
advanced threat protection

https://community.sophos.com/kb/en-us/123176

http://docs.sophos.com/nsg/sophos-firewall/v16056/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/ATPSettings.html


In Advanced Threat Protection general settings, why can existing host/group objects only be used in the "Network / Host Exceptions" field but not the "Threat Exceptions" field? It seems that only individual, manually entered IP addresses, host names, or domain names can be entered as a Threat Exception, which doesn't make sense yet. I'm also not seeing a way to include a subnet there, even manually. The goal of this is ensuring ATP isn't negatively impacting traffic to/from external VoIP provider networks. VoIP calls have been terminating randomly lately on XG210_WP03_SFOS 17.5.3 MR-3 + 17.5.4 MR-4 with nothing logged by ATP, but the timing of the start of that problem coincides with a few changes, including enabling ATP, so it's on my list of areas to isolate.





  • After enabling the ATP feature (just logging for now) the IPS is catching traffic from CDNs used by Microsoft to distribute updates to WSUS servers. Ran a pcap on my WSUS box to verify that the traffic was indeed related to Microsoft Update and nothing truly malicious.

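Both posts above come down to the same triage step: decide whether an ATP hit (or a suspected ATP interference) involves a destination that belongs to a trusted third party such as the VoIP provider's SIP/RTP ranges or Microsoft's update CDN, and, because Threat Exceptions accept only individual IPs, hostnames or domains rather than subnets, turn the matching destinations into the discrete entries that field will take. The script below is an added example, not code from Sophos or from either poster. The log lines are constructed for the example in a key="value" syslog style with hypothetical field names (`log_type`, `src_ip`, `dst_ip`, `url`, `threatname`); they are not guaranteed to match the real XG ATP log schema. The trusted ranges are RFC 5737 documentation addresses standing in for the provider ranges an operator would look up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample ATP alert export (hypothetical key="value" field names,
# not Sophos XG's real schema). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
log_type="ATP" log_subtype="Alert" src_ip="10.20.30.5" dst_ip="203.0.113.10" url="sip.voip-provider.example" threatname="C2/Generic-A" action="Log"
log_type="ATP" log_subtype="Alert" src_ip="10.20.30.50" dst_ip="198.51.100.77" url="download.windowsupdate.example" threatname="C2/Generic-B" action="Log"
log_type="ATP" log_subtype="Alert" src_ip="10.20.30.8" dst_ip="192.0.2.44" url="" threatname="C2/Generic-C" action="Log"
log_type="Firewall" log_subtype="Allowed" src_ip="10.20.30.5" dst_ip="203.0.113.11"
"""

# Hypothetical trusted ranges: in practice, the VoIP provider's published
# SIP/RTP networks and Microsoft's update CDN ranges.
TRUSTED_NETS = {
    "voip-provider": ["203.0.113.0/24"],
    "ms-update-cdn": ["198.51.100.0/24"],
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def atp_events(text):
    """Yield only the ATP records; other log types (firewall, IPS) are ignored."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") == "ATP":
            yield rec


def classify(dst_ip, trusted=TRUSTED_NETS):
    """Return the trusted-range label containing dst_ip, or None if it is in none."""
    addr = ipaddress.ip_address(dst_ip)
    for label, nets in trusted.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return label
    return None


def triage(text, trusted=TRUSTED_NETS):
    """Split ATP alerts into two buckets.

    exceptions: label -> set of individual entries (IP, plus hostname when the
                log carried one) suitable for the Threat Exceptions field, which
                takes single hosts and domains, not subnets.
    unexplained: alerts whose destination is outside every trusted range and
                 still needs a pcap or other verification before any exception.
    """
    exceptions = defaultdict(set)
    unexplained = []
    for rec in atp_events(text):
        label = classify(rec["dst_ip"], trusted)
        if label is None:
            unexplained.append(rec)
            continue
        exceptions[label].add(rec["dst_ip"])
        if rec.get("url"):
            exceptions[label].add(rec["url"])
    return dict(exceptions), unexplained


if __name__ == "__main__":
    exc, unexpl = triage(SAMPLE_LOG)
    for label, entries in sorted(exc.items()):
        print(f"{label}: candidate Threat Exceptions -> {sorted(entries)}")
    for rec in unexpl:
        print(f"investigate: {rec['src_ip']} -> {rec['dst_ip']} ({rec['threatname']})")
```

Run against a real export, the `exceptions` bucket is the list to type into Threat Exceptions one entry at a time (the whole /24 cannot go in there), while the `unexplained` bucket is where the pcap-on-the-host check from the reply above still has to happen before anything is whitelisted. For the VoIP case, where ATP logged nothing, an empty result is itself evidence that the call drops should be isolated elsewhere first.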