SonicWall SMA 100 series: Capture ATP Integration

03/26/2020 6 People found this article helpful 471,837 Views

Description

SonicWall Capture Advanced Threat Protection(Capture ATP) service is a cloud-based multi-engine sandbox designed to discover and stop unknown, zero-day attacks such as Ransomware at the gateway with automated remediation. SMA 9.0 integrates SonicWall Capture ATP service to analyze the files uploaded through HTML5 File Shares (CIFS) before sending it to backend server.

Capture ATP is supported only on:

SMA 200
SMA 400
SMA 500v

NOTE: Capture ATP is license based service. On MySonicWall, while activating license or trial version, you may be asked to select the Data center. You can choose the nearest Data center to your region and click Submit.

Resolution

Overview:

The SonicWall Capture ATP service is available only from firmware 9.0.0.0-9sv and above. This service is applicable only for HTML5 File Shares (CIFS) bookmarks. This service helps to identify whether a file is malicious or not by transmitting the file to the Cloud real time where the Capture ATP cloud service analyzes the file to determine if it is malicious and it then sends the verdict to the SMA.

File Types: With Capture ATP, we can securely inspect the following file types:

Executables (PE, Mach-O and DMG)
PDF
Office 97-2003 (.doc, .xls, ...)
Office (.docx, .xlsx, ...)
Archives (.jar, .apk, .rar, .gz and .zip)

If a file type is not selected in the above list, it is not sent to the Capture ATP service for analysis.

File Size: We can send upto 10 megabytes of files to Capture ATP cloud for analysis. If the file size is lesser than configured value, the file is sent to Capture ATP cloud for analysis. If the file size is greater and if "Don't send the file to backed server if the file size exceed the size limitation" option is enabled, then the file is not sent to the backend server.

If the file size is greater and the option is disabled, then the file is sent to backend server.

File Blocking: Files will be blocked when Capture ATP cloud detects it as infected / malicious files. If there is a communication failure with Capture ATP service, we may choose to block upload of all files to be more secure.

Configuration:

We can enable / modify Capture ATP settings in three levels: Per user, Per group and Global. In this article, we will see how to configure Capture ATP at Global level (applies to all users by default).

1. Navigate to Users - Local Users - Edit Global Policies.

Go to Capture tab and set Enable Capture ATP service: Enabled. Configure File Type, File Size and custom blocking behavior as per your requirement.

NOTE: We can also enable Capture ATP from Capture ATP - Settings page, which is the same page with capture settings at global level.

The above global level settings are applied for every group if the Capture ATP for the individual groups is set to "Use Global Setting". In the same way, we can configure Capture ATP by editing any group / any user.

While adding a new user or group, the global Capture ATP setting is selected by default, this can be modified later.

How to test:

Once configured, login to portal and access HTML5 File share (CIFS) bookmark, try to upload a file.