Configure Advanced Threat Defense
You can configure Advanced Threat Defense to additionally scan web objects after Web Gateway has scanned them. Alternatively, a scanning report that Advanced Threat Defense has already generated for a web object can be evaluated on Web Gateway to handle access to this object.
If an existing scanning report for a web object is evaluated, Web Gateway will not trigger a new additional scanning run by Advanced Threat Defense for this object.
Configure scanning by Advanced Threat Defense
Configure additional scanning by Advanced Threat Defense after a scanning run by Web Gateway has been completed.
- Configure Advanced Threat Defense to integrate it into your network.
  For more information, see the Skyhigh Security Advanced Threat Defense Product Guide.
- On the user interface of Web Gateway, complete the following activities:
  - Import the rule set for one of the two additional scanning workflows from the rule set library. These rule sets are located in the Gateway Anti-Malware rule set group.
    - Advanced Threat Defense — For forwarding web objects depending on the additional scanning
      On the rule sets tree, place this rule set after the rule set for scanning by Web Gateway. By default, this is the Gateway Anti-Malware rule set.
    - ATD - Offline Scanning with Immediate File Availability — For forwarding web objects before the additional scanning
      After importing this rule set, the following two rule sets appear on the rule sets tree.
      - ATD - Init Offline Scan — This rule set initiates the additional scanning.
        On the rule sets tree, place this rule set after the rule set for scanning by Web Gateway. By default, this is the Gateway Anti-Malware rule set.
      - ATD - Handle Offline Scan — This rule set handles the additional scanning once it has been initiated.
        On the rule sets tree, place this rule set after the rule sets that perform global or common activities and before the rule sets that perform particular filtering activities.
        For example, on the default rule sets tree, place this rule set after the Common Rules rule set and before the Media Type Filtering rule set.
  - To enable monitoring of Advanced Threat Defense scanning activities on Web Gateway, import the ATD Scanning Log and Block on ATD Errors rule sets from the rule set library and add them to the existing Log Handler and Error Handler rule sets, respectively.
  - Add media types to the list of supported media types or remove them as needed. After importing either of the library rule sets, the name of this list is Advanced Threat Defense Supported Types.
    NOTE: After importing a rule set, you can work with this list on the key elements view of the rule set.
  - Configure the settings for scanning by Web Gateway. By default, the name of these settings is Gateway Anti-Malware.
    NOTE: After importing a rule set, you can work with these settings on the key elements view of the rule set.
  - Configure the settings for scanning by Advanced Threat Defense. After importing either of the library rule sets, the name of these settings is Gateway ATD.
    NOTE: After importing a rule set, you can work with these settings on the key elements view of the rule set.
- Save your changes.
Configure use of an existing Advanced Threat Defense scanning report
If you do not want a new scanning run to be performed on a web object, you can let an existing Advanced Threat Defense scanning report be used to evaluate the web object.
There are several options for using an existing scanning report. The following task assumes that:
- Scanning reports were generated for web objects that were uploaded manually to Advanced Threat Defense and scanned.
- Web Gateway allows access if a report shows that a web object is not infected and blocks it if no report exists.
Complete the following high-level steps:
- Create a rule set for the rules that handle the use of an existing Advanced Threat Defense scanning report.
- In this rule set, create the following rules:
  - A rule that retrieves a scanning report for a file and blocks access to the file if no report exists for it
  - A rule that evaluates a scanning report and blocks a file that is infected according to the report
- Configure the Gateway ATD settings of the Anti-Malware module.
  - Make sure Re-use previous detection ... is selected.
  - [Optional] Under Maximum detection age, modify the time limit for excluding older reports as needed. This limit is 30 minutes by default.
- Save your changes.
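The allow/block decision that the two rules and the Maximum detection age setting produce together, modeled in Python as an added example. This is not Web Gateway's rule language or the product's own code; the report store, its hash keys and timestamps are constructed, and keying reports by file hash is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class ScanReport:
    """One existing Advanced Threat Defense scanning report (constructed model)."""
    file_hash: str          # assumption: reports are looked up by file hash
    infected: bool          # verdict recorded in the report
    generated_at: datetime  # when the report was produced


# Constructed sample report store, standing in for reports of files that were
# uploaded manually to Advanced Threat Defense and scanned.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
REPORTS: Dict[str, ScanReport] = {
    "clean-recent": ScanReport("clean-recent", False, NOW - timedelta(minutes=5)),
    "infected":     ScanReport("infected", True, NOW - timedelta(minutes=10)),
    "clean-stale":  ScanReport("clean-stale", False, NOW - timedelta(minutes=45)),
}


def retrieve_report(reports: Dict[str, ScanReport], file_hash: str,
                    now: datetime, max_age_minutes: int = 30) -> Optional[ScanReport]:
    """Lookup behind the first rule: a report counts only if it exists and is
    not older than Maximum detection age (30 minutes by default)."""
    report = reports.get(file_hash)
    if report is None:
        return None
    if now - report.generated_at > timedelta(minutes=max_age_minutes):
        return None  # older than the limit: treated as if no report exists
    return report


def decide_access(reports: Dict[str, ScanReport], file_hash: str,
                  now: datetime, max_age_minutes: int = 30) -> Tuple[str, str]:
    """Apply both rules in order: block when no usable report exists, block when
    the report says infected, otherwise allow. Returns (action, reason)."""
    report = retrieve_report(reports, file_hash, now, max_age_minutes)
    if report is None:
        return "block", "no usable scanning report"            # first rule
    if report.infected:
        return "block", "report marks the object as infected"  # second rule
    return "allow", "report marks the object as clean"


if __name__ == "__main__":
    for h in ("clean-recent", "infected", "clean-stale", "unknown"):
        print(h, decide_access(REPORTS, h, NOW))
```

Note that a clean report older than the age limit is blocked just like a missing one, so raising Maximum detection age widens what is allowed without a new scan.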