Is it possible to have a small presentation about how ATP works ?
What are the expected behaviour in the graphical interface and in the logs if you have an ATP present in your network ?
Do you know how we can test this features in details ?
Is it possible to have a small presentation about how ATP works ?
What are the expected behaviour in the graphical interface and in the logs if you have an ATP present in your network ?
Do you know how we can test this features in details ?
You can trigger detection-events for testing with your webbrowser on a client.
Surf to one of these URLs:
sophostest.com/highrisk
sophostest.com/malware/index.html
Please forgive me if I am hijacking this thread, but I see results that I cannot explain:
* If I connect from a client browser through the UTM to a page that I know should be blocked, the UTM returns the appropriate "Content blocked" page. Here are example pages that I tried, which are blocked by the UTM, just as you would expect:
www smith (hyphen) wesson com (weapons)
www play boy com (Por ography)
* If I connect from a client browser through the UTM to any of the sophostest.com links, I see the designated Sophos web page, not the UTM "Content blocked" page. Here are example pages that are not blocked by the UTM, and I do not understand why they are not blocked:
sophostest.com/weapons/index.html
sophostest.com/adult/index.html
Obviously the UTM is doing its job correctly for real websites, but I expected to see the content blocked for those sophostest.com webpages that match website categories I selected on the URL Filtering page. The sophostest.com website is designed to test UTM website blocking, right?
Yes, I cleared the browser caches, and ran the tests from more than one client system. What obvious thing am I missing?
Hello UTMADM
That's probably, because the sophostest.com page originally was built for the "classic" sophos products as the SWA Web Appliance, which uses a different URL Database as the UTM does. So the category testpages on that site will mostly not work for UTM except of
Sophos Web Security and Control Test Site
Sophos Web Security and Control Test Site
Which should trigger the ATP feature of UTM 9.2
/Sascha
Hello Sascha,
Thank you for the clear and understandable explanation. The links you listed do not trigger blocking either. Perhaps I am still missing a setting somewhere. More likely, the same explanation applies.
Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: C2/Generic-A - Viruses and Spyware - Web Threat, Virus and Spyware Detection and Removal | Sophos - Threat Center - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server, Web, Wireless Security, Network Storage and Next-Gen Firewall Solutio
Time...........: 2014-02-06 22:33:37
Traffic blocked: yes
Internal source IP address or host
Thank you for the clear and understandable explanation. The links you listed do not trigger blocking either. Perhaps I am still missing a setting somewhere. More likely, the same explanation applies.
I am running the UTM in a test configuration. Today I updated it to version 9.108-23, which was just released today via Up2Date.
