Using Guided Setup for No Sky ATP (No Selection)
Guided Setup is the most efficient way to complete your initial configuration. Locate Guided Setup from the Configuration > Guided Setup > Threat Prevention menu.
You would make no Sky ATP selection to configure SDSN using only custom feeds. Custom feeds are the only threat prevention type available if you make no selection for Sky ATP Configuration Type in the Policy Enforcer Settings page.
Before you begin the guided setup process, you must enter the IP address and login credentials for the policy enforcer virtual machine on the Policy Enforcer Settings page. If you haven’t yet done that, go to Administration > Policy Enforcer > Settings and enter the necessary information. See Policy Enforcer Settings for more information.
There are some concepts you should understand before you begin the configuration. It is recommended you read about them here in advance. Policy Enforcer Configuration Concepts.
The Guided Setup process offers four steps for configuring threat prevention with custom feeds (No Sky ATP selection). Click Start Setup to begin.
- Secure Fabric—Secure Fabric is a collection
of network devices (switches, routers, firewalls, and other security
devices), used by users or user groups, to which policies for aggregated
threat prevention are applied. Once created, secure fabric is located
under Devices. For secure fabric, the following is configured:
Sites—A site is a collection of network devices participating in threat prevention. Using quick setup, you can create your own site, but note that a device can only belong to one site and you must remove it from the any other site where it is used to use it elsewhere.
Click Add Devices in the Device Name column or in the IP address column to add devices to a site. Using the check boxes in the device list, you should indicate which devices are firewalls or switches.
- Policy Enforcement Group—A policy enforcement
group is a grouping of endpoints ready to receive advance threat prevention
policies. Create a policy enforcement group by adding endpoints (firewalls
and switches) under one common group name and later applying a security
policy to that group. For policy enforcement group, the following
Once configured, policy enforcement groups are located under Configure > Shared Objects. A policy enforcement groups has the following fields:
Name and Description.
Group Type—IP Address, Subnet, or Location
Endpoint—IP addresses included in the group
- Custom Feeds— Policy Enforcer uses threat
feeds to provide actionable intelligence to policies about various
types of threats. These feeds can come from different sources. In
this case, the feeds are customized by adding IP addresses, domains,
and URLs to your own lists.
The following types of custom threat feeds are available:
Dynamic Address—A dynamic address is a group of IP addresses that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses within a security policy.
Whitelist—An allowlist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the allowlist does not have to be inspected for malware.
Blacklist—A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Infected Host—Infected hosts are hosts known to be compromised.
- Threat Prevention Policy—A threat prevention
policy requires you to create a name for the policy, choose one or
more profile types depending on the type of threat prevention this
policy provides (infected hosts), and select a log setting. Once configured,
you apply policies to policy enforcement groups.
Once configured, threat prevention policies are located under Configure > Threat Prevention > Policies. A policy has the following fields:
Name and Description.
Profiles—The type of threat this policy manages:
Infected Hosts—An infected host profile would provide information on compromised hosts and their associated threat levels. Host information includes IP address, threat level, blocked status, when the threat was seen, command and control hits, and malware detections.
Logging—All traffic is logged by default. Use the pulldown to narrow the types of traffic to be logged.
Group—Once your policy is created, it is applied to the policy enforcement group.
- The last page is a summary of the items you have configured using quick setup. Click OK to be taken to the Policies page under Configure > Threat Prevention > Policies and your policy is listed there.
- You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.