Configuring network protection

You can configure how CylanceGATEWAY detects and reacts to threats in various ways. When you configure your access control list (ACL) rules to allow access to destinations, CylanceGATEWAY can still block the user from accessing the destination if a potential threat is identified. To enable the additional network protection, ensure that each ACL rule also has the "Check addresses against network protection" parameter selected. This setting is enabled by default.
  • Intrusion protection: You can use intrusion protection to enable deep network threat detection using the network connection’s signatures. When intrusion protection is enabled, CylanceGATEWAY automatically blocks connections where threats are detected if the ACL rule matches the destination and checks the network protection. When intrusion protection is disabled, threats are logged but the connection is not blocked. For a list of anomalies and their actions, see Viewing network activity. Intrusion protection is enabled by default.
  • Destination protection: You can use destination reputation to block potentially malicious IP addresses and FQDNs that match the risk level that you specify (low, medium, or high). When enabled, the default risk level is high. CylanceGATEWAY logs and automatically blocks connections to the destinations that match the set risk level when the destination matches the ACL rule and checks the network protection. When destination protection is disabled, threats are logged but the connection is not blocked. For a list of anomalies and their actions, see Viewing network activity. Destination reputation is disabled by default.
    Risk levels use a combination of machine learning (ML) models and a static IP reputation database to determine if a destination might contain potential threats.
    • ML models: The ML models assign a confidence level to destinations that your users might access. ML models continuously learn whether a destination might contain potential threats.
    • IP reputation databases: The IP reputation database provides a confidence level to IP addresses from open and commercial IP reputation feeds. CylanceGATEWAY references the reputation feeds to determine the risk level of an IP address. CylanceGATEWAY considers the number of vendors that have convicted a specific destination and the dependability of the sources before it assigns a risk level (for example, if the majority of sources and IP reputation engines identify a destination to contain potential threats, CylanceGATEWAY will assign the destination a risk level of high). For more information on the risk levels, see Destination reputation risk threshold.
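
The following added example (not BlackBerry code and not a product API) models how the ACL parameter, intrusion protection, and destination reputation described above combine into a block, log-only, or allow outcome. The class and field names and the sample connections are constructed for illustration. It assumes that the risk level acts as a threshold (the configured level and above) and that a rated destination below the threshold is only logged.

```python
from dataclasses import dataclass
from typing import Optional

RISK = {"low": 1, "medium": 2, "high": 3}

@dataclass
class AclRule:
    action: str = "allow"                   # "allow" or "block"
    check_network_protection: bool = True   # selected by default

@dataclass
class Protection:
    intrusion_protection: bool = True       # enabled by default
    destination_reputation: bool = False    # disabled by default
    risk_level: str = "high"                # default level once enabled

@dataclass
class Connection:                           # constructed input, not a product log format
    signature_threat: bool = False          # an intrusion signature matched
    destination_risk: Optional[str] = None  # rated risk of the IP/FQDN, if any

def evaluate(rule: AclRule, prot: Protection, conn: Connection):
    """Return (verdict, reasons); verdict is 'block', 'log_only' or 'allow'."""
    if rule.action != "allow":
        return "block", ["ACL rule denies the destination"]
    if not rule.check_network_protection:
        # Without the ACL parameter, the extra protection is not applied.
        return "allow", ["ACL rule does not check network protection"]
    blocked, logged = [], []
    if conn.signature_threat:
        (blocked if prot.intrusion_protection else logged).append("intrusion signature")
    if conn.destination_risk is not None:
        # Assumption: the level is a threshold (configured level and above).
        over = RISK[conn.destination_risk] >= RISK[prot.risk_level]
        # Assumption: a rated destination below the threshold is log-only.
        enforce = prot.destination_reputation and over
        (blocked if enforce else logged).append(
            f"destination risk {conn.destination_risk}")
    if blocked:
        return "block", blocked
    return ("log_only", logged) if logged else ("allow", [])

if __name__ == "__main__":
    risky = Connection(signature_threat=True, destination_risk="high")
    for prot in (Protection(), Protection(False, True, "medium")):
        print(prot, evaluate(AclRule(), prot, risky))
```

With the defaults, a high-risk destination is only logged because destination reputation is disabled, and an ACL rule without the network protection parameter is allowed regardless of either setting.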