Does ATP work if XG only used as an internet proxy?

Synchronized Security Features work without Default Gateway.

Simply redirect the "Heartbeat Magic IP" to XG, and XG will build up the communication Channel between all clients. 

The Client will try to reach: 52.5.76.173 and port 8347. Thats the Magic IP. 

If XG is not the Gateway, simply redirect this IP with this Port to XG. 

ATP Should work in such Scenario. But why should there be Drops in ATP? Did you actually use something in ATP? 

At the end of a four support call to try and get synchronized security features working between the XG and Central, a developer was brought onto the call and the first words out of his mouth were "It doesn't work if the XG isn't the default gateway."

You're saying I should put a NAT rule on my external firewall to redirect 52.5.76.173:8347 back to the XG? Is that going to affect my clients' heartbeat to Central?

>"ATP Should work in such Scenario. But why should there be Drops in ATP? Did you actually use something in ATP? "

Don't follow. I'm not seeing anything ATP related

Lets wrap up:

Endpoint talks to a XG Firewall via 52.5.76.173:8347. 

The Endpoint can only talk to one XG at the time. 

XG will intercept this connection. 

So if you have another XG as Gateway, this will not work, but if the XG (as Web proxy) is your only XG, this should work. 

Lets wrap up:

Endpoint talks to a XG Firewall via 52.5.76.173:8347. 

The Endpoint can only talk to one XG at the time. 

XG will intercept this connection. 

So if you have another XG as Gateway, this will not work, but if the XG (as Web proxy) is your only XG, this should work. 

Only one XG. The external firewall is an ASA.

I'll definitely give it a try, thanks.

Hi Robert Russom 

I see this thread was asking about ATP yet you got answers on security heartbeat.

In any case, in order to get effective ATP use of the XG, the XG should be used as the primary DNS server address for the workstations to use.

ATP should work fine without the XG being the default gateway of the network, but will require the XG to be used as primary DNS address.  If this is not done, you will get ATP reports about your primary DNS server in use reaching out to known C2C servers.  Where the actual fact is that the client is doing DNS lookup of the URL and your DNS server is then forwarding the request out.  

Update this thread if you managed to get it working.

Thanks!

Thanks. I can't use the XG as a DNS server, so I'll just have to rely on Central Advanced features and my IPS to block C&C traffic and not worry about the XG's ATP. We didn't get the XG for that anyway, but would have used the feature, if available.