Configure network protection settings

You can specify the detections that you want to enable and display on the Network Events screen, as well as the information that is sent to the SIEM solution or syslog server. You can also configure CylanceGATEWAY to display a message to users whenever CylanceGATEWAY blocks a connection to a potentially malicious destination. For information on the available risk levels, see Destination reputation risk threshold. When you configure network protection settings, CylanceGATEWAY will generate alerts that are displayed in the Alerts view. For more information, see Managing alerts across Cylance Endpoint Security services.

Verify that "Check access attempts against Network Protection" is selected for each ACL rule. For more information on ACLs, see Controlling network access.

  1. On the menu bar, click Settings > Network.
  2. Click the Network Protection tab.
  3. Do any of the following:

    Task: Specify the detections that you want to enable and whether to notify users when they are blocked due to detections.
    Steps:
    1. Click the Protect tab.
    2. If you want users to see a message when CylanceGATEWAY blocks a connection, select Display a blocked notification message on devices.
    3. In the Message field, type the message that you want to display to users.
    4. To turn on signature detection, select Enable signature detection.
      When enabled, alerts are generated for blocked signature detections and display in the Alerts view. When disabled, alerts are not generated. For more information, see Managing alerts across Cylance Endpoint Security services.
    5. To turn on destination reputation, select Enable destination reputation and select the minimum risk level of potentially malicious IP addresses and FQDNs to block.
      When enabled, alerts are generated and displayed in the Alerts view based on the risk level that you have set. For example, if you select the risk level of "Medium and higher", alerts that are medium or high risk will display in the Alerts view. When disabled, alerts that CylanceGATEWAY considers high risk will be generated and displayed in the Alerts view by default.

    Task: Specify and control the detections to display in the Network Events screen.
    If you enable Traffic privacy and the network access attempts match the ACL rule, the network access attempts are not displayed in the Network Events screen.
    Steps:
    1. Click the Report tab.
    2. To display the signature detections for network events that are allowed, enable Display allowed signature detection events. By default, signature detections that are blocked automatically are displayed in the Network Events screen.
    3. To display destination reputation detections for network events that are allowed, enable Display allowed destination reputation events and select the minimum risk level of potentially malicious IP addresses to display. If this option is disabled, signature events will be captured as normal allowed traffic.
    4. To display DNS tunneling detections, enable Display DNS tunneling detections and select the minimum risk level of potential threats based on analysis of the DNS traffic from the client to the DNS server. By default, the risk level is Medium.
    5. To display Zero Day detections, enable Display Zero Day detections and select the minimum risk level of newly identified malicious destinations that have not been identified previously. By default, the risk level is Medium.

    Task: Specify and control the detections to display in the Alerts view and to send to the SIEM solution or syslog server, if configured.
    If you enable Traffic privacy and the network access attempts match the ACL rule, the network access attempts are not sent to the SIEM solution or syslog server, if configured.
    Steps:
    1. Click the Share tab.
    2. To send allowed or blocked network events and alerts that have signature detections, enable Share signature detection events. When enabled, the blocked signature detections are displayed in the Alerts view and sent to the SIEM solution or syslog server, by default. Optionally, select Allowed events to send allowed events.
    3. To send network events and alerts that have destination reputation detections and were allowed based on the minimum risk level that you set or blocked, enable Share destination reputation events. When enabled, destination reputation events that are blocked are displayed in the Alerts view and sent to the SIEM solution or syslog server, by default. Optionally, select Allowed events to send allowed events.
    4. To send network events and alerts that have DNS tunneling detections based on the minimum risk level that you set, select Share DNS tunneling detections. By default, the risk level is Medium.
    5. To send network events and alerts that have Zero Day detections based on the minimum risk level that you set, select Share Zero Day detections. By default, the risk level is Medium.
    6. To send network events that are blocked by ACL rules, enable Share blocked ACL events. Blocked and allowed ACL events are not displayed in the Alerts view.

  4. Click Save.