How CylanceGATEWAY sends data using Work Mode

When your users try to access destinations on the private network or any public Internet destination, they are only able to access them if they are explicitly allowed to by the access control list (ACL) rules. Each network access attempt is evaluated against the ACL rules and specified network protection settings that are configured for your environment. If an ACL rule blocks a destination, CylanceGATEWAY blocks the connection and doesn't route the traffic. If an ACL rule allows users to access the private network or a public Internet destination, the connection is re-evaluated every five minutes and the ACL rules are reapplied. If a user's risk level has changed or the destination reputation has been updated since the access attempt was established, the connection might be disconnected. When an ACL rule allows users to access a destination, the connection might be subsequently blocked or alerted on based on identified anomalies and the risk level that is set for the network protection settings.
- If a user's upload or download volume has changed, CylanceGATEWAY raises an alert about the unusual traffic pattern, but does not block the user's traffic.
- If the user tries to access a destination that is on BlackBerry's list of unsafe Internet destinations or newly identified as malicious, and your network protection risk threshold is set to high, the user's access will be blocked.
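
The evaluation flow described above, as a simplified model added here for illustration; it is not BlackBerry's code or the product's rule schema. The rule fields, the numeric risk scale, first-match ordering and the `protection_blocks` flag are assumptions.

```python
import ipaddress
from dataclasses import dataclass

REEVAL_SECONDS = 5 * 60  # the page: allowed connections are re-evaluated every five minutes

@dataclass
class Rule:  # hypothetical rule shape, not the product's schema
    action: str         # "allow" or "block"
    network: str        # destination CIDR
    max_user_risk: int  # assumed scale 0=low, 1=medium, 2=high

@dataclass
class Context:  # state sampled at each evaluation (all fields are assumptions)
    user_risk: int
    dest_unsafe: bool = False       # destination is on the unsafe list
    volume_anomaly: bool = False    # unusual upload/download volume
    protection_blocks: bool = True  # stands in for the network protection risk threshold

def evaluate(rules, dest_ip, ctx):
    """Return (verdict, alerts); no matching allow rule means block."""
    alerts = ["unusual traffic volume"] if ctx.volume_anomaly else []  # alert only
    if ctx.dest_unsafe and ctx.protection_blocks:
        return "block", alerts + ["unsafe destination"]
    addr = ipaddress.ip_address(dest_ip)
    for rule in rules:  # assumption: first matching rule decides
        if addr in ipaddress.ip_network(rule.network):
            ok = rule.action == "allow" and ctx.user_risk <= rule.max_user_risk
            return ("allow" if ok else "block"), alerts
    return "block", alerts  # default deny

def timeline(rules, dest_ip, snapshots):
    """Evaluate the initial attempt, then each five-minute re-check, until blocked."""
    out = []
    for i, ctx in enumerate(snapshots):
        verdict, alerts = evaluate(rules, dest_ip, ctx)
        out.append((i * REEVAL_SECONDS, verdict, alerts))
        if verdict == "block":
            break  # connection is disconnected; later snapshots never apply
    return out

# Constructed sample policy and session
RULES = [Rule("block", "10.0.9.0/24", 2), Rule("allow", "10.0.0.0/16", 1)]
SESSION = [Context(0), Context(0, volume_anomaly=True), Context(2), Context(0)]

if __name__ == "__main__":
    for t, verdict, alerts in timeline(RULES, "10.0.1.5", SESSION):
        print(f"t={t:>4}s {verdict:5} {alerts}")
```

In the sample session the connection stays up through the volume alert at 300 seconds and is dropped at 600 seconds, when the user's risk level exceeds what the matching rule tolerates.
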
When CylanceGATEWAY is active on a device, CylanceGATEWAY routes network traffic in the following ways.

Destination | Action |
---|---|
Allowed destination on the private network | Users can access destinations on your private network only if they are explicitly allowed by the access control list (ACL) rules. ACL rules evaluate each network access attempt and, if a rule matches, allow access to the private network. All data between the device and your private network is encrypted using industry-leading tunnel technology and routed through secure tunnels from the CylancePROTECT Mobile app or CylanceGATEWAY agent to the BlackBerry Infrastructure and then from the BlackBerry Infrastructure to the CylanceGATEWAY Connector installed behind your firewall. |
Allowed Internet destination | Users can connect to any public Internet destination only if they are explicitly allowed by your ACL rules. ACL rules evaluate each network access attempt and, if a rule matches, allow access to the destination. Connections to public Internet destinations are routed through the secure tunnel between the CylancePROTECT Mobile app or CylanceGATEWAY Agent and the BlackBerry Infrastructure, and then CylanceGATEWAY routes the traffic to the destination. If you enable split tunneling, traffic to safe Internet destinations is routed directly to the destination rather than through the tunnel to CylanceGATEWAY. For example, you can choose to reduce the traffic sent through CylanceGATEWAY by allowing traffic to safe public sites to route directly to the destination. |
Allowed SaaS app | By default, connections to SaaS apps are routed in the same way as connections to other Internet destinations. If you enable source IP pinning, you can configure your SaaS app tenant to only accept connections from your organization's own IP addresses and CylanceGATEWAY. |
Blocked destination on the private network | Users can access destinations on your private network only if they are explicitly allowed by the ACL rules. If the destination is not allowed, CylanceGATEWAY blocks the connection and doesn't route the traffic to the CylanceGATEWAY Connector. When users attempt to access a destination and it is blocked by an ACL rule, the attempt and reason are displayed on the Warning screen in the user's CylanceGATEWAY agent. |
Blocked Internet destination | If a destination is explicitly blocked by your ACL rules or determined by BlackBerry to be a potentially malicious destination, CylanceGATEWAY will block the connection. When users attempt to access a destination and it is blocked by an ACL rule, the attempt and reason are displayed on the Warning screen in the user's CylanceGATEWAY agent. |