a SonicWall facility.

The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.

Image 

With Capture ATP you get the ability to securely inspect, classify, and manage the following file types:

  • Executables (PE, Mach-O, and DMG)
  • PDF
  • Office 97-2003 (.doc, .xls, etc.)
  • Office (.docx, .xlsx, etc.)
  • Archives (.jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)

 Image

 NOTE: By default none of the checkboxes for file types is selected. Required file types must be manually selected.
 

The SonicWall firewall sends files using the Encrypted UDP File Transfer Protocol (UFTP)

UFTP Protocol benefits

  • Data Encryption of UDP traffic
  • Packet loss detection, correction and retransmissions
  • Can manage data duplication and unrecoverable errors
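The three reliability properties listed above are what any sequence-numbered UDP transfer has to provide. The toy below is an added example (not SonicWall's code and not the open-source UFTP implementation) that shows the mechanism end to end: the sender tags each chunk with a sequence number, total count and HMAC, the receiver builds a NAK list from the gaps, discards duplicates, treats a datagram with a bad tag as lost, and gives up cleanly after a bounded number of rounds. The datagram layout, the 8-byte tag, the channel model and the round limit are this example's own assumptions and say nothing about the real UFTP wire format.

```python
"""Added example, not SonicWall's or the UFTP project's code: a toy
sequence-numbered transfer over a simulated lossy UDP-style channel, showing
loss detection with retransmission, duplicate suppression, and a clean
failure on an unrecoverable error.  Datagram layout, HMAC tag and round
limit are this example's own assumptions."""
import hashlib
import hmac
import random
import struct

CHUNK = 16
KEY = b"constructed-session-key"  # a real transfer would derive this per session


def make_datagrams(payload: bytes):
    """Split payload into datagrams: 4-byte seq, 4-byte total, 8-byte HMAC tag, data."""
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)] or [b""]
    out = []
    for seq, data in enumerate(chunks):
        header = struct.pack("!II", seq, len(chunks))
        tag = hmac.new(KEY, header + data, hashlib.sha256).digest()[:8]
        out.append(header + tag + data)
    return out


def parse_datagram(dgram: bytes):
    """Check the tag and return (seq, total, data); ValueError on a corrupted datagram."""
    header, tag, data = dgram[:8], dgram[8:16], dgram[16:]
    expect = hmac.new(KEY, header + data, hashlib.sha256).digest()[:8]
    if len(header) < 8 or not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag")
    seq, total = struct.unpack("!II", header)
    return seq, total, data


class LossyChannel:
    """Simulation only: drops, corrupts or duplicates datagrams at the given rates."""

    def __init__(self, drop=0.3, corrupt=0.1, dup=0.2, seed=7):
        self.rng = random.Random(seed)
        self.drop, self.corrupt, self.dup = drop, corrupt, dup

    def send(self, dgrams):
        delivered = []
        for d in dgrams:
            if self.rng.random() < self.drop:
                continue
            if self.rng.random() < self.corrupt:
                d = d[:-1] + bytes([d[-1] ^ 0xFF])  # flip the last byte
            delivered.append(d)
            if self.rng.random() < self.dup:
                delivered.append(d)  # the receiver must discard this copy
        return delivered


def transfer(payload: bytes, channel: LossyChannel, max_rounds: int = 20):
    """NAK-driven transfer.  Returns (reassembled, rounds, duplicates, corrupted);
    raises RuntimeError if chunks are still missing after max_rounds."""
    dgrams = make_datagrams(payload)
    received, total = {}, None
    dups = corrupted = 0
    outstanding = list(range(len(dgrams)))  # first round sends everything
    for rounds in range(1, max_rounds + 1):
        for raw in channel.send([dgrams[i] for i in outstanding]):
            try:
                seq, total, data = parse_datagram(raw)
            except ValueError:
                corrupted += 1  # treated like a loss: it stays in the NAK list
                continue
            if seq in received:
                dups += 1  # duplicate suppression
                continue
            received[seq] = data
        if total is not None:
            # The receiver's NAK list: every seq below the announced total not yet seen.
            outstanding = [i for i in range(total) if i not in received]
        if not outstanding:
            return b"".join(received[i] for i in range(total)), rounds, dups, corrupted
    raise RuntimeError(f"unrecoverable: {len(outstanding)} chunk(s) missing after {max_rounds} rounds")


if __name__ == "__main__":
    sample = b"Capture ATP sample payload, chunked and sent over a lossy channel." * 2
    data, rounds, dups, bad = transfer(sample, LossyChannel())
    print(f"ok={data == sample} rounds={rounds} duplicates={dups} corrupted={bad}")
```

Running the script with the default channel settings reproduces the same loss pattern every time because the channel is seeded; change `seed`, `drop` or `corrupt` to see the NAK list grow, and set `drop=1.0` to watch the transfer end in the unrecoverable-error path instead of looping forever.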


SonicWall Capture ATP supports all Gateway Anti-Virus (GAV) protocols

  • HTTP
  • HTTPS (requires DPI-SSL)
  • FTP
  • SMTP
  • POP
  • IMAP
  • CIFS/NetBIOS
  • TCP


SonicWall Capture ATP's File Blocking Behavior

Two options are available:

Allow all files (this is the default option)

  • The Allow all files option is less secure: the file is delivered before the verdict is known, and you receive an alert if it is later determined to be malicious after it has already been allowed onto your network.

Block all files until a verdict is returned

  • This option is more secure, but it can slow down the download of some legitimate files and may require users to retry the download.
  • This option only applies to HTTP and HTTPS file downloads; files transferred over the other supported protocols are not held for a verdict.
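Two details from the file-type list and the blocking options above bite in practice: on SonicOS 7.x no file-type checkbox is selected by default, so a freshly enabled Capture ATP submits nothing, and Block until Verdict only holds HTTP/HTTPS downloads (HTTPS only when DPI-SSL is on). The script below is an added example, not SonicWall code, that makes both visible: it recognises the five file-type categories from constructed sample files and then runs them through a small policy object that answers "would this be submitted?" and "would the download be held?". The magic-byte table, the zip and DMG probing and the `CaptureAtpPolicy` class are this example's own assumptions about how to recognise those categories, not the firewall's implementation.

```python
"""Added example, not SonicWall code: which files a Capture ATP policy would
actually submit to the cloud sandbox, and whether the download would be held.
The five categories mirror the file-type checkboxes described on the page; the
magic-byte table, zip/DMG probing and policy object are this example's own
assumptions, not the firewall's implementation."""
import io
import zipfile
from dataclasses import dataclass, field

# Leading magic bytes -> Capture ATP file-type category (assumed mapping).
_MAGIC = [
    (b"MZ", "Executables"),                          # PE (Windows)
    (b"\xfe\xed\xfa\xce", "Executables"),            # Mach-O 32-bit, big-endian
    (b"\xfe\xed\xfa\xcf", "Executables"),            # Mach-O 64-bit, big-endian
    (b"\xce\xfa\xed\xfe", "Executables"),            # Mach-O 32-bit, little-endian
    (b"\xcf\xfa\xed\xfe", "Executables"),            # Mach-O 64-bit, little-endian
    (b"%PDF-", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Office 97-2003"),  # OLE2 compound file (.doc/.xls)
    (b"Rar!\x1a\x07", "Archives"),
    (b"BZh", "Archives"),                            # bzip2
    (b"7z\xbc\xaf\x27\x1c", "Archives"),
    (b"\xfd7zXZ\x00", "Archives"),                   # xz
    (b"\x1f\x8b", "Archives"),                       # gzip
]


def classify(data: bytes):
    """Return the Capture ATP category a file would fall under, or None if it is
    not one of the inspectable types."""
    for magic, category in _MAGIC:
        if data.startswith(magic):
            return category
    if data.startswith(b"PK\x03\x04"):
        # .docx/.xlsx, .jar, .apk and .zip all share the zip container; OOXML
        # documents are told apart by their mandatory [Content_Types].xml entry.
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "Archives"  # corrupt or truncated container: still archive-shaped
        return "Office" if "[Content_Types].xml" in names else "Archives"
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "Executables"  # UDIF disk image (DMG) is recognised by its 512-byte trailer
    return None


@dataclass
class CaptureAtpPolicy:
    """Subset of the settings discussed on the page (example object, not a SonicOS API)."""
    enabled_types: set = field(default_factory=set)  # SonicOS 7.x default: no boxes ticked
    block_until_verdict: bool = False                # default: Allow all files
    dpi_ssl: bool = False                            # HTTPS is only visible with DPI-SSL

    def decide(self, data: bytes, protocol: str) -> dict:
        protocol = protocol.upper()
        category = classify(data)
        visible = protocol != "HTTPS" or self.dpi_ssl
        submit = visible and category is not None and category in self.enabled_types
        # Block until Verdict holds HTTP/HTTPS downloads only; other protocols are not held.
        hold = submit and self.block_until_verdict and protocol in ("HTTP", "HTTPS")
        return {"category": category, "submit": submit, "hold": hold}


def _zip_with(names):
    """Build a small in-memory zip container with the given entry names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "x")
    return buf.getvalue()


# Constructed sample files: just enough bytes to carry the signature.
SAMPLES = {
    "pe.exe":   b"MZ\x90\x00" + b"\x00" * 60,
    "doc.pdf":  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "old.doc":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "new.docx": _zip_with(["[Content_Types].xml", "word/document.xml"]),
    "app.jar":  _zip_with(["META-INF/MANIFEST.MF", "Main.class"]),
    "img.dmg":  b"\x00" * 100 + b"koly" + b"\x00" * 508,
    "note.txt": b"plain text is not inspected\n",
}

ALL_TYPES = {"Executables", "PDF", "Office 97-2003", "Office", "Archives"}

if __name__ == "__main__":
    default = CaptureAtpPolicy()
    hardened = CaptureAtpPolicy(enabled_types=set(ALL_TYPES), block_until_verdict=True, dpi_ssl=True)
    for name, data in SAMPLES.items():
        print(f"{name:9} default(HTTP)={default.decide(data, 'HTTP')}  "
              f"hardened(HTTPS)={hardened.decide(data, 'HTTPS')}")
```

With the default policy every sample comes back `submit: False`, which is the point of the NOTE above about the unchecked boxes; with all five types enabled and Block until Verdict on, the same executable is held on HTTP and HTTPS (DPI-SSL on) but passes straight through on SMTP, where the verdict can only ever arrive after delivery.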


You can also upload files directly to SonicWall Capture Cloud Services

Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall user interface:

  1. Navigate to Policy | Capture ATP | Scanning History and click Submit a Sample to open the Submit a Sample dialog box.
  2. Browse to and select a file, then click Upload to send it.

Files can also be uploaded from the Home | Dashboard | Capture ATP page by clicking Submit a Sample.

Image

Capture ATP reports and alerts

  • Navigate to Home | Dashboard | Capture ATP.
  • Track files scanned in the last 30 days.
    Image

  • Detailed list of scanned files.
  • Navigate to Policy | Capture ATP | Scanning History.
  • The following shows an example list of files scanned.
     EXAMPLE: If a scanned file is reported as Malicious, it is highlighted in RED.
     
    Image

  • Click on a scanned file for details:
     EXAMPLE: Clicking on a file that was reported as malicious.

    Image


     EXAMPLE:  For a file that was not reported as malicious.
    Image


Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.




Capture Advanced Threat Protection (Capture ATP) Overview:

Capture ATP helps the SonicWall firewall determine whether a file is malicious by transmitting the file to the cloud, where the SonicWall Capture ATP cloud service analyzes it and returns the verdict to the firewall. This happens in real time while the file is being processed by the firewall. Capture ATP uses the UFTP protocol to transfer the file; UFTP stands for UDP (User Datagram Protocol) File Transfer Protocol.

The Capture ATP process, in which a SonicWall firewall communicates with the SonicWall Capture ATP cloud service, involves six major steps:

  1. The SonicWall firewall sends the file to the SonicWall Capture ATP cloud service.
  2. The Capture ATP cloud service saves the file in its repository.
  3. The Capture ATP cloud service reads and analyzes the file.
  4. The Capture ATP cloud service stores the results in its database.
  5. The Capture ATP cloud service retrieves the results from its database.
  6. The Capture ATP cloud service sends the results to the SonicWall firewall.

The firewall is located on the customer premises. The SonicWall Capture ATP cloud service and its database are located at a SonicWall facility.

The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.

Image


With Capture ATP you get the ability to securely inspect, classify, and manage the following file types:

  • Executables (PE, Mach-O, and DMG)
  • PDF
  • Office 97-2003 (.doc, .xls, etc.)
  • Office (.docx, .xlsx, etc.)
  • Archives (.jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)


Image

NOTE: By default only the checkbox for Executables is selected, other file types must be manually selected.

The SonicWall firewall sends files using the Encrypted UDP File Transfer Protocol (UFTP)

UFTP Protocol benefits

  • Data Encryption of UDP traffic
  • Packet loss detection, correction and retransmissions
  • Can manage data duplication and unrecoverable errors


SonicWall Capture ATP supports all Gateway Anti-Virus (GAV) protocols

  • HTTP
  • HTTPS (requires DPI-SSL)
  • FTP
  • SMTP
  • POP
  • IMAP
  • CIFS/NetBIOS
  • TCP


SonicWall Capture ATP's File Blocking Behavior

Two options are available:

Allow all files (this is the default option)

  • The Allow all files option is less secure: the file is delivered before the verdict is known, and you receive an alert if it is later determined to be malicious after it has already been allowed onto your network.

Block all files until a verdict is returned

  • This option is more secure, but it can slow down the download of some legitimate files and may require users to retry the download.
  • This option only applies to HTTP and HTTPS file downloads; files transferred over the other supported protocols are not held for a verdict.


You can also upload files directly to SonicWall Capture Cloud Services

Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall user interface:

  1. Navigate to Monitor | Event Summaries | Capture ATP and click Upload to open the Upload a file to be scanned dialog box.
  2. Browse to and select a file, then click Upload to send it.


Image


Capture ATP reports and alerts

  • Navigate to Monitor | Event Summaries | Capture ATP
  • Tracks files scanned in the last 30 days.
    Image
  • Detailed list of scanned files.
  • The following shows an example list of files scanned.
    EXAMPLE: If a scanned file is reported as Malicious, it is highlighted in RED.

    Image
  • Click on a scanned file for details:
    EXAMPLE: Clicking on a file that was reported as malicious.
    Image

    EXAMPLE: For a file that was not reported as malicious.
    Image




Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls we suggest upgrading to the latest general release of SonicOS 6.5 firmware.




Capture Advanced Threat Protection (Capture ATP) Overview:

Capture ATP helps the SonicWall firewall determine whether a file is malicious by transmitting the file to the cloud, where the SonicWall Capture ATP cloud service analyzes it and returns the verdict to the firewall. This happens in real time while the file is being processed by the firewall. Capture ATP uses the UFTP protocol to transfer the file; UFTP stands for UDP (User Datagram Protocol) File Transfer Protocol.

The Capture ATP process, in which a SonicWall firewall communicates with the SonicWall Capture ATP cloud service, involves six major steps:

  1. The SonicWall firewall sends the file to the SonicWall Capture ATP cloud service.
  2. The Capture ATP cloud service saves the file in its repository.
  3. The Capture ATP cloud service reads and analyzes the file.
  4. The Capture ATP cloud service stores the results in its database.
  5. The Capture ATP cloud service retrieves the results from its database.
  6. The Capture ATP cloud service sends the results to the SonicWall firewall.

The firewall is located on the customer premises. The SonicWall Capture ATP cloud service and its database are located at a SonicWall facility.

The FQDN of the SonicWall Capture ATP cloud services is resolved by the SonicWall firewall periodically. This FQDN is also resolved anytime it is changed by the License Manager.

Image 

With Capture ATP you get the ability to securely inspect, classify, and manage the following file types:

  • Executables (PE, Mach-O, and DMG)
  • PDF
  • Office 97-2003 file types (.doc, .xls, ...)
  • Office (.docx, .xlsx, ...)
  • Archives (.jar, .apk, .rar, .gz, and .zip)
    Image


NOTE: By default only the checkbox for Executables is selected, other file types must be manually selected.
 

The SonicWall firewall sends files using the Encrypted UDP File Transfer Protocol (UFTP)

UFTP Protocol benefits

  • Data Encryption of UDP traffic
  • Packet loss detection, correction and retransmissions
  • Can manage data duplication and unrecoverable errors


SonicWall Capture ATP supports all Gateway Anti-Virus (GAV) protocols

  • HTTP
  • HTTPS (requires DPI-SSL)
  • FTP
  • SMTP
  • POP
  • IMAP
  • CIFS/NetBIOS
  • TCP


SonicWall Capture ATP's File Blocking Behavior

Two options are available:

Allow all files (this is the default option)

  • The Allow all files option is less secure: the file is delivered before the verdict is known, and you receive an alert if it is later determined to be malicious after it has already been allowed onto your network.

Block all files until a verdict is returned

  • This option is more secure, but it can slow down the download of some legitimate files and may require users to retry the download.
  • This option only applies to HTTP and HTTPS file downloads; files transferred over the other supported protocols are not held for a verdict.


You can also upload files directly to SonicWall Capture Cloud Services

Files can be uploaded to SonicWall Capture Cloud Services via the SonicWall user interface:

  1. Navigate to the Capture ATP | Status page and click Upload to open the Upload a file to be scanned dialog box.
  2. Browse to and select a file, then click Upload to send it.
    Image



Capture ATP reports and alerts

  • Navigate to Capture ATP | Status.
  • Tracks files scanned in the last 30 days.
    Image

  • Detailed list of scanned files.
  • The following shows an example list of files scanned.
    EXAMPLE: If a scanned file is reported as Malicious, it is highlighted in RED.
    Image 

  • Click on a scanned file for details:
    EXAMPLE: Clicking on a file that was reported as malicious.
    Image

    EXAMPLE:  For a file that was not reported as malicious.
    Image

Related Articles

  • SonicWall UTM throws an error : " Invalid Authentication " Error: SN and EPAID Do Not Match
  • Firewall logs show frequent probe status changes after upgrade
  • SSO Agent 4.0: Installation, Configurations, and troubleshooting