Skip Navigation

Key features of
CylanceGATEWAY

Feature
Description
Work Mode
Users can enable and disable Work Mode. Work Mode protects your network and devices. When enabled, each network access attempt is evaluated against the access control list (ACL) rules and specified network protection settings that are configured for your environment. The ACL defines allowed and blocked destinations on private and public networks. If allowed, the network traffic is sent through a secure tunnel to the
CylanceGATEWAY
cloud services.
Safe Mode support for
macOS
and
Windows
You can enable Safe Mode for users. With Safe Mode,
CylanceGATEWAY
blocks apps and users from accessing potentially malicious destinations and enforces an acceptable use policy (AUP) by intercepting DNS requests. The
CylanceGATEWAY
cloud services evaluate each DNS query against the configured ACL rules and network protection settings (for example DNS Tunneling and Zero Day Detections such as Domain Generation Algorithm (DGA), Phishing, and Malware), and then instructs the agent to allow or block the request in real time. If allowed, the DNS request completes normally over the bearer network. Otherwise, the
CylanceGATEWAY
agent overrides the normal response to prevent access.
When enabled, Safe Mode will protect all DNS traffic that does not use the
CylanceGATEWAY
tunnel (for example, per-app tunnel access or split tunneling).
Start the agent or enable Work Mode automatically on
macOS
and
Windows
In the Gateway Service policy, you can force the
CylanceGATEWAY
agent on
macOS
or
Windows
devices to automatically run when users log in or to automatically enable Work Mode when the agent starts. Your policy settings can override the "Start
CylanceGATEWAY
when I sign in" and "Enable Work Mode automatically" settings in the agent, but users can still manually enable and disable Work Mode after the agent starts or close the agent.
Integrate with MDM solutions
You can connect
Cylance Endpoint Security
to
BlackBerry UEM
or
Microsoft Intune
so that
Cylance Endpoint Security
can verify whether
iOS
or
Android
devices are managed by
UEM
or
Intune
. You can specify whether devices must be
UEM
or
Intune
managed before they can use
CylanceGATEWAY
. For more information on network services, see Connecting
Cylance Endpoint Security
to MDM solutions to verify whether devices are managed
.
Per-app tunnel access on
macOS
and
iOS
On
macOS
and
iOS
devices under Mobile Device Management (MDM), you can designate which apps are allowed to use the
CylanceGATEWAY
Work Mode tunnel. You can use this to allow work use of bring-your-own-devices without extending the Work Mode access to all apps on a device.
Per-app tunnel support on
Windows
and
Android
On
Windows
and
Android
devices, you can specify or restrict which apps can use the
CylanceGATEWAY
tunnel.
Continuous evaluation of network destinations
BlackBerry
uses machine learning, IP reputation, and risk scoring to maintain an ever-evolving list of malicious Internet destinations.
CylanceGATEWAY
blocks devices from connecting to known and unknown phishing domains and associated IP and FQDN destinations, saving your organization the work of manually compiling and maintaining its own list.
Threat protection
CylanceGATEWAY
uses machine learning to continuously protect your organization's network from threats by continuously monitoring network connections for potential threats. When an anomaly is identified, it is subsequently blocked or alerted upon based on the risk level that is set in the network protection settings.
  • Endpoints are protected against newly emerging network threats and established malicious destinations. Identified anomalies (for example, zero day, phishing domains, and command and control (C2) beacons)
  • DNS tunneling anomalies are detected based on CylanceGateway's analysis on the DNS traffic from the client to the attacker's DNS server.
Evaluate the risk level of a network destination
You can use the management console to evaluate the risk level and identify the category and subcategory of network destinations as they would be analyzed and determined by the
CylanceGATEWAY
cloud services.
Multiple private network support
You can deploy multiple
CylanceGATEWAY Connectors
from one
Cylance Endpoint Security
tenant to allow access to more than one of your private networks (for example, segments, data centers, and VPCs) which are both in an on-premises and cloud environment. You can view the
CylanceGATEWAY Connectors
that are associated with each specified Connector Group. You can create a maximum of eight connector groups and assign a maximum of eight
CylanceGATEWAY Connector
s to each group.
Segmented private network access
You can install
CylanceGATEWAY Connectors
on-premises and on private cloud networks to provide network access to remote devices without changing network topology or routing, and without opening firewall holes for incoming traffic. Access through
CylanceGATEWAY
offers strong isolation; only the parts of the network you choose are exposed to endpoints, and endpoints are not exposed to the whole private network. The
CylanceGATEWAY Connector
can be deployed in an
AWS
,
vSphere
,
ESXi
,
Microsoft Entra ID
, or
Hyper-V
environment.
Monitor network access and traffic patterns
The
CylanceGATEWAY
dashboard in the management console displays multiple widgets that show connections, usage patterns, and alerts to help you monitor network traffic.
Specify network protection configurations
In the Network Protection screen, you can specify whether allowed network events (for example, Destination reputation and Signature detections) that are below the set minimum risk level are displayed as anomalies in the Network Events screen. If the allowed events are disabled, they are displayed as normal allowed traffic. Additionally, you can configure the SIEM solution or syslog support to only send blocked events. These features introduce more granular control over Network Protection and the SIEM solution or syslog and can help reduce alert fatigue.
Specify network protection settings to send to the Alerts view
In the Network Protection screen, you can specify the detections (for example, destination reputation, Signature detections, DNS Tunneling, and Zero Day) that you want to send to the Alerts view. Blocked and allowed ACL events are not shared to the Alerts view. This feature introduces more granular control over the alerts that are displayed in the Alerts view.
OS-specific ACL rules
You can create ACL rules and apply them to a specific OS. For example, you can allow access to some resources to only desktop devices (
macOS
and
Windows
).
One touch SaaS configuration
You can easily configure access to SaaS applications using the network services.
CylanceGATEWAY
streamlines SaaS app support and reduces the time required to enable SaaS app connectivity in the ACL rules that you configure for your environment. For more information on network services, see Define network services.
Content filtering
The ACL rules and the network protection settings that you configure for your environment filter the content and destinations that your users can access. This uses machine learning and ACL rules to ensure that users and devices comply with your organization's acceptable use and regulatory requirements. 
NAT Details reporting
You can filter events based on the tunnel IP address (BlackBerry source IP) to identify the tunnel IP address used by users to access external destinations.
The
CylanceGATEWAY Connector
provides additional information on UDP and TCP flows that flow through the tunnel to your private network after Network Address Translation (NAT) is applied (for example, Private NAT Source IP and Private Source Port). This allows you to identify the source IP address and the port number of an event that has been identified as potentially malicious or blocked and traverses your private network.
Web access firewall
CylanceGATEWAY
protects devices and your private networks by filtering, monitoring, and blocking traffic to potentially suspicious destinations.
CylanceGATEWAY
completes this by applying ACL rules that are configured for your environment and the network protection settings that you have specified. See the following for more information:
Support for IP-pinned services
Most SaaS applications allow source IP pinning to limit access only to connections from a specific range of trusted IP addresses. By limiting users to connections only through trusted entry points, organizations have an additional level of verification that the user is entitled to use the service. Your organization may already use this method to limit access to a SaaS application to connections from IP addresses used by devices connected to your organization's network. For users working remotely without using
CylanceGATEWAY
, this means that all traffic between remote devices and a SaaS application must travel over VPN to your network and then to the SaaS application.
CylanceGATEWAY
allows you to reserve
CylanceGATEWAY
IP addresses that are dedicated to your organization. You can use these IP addresses for source IP pinning in addition to your organization's IP addresses, providing the same level of security without requiring remote users to be connected to your organization's VPN.
Industry-leading tunnel technology
CylanceGATEWAY
provides advanced layer 3 encryption for IP tunnels carrying TCP, UDP, ICMP, and real-time, low-latency traffic.
Android
and
iOS
support
The
CylancePROTECT Mobile
app sends traffic through the tunnel to the
CylanceGATEWAY
cloud services and provides users with connection statistics, status information, and the ability to disable Work Mode and stop using
CylanceGATEWAY
for connections.
Windows 10
,
Windows
11, and
macOS
support
The
CylanceGATEWAY
agent that you install on devices sends traffic through the tunnel to the
CylanceGATEWAY
cloud services and provides users with connection statistics, status information, and the ability to disable Work Mode and stop using
CylanceGATEWAY
for connections.
Split tunneling
You can allow remote users to connect to safe public Internet sites directly over the Internet without tunneling through
CylanceGATEWAY
.
You can specify those destinations that must use the tunnel and the destinations that cannot use the tunnel.
When enabled, split DNS queries allow DNS lookups for the domains that are listed in the Private Network > DNS > Forward Lookup Zone configuration to be completed through the tunnel where network access controls are applied. All other DNS lookups are completed using your local DNS. If you enabled Safe Mode, DNS traffic that does not use the Gateway tunnel is protected by Safe Mode.
Android
and 64-bit
Chromebook
devices will use the tunnel where network access controls are applied.