Limitations and Precautions for APT Defence
Read limitations and precautions before configuring APT defense.
Hardware Requirements
The USG6510E/6510E-POE does not support the APT Defence function.
License Requirements
Interworking between the FW and the cloud sandbox is controlled by the cloud sandbox detection license. For details about the license control scopes, see the License Control Items.
Interworking between the FW and the local sandbox is not license-controlled.
Component Package Requirements
To use interworking between the FW and the cloud sandbox, you need to load the cloud sandbox component package. For details about the component package, see Dynamic Loading.
Networking Limitations
- In a hot standby scenario, the active and standby devices must be configured with the same sandbox. Otherwise, the devices may have inconsistent file inspection capabilities.
- In hot standby networking, malicious file and malicious URL information is not backed up from the active device to the standby one. This information is stored on the IAE, which does not support hot standby, so the standby firewall must obtain malicious file and malicious URL information through its own scanning.
- In networking with asymmetric forward and return paths, the FW receives traffic in only one direction, so it may miss part of the attack information and cannot effectively defend against APTs.
Cloud Sandbox Usage Limitations
- The FW can connect to the cloud sandbox only through HTTPS but not through a proxy server.
- Currently, the cloud sandbox does not support image files, web page files, media files, or other files (including CMD, VBE, RB, PY, POWERSHELL, JSE, WSF, LNK, TXT, and PSD files).
- In NAT scenarios, the FW does not support the cloud sandbox function.
Other Limitations
- APT defense depends on services such as file restoration, file reputation, and application identification. When configuring APT defense, ensure that the file restoration function is enabled and working normally, that the file reputation database is normal and updated to the latest version, and that application identification services are correctly configured. In addition, ensure that the bypass function is disabled for the preceding services.
- When configuring APT defense, ensure that the status check function is enabled on the device. If the status check function is disabled, file-related service sessions may fail to be re-established after they age out. As a result, file inspection stops working and files cannot be restored, so they cannot be sent to the sandbox for inspection.
- The sandbox interworking function can be configured only in the root system. If a firewall has multiple virtual systems, you can configure an APT defense profile in each virtual system. Then, all qualified packets will be sent to the sandbox configured in the root system for detection.
- If the FW is deployed between two routers that detect each other through BFD, you are advised to increase the BFD detection time appropriately (longer than 100 ms is recommended) to prevent BFD flapping caused by occasional network congestion.
- APT defense does not support IPv6.
- APT defense does not apply to resumable file transfer.
- When the sandbox collaboration function is configured, the IP address of the FW service interface cannot fall within the IP address range of the virtual NIC or the sandbox server (192.168.100.2/24 or 169.254.100.100/24). Otherwise, packet loss occurs on the interface.
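The following pre-check script is an added example, not part of this documentation or of any Huawei tool. It takes a constructed table of service-interface addresses (the interface names and addresses are assumptions for illustration) and reports every address whose subnet overlaps the two reserved ranges listed above. The check is done at the subnet level rather than by testing a single host address, so an interface configured with a supernet that contains a reserved range is flagged as well.

```python
import ipaddress

# Address ranges used by the sandbox virtual NIC and the sandbox server, as
# listed on this page. They are written host-style (192.168.100.2/24), so
# strict=False is required to obtain the covering /24 networks.
RESERVED_RANGES = [
    ipaddress.ip_network("192.168.100.2/24", strict=False),
    ipaddress.ip_network("169.254.100.100/24", strict=False),
]


def conflicting_interfaces(interfaces):
    """Return [(interface_name, cidr, reserved_range), ...] for every
    service-interface address whose subnet overlaps a reserved range.

    `interfaces` maps an interface name to a list of CIDR strings, e.g.
    {"GigabitEthernet0/0/1": ["10.1.1.1/24"]}. Overlap is checked with
    IPv4Network.overlaps, so both a host inside a reserved /24 and a
    supernet that contains it are reported.
    """
    conflicts = []
    for name, addrs in interfaces.items():
        for cidr in addrs:
            net = ipaddress.ip_interface(cidr).network
            if net.version != 4:
                continue  # the reserved ranges are IPv4; IPv6 cannot overlap them
            for reserved in RESERVED_RANGES:
                if net.overlaps(reserved):
                    conflicts.append((name, cidr, str(reserved)))
    return conflicts


# Constructed sample interface table (assumed names and addresses, not from a real device).
SAMPLE_INTERFACES = {
    "GigabitEthernet0/0/1": ["10.1.1.1/24"],        # no overlap
    "GigabitEthernet0/0/2": ["192.168.100.50/24"],  # inside the virtual NIC range
    "GigabitEthernet0/0/3": ["169.254.0.1/16"],     # supernet covering the sandbox server range
    "GigabitEthernet0/0/4": ["192.168.101.1/24"],   # adjacent subnet, no overlap
}

if __name__ == "__main__":
    for name, cidr, reserved in conflicting_interfaces(SAMPLE_INTERFACES):
        print(f"{name} {cidr} overlaps reserved sandbox range {reserved}")
```

Run it against the interface addresses you intend to configure before enabling sandbox collaboration; an empty result means no service interface sits in either reserved range.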