04-30-2024 01:57 PM
Hello,
We're currently using Threat Prevention (TP), which is performing well. We've caught dozens of threats and are satisfied with its effectiveness.
I'm now exploring Advanced Threat Protection (ATP) and, to be honest, I'm struggling to make a clear decision about purchasing it. They mention it incorporates inline cloud analysis, which sounds great, but I'm unclear about the specific actions it takes. For instance, if I host a website behind the on-premise NGFW and apply inline cloud analysis to the incoming policy rule, will every HTTP request body be sent for cloud analysis? This could potentially create a bottleneck and cause latency for users. When does it decide to use the local TP algorithm or the cloud one?
From my perspective, it seems very appealing to claim cloud analysis capabilities, but what are the "fine print" details?
04-30-2024 02:23 PM
@chens ContentID marks the traffic to be sent to the cloud but only a fraction of the traffic is sent.
Then the verdicts are cached for future requests to prevent rescanning the traffic in the cloud.
Finally, you can configure the maximum allowed processing time in the cloud before you either allow the traffic to pass through or to be blocked. You also have the option to capture samples in case you let the traffic pass unscanned.
regards
--Richard
04-30-2024 11:34 PM
thanks @rdumoulin
What are the best practices here? if i set 200ms for example (default), how can i set the capture samples that you have mentioned?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
