How CylanceGATEWAY routes data

When your users try to access a destination on the private network or any public Internet destination, they can access it only if the access control list (ACL) rules explicitly allow it. Each network access attempt is evaluated against the ACL rules and the network protection settings that are configured for your environment. If an ACL rule blocks a destination, CylanceGATEWAY blocks the connection and doesn't route the traffic. If an ACL rule allows users to access the private network or a public Internet destination, the connection is re-evaluated every five minutes and the ACL rules are reapplied. If a user's risk level has changed or the destination reputation has been updated since the connection was established, the connection might be disconnected. When an ACL rule allows users to access a destination, the connection might subsequently be blocked or trigger an alert based on identified anomalies and the risk level that is set in the network protection settings.
  • If a user's upload or download volume has changed, CylanceGATEWAY generates an alert about the unusual traffic pattern, but does not block the user's traffic.
  • If the user tries to access a destination that is on BlackBerry's list of unsafe Internet destinations or is newly identified as malicious, and your network protection risk threshold is set to high, the user's access will be blocked.
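The five-minute re-evaluation described above, as an added model that is not BlackBerry code: it replays one connection against default-deny rules and reports when a change in user risk or destination reputation drops it. The rule shape, first-match ordering, the 0-2 risk scale, ticks counted from connection open, and treating "might be disconnected" as "is disconnected" are all assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

REEVAL_SECONDS = 5 * 60  # page: allowed connections are re-evaluated every five minutes

@dataclass(frozen=True)
class Rule:              # hypothetical rule shape, not the product's schema
    action: str          # "allow" or "block"
    dest: str            # glob matched against the destination host
    max_risk: int = 2    # rule matches only while user risk <= this (assumed 0-2 scale)

def evaluate(rules, dest, risk, flagged):
    """Return "allow" only when a rule explicitly allows the destination (default deny)."""
    if dest in flagged:                  # stands in for the network protection settings
        return "block"
    for rule in rules:                   # first match wins (assumption)
        if fnmatch(dest, rule.dest) and risk <= rule.max_risk:
            return rule.action
    return "block"

def replay(rules, dest, events, duration):
    """Replay one connection opened at t=0 for `duration` seconds.

    events: constructed (t_seconds, kind, value) tuples; kind is "risk" or "flag".
    Returns (allowed_at_open, dropped_at, exposure_seconds).
    """
    risk, flagged, first_bad = 0, set(), None
    pending = sorted(events)

    def apply_until(t):
        nonlocal risk, first_bad
        while pending and pending[0][0] <= t:
            when, kind, value = pending.pop(0)
            if kind == "risk":
                risk = value
            else:
                flagged.add(value)
            if evaluate(rules, dest, risk, flagged) == "allow":
                first_bad = None         # change was harmless or has been reverted
            elif first_bad is None:
                first_bad = when         # first moment the policy would say "block"

    apply_until(0)
    if evaluate(rules, dest, risk, flagged) == "block":
        return (False, None, 0)          # never routed
    for tick in range(REEVAL_SECONDS, duration + 1, REEVAL_SECONDS):
        apply_until(tick)
        if evaluate(rules, dest, risk, flagged) == "block":
            return (True, tick, tick - first_bad)
    return (True, None, 0)
```

Under this model an established connection can outlive a disqualifying change by up to one re-evaluation interval, which is the window to account for when relying on risk-based disconnection.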
When CylanceGATEWAY is active on a device, CylanceGATEWAY routes network traffic in the following ways.
| Destination | Action |
| --- | --- |
| Allowed destination on the private network | Users can access destinations on your private network only if they are explicitly allowed by the access control list (ACL) rules. The ACL rules evaluate each network access attempt and, if a rule matches, allow access to the private network. All data between the device and your private network is encrypted using industry-leading tunnel technology and routed through secure tunnels from the CylancePROTECT Mobile app or CylanceGATEWAY agent to the BlackBerry Infrastructure and then from the BlackBerry Infrastructure to the CylanceGATEWAY Connector installed behind your firewall. |
| Allowed Internet destination | Users can connect to any public Internet destination only if they are explicitly allowed by your ACL rules. The ACL rules evaluate each network access attempt and, if a rule matches, allow access to the destination. Connections to public Internet destinations are routed through the secure tunnel between the CylancePROTECT Mobile app or CylanceGATEWAY agent and the BlackBerry Infrastructure, and then CylanceGATEWAY routes the traffic to the destination. If you enable split tunneling, traffic to safe Internet destinations is routed directly to the destination rather than through the tunnel to CylanceGATEWAY. For example, you can choose to reduce the traffic sent through CylanceGATEWAY by allowing traffic to safe public sites to route directly to the destination. |
| Allowed SaaS app | By default, connections to SaaS apps are routed in the same way as connections to other Internet destinations. If you enable source IP pinning, you can configure your SaaS app tenant to only accept connections from your organization's own IP addresses and CylanceGATEWAY. |
| Blocked destination on the private network | Users can access destinations on your private network only if they are explicitly allowed by the ACL rules. If the destination is not allowed, CylanceGATEWAY blocks the connection and doesn't route the traffic to the CylanceGATEWAY Connector. When users attempt to access a destination and it is blocked by an ACL rule, the attempt and the reason are displayed on the Warning screen in the user's CylanceGATEWAY agent. |
| Blocked Internet destination | If a destination is explicitly blocked by your ACL rules or determined by BlackBerry to be a potentially malicious destination, CylanceGATEWAY will block the connection. When users attempt to access a destination and it is blocked by an ACL rule, the attempt and the reason are displayed on the Warning screen in the user's CylanceGATEWAY agent. |