How CylanceGATEWAY routes data
When your users try to access destinations on the private network or any public Internet destination, they are only able to access them if they are explicitly allowed to by the access control list (ACL) rules. Each network access attempt is evaluated against the ACL rules and specified network protection settings that are configured for your environment. If an ACL rule blocks a destination, CylanceGATEWAY blocks the connection and doesn't route the traffic. If an ACL rule allows users to access the private network or a public Internet destination, the connection is re-evaluated every five minutes and the ACL rules are reapplied. If a user's risk level has changed or the destination reputation has been updated since the access attempt was established, the connection might be disconnected. When an ACL rule allows users to access a destination, the connection might be subsequently blocked or alerted on based on identified anomalies and the risk level that is set for the network protection settings.
- If a user's upload or download volume has changed, CylanceGATEWAY raises an alert about the unusual traffic pattern, but does not block the user's traffic.
- If the user tries to access a destination that is on BlackBerry's list of unsafe Internet destinations or newly identified as malicious, and your network protection risk threshold is set to high, the user's access will be blocked.
When CylanceGATEWAY is active on a device, CylanceGATEWAY routes network traffic in the following ways.
Allowed destination on the private network
Users can access destinations on your private network only if they are explicitly allowed by the access control list (ACL) rules. ACL rules evaluate each network access attempt, and if a rule matches, it allows access to the private network.
All data between the device and your private network is encrypted using industry-leading tunnel technology and routed through secure tunnels from the CylancePROTECT Mobile app or CylanceGATEWAY agent to the BlackBerry Infrastructure and then from the BlackBerry Infrastructure to the CylanceGATEWAY Connector installed behind your firewall.
Allowed Internet destination
Users can connect to any public Internet destination only if they are explicitly allowed by your ACL rules. ACL rules evaluate each network access attempt, and if a rule matches, it allows access to the destination.
Connections to public Internet destinations are routed through the secure tunnel between the CylancePROTECT Mobile app or CylanceGATEWAY agent and the BlackBerry Infrastructure, and then CylanceGATEWAY routes the traffic to the destination.
If you enable split tunneling, traffic to safe Internet destinations is routed directly to the destination rather than through the tunnel to CylanceGATEWAY. For example, you can choose to reduce the traffic sent through CylanceGATEWAY by allowing traffic to safe public sites to route directly to the destination.
Allowed SaaS app
By default, connections to SaaS apps are routed in the same way as connections to other Internet destinations.
If you enable source IP pinning, you can configure your SaaS app tenant to only accept connections from your organization's own IP addresses and
Blocked destination on the private network
Users can access destinations on your private network only if they are explicitly allowed by the ACL rules. If the destination is not allowed, CylanceGATEWAY blocks the connection and doesn't route the traffic to the CylanceGATEWAY Connector. When users attempt to access a destination and it is blocked by an ACL rule, the attempt and reason are displayed on the Warning screen in the user's CylanceGATEWAY agent.
Blocked Internet destination
If a destination is explicitly blocked by your ACL rules or determined by BlackBerry to be a potentially malicious destination, CylanceGATEWAY will block the connection. When users attempt to access a destination and it is blocked by an ACL rule, the attempt and reason are displayed on the Warning screen in the user's
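
The routing outcomes described on this page, modelled as an added Python example that is not BlackBerry's code or API. The rule format, first-match ordering, the treatment of any destination in `malicious` as blocked by the configured network protection settings, and every name and address below are assumptions made for illustration.

```python
# Simplified model of the routing outcomes on this page. Not CylanceGATEWAY code:
# the rule format, first-match ordering and all names are assumptions.
import ipaddress
from fnmatch import fnmatch

BLOCK, CONNECTOR, INTERNET, DIRECT = "block", "connector", "internet", "direct"

# Constructed sample configuration (hypothetical values).
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RULES = [("block", "10.1.99.0/24"),      # (action, CIDR or host-name glob)
         ("allow", "10.1.0.0/16"),
         ("allow", "*.example.com")]

def _ip(dest):
    try:
        return ipaddress.ip_address(dest)
    except ValueError:
        return None                      # dest is a host name

def _matches(target, dest):
    addr = _ip(dest)
    try:
        net = ipaddress.ip_network(target)
    except ValueError:                   # target is a glob, not a CIDR
        return addr is None and fnmatch(dest.lower(), target.lower())
    return addr is not None and addr in net

def route(dest, rules=RULES, malicious=(), split_safe=()):
    """Return where traffic to dest goes; anything not explicitly allowed is blocked."""
    action = next((a for a, t in rules if _matches(t, dest)), "block")
    if action != "allow" or dest in malicious:
        return BLOCK                     # connection is blocked and not routed
    addr = _ip(dest)
    if addr is not None and any(addr in net for net in PRIVATE_NETS):
        return CONNECTOR                 # tunnel -> BlackBerry Infrastructure -> Connector
    if dest in split_safe:
        return DIRECT                    # split tunneling: straight to the destination
    return INTERNET                      # tunnel -> BlackBerry Infrastructure -> destination

def reevaluate(active, rules=RULES, malicious=(), split_safe=()):
    """Periodic re-check (every five minutes per the page): connections to drop."""
    return [d for d in active if route(d, rules, malicious, split_safe) == BLOCK]

if __name__ == "__main__":
    for d in ("10.1.2.3", "10.1.99.7", "10.9.9.9", "app.example.com", "other.test"):
        print(f"{d:18} {route(d)}")
    print(reevaluate(["10.1.2.3", "app.example.com"], malicious={"app.example.com"}))
```

The `reevaluate` call shows the case the page warns about: a connection that was allowed when it was established is dropped once the destination's reputation changes.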