Suspicious Endpoints

Suspicious Endpoints provides security services for endpoints. Configuring Suspicious Endpoints provides network access control for endpoints on which C&C callbacks above a configured threshold are detected.

Note:

  • Suspicious Endpoints does not provide endpoint checking and compliance for IPv6 endpoints.

  • If a NAT device or a proxy is between the Cloud Edge gateway and the endpoint, Cloud Edge is not able to detect the client's real IP address, and instead, Cloud Edge counts the C&C callback event to the NAT/proxy device. Therefore, any future traffic from the NAT/proxy device that triggers a violation will be blocked or monitored, depending on the configured settings. This behavior might not be as expected.

What You Can Specify After Enabling Suspicious Endpoints

You must enable this feature. The default is disabled.

After you enable the feature, you can specify what action (block or monitor) to take if Cloud Edge detects C&C callback detections on the endpoint that are above the configured threshold.

The threshold is reached when a specified number of events is detected over a specified time period. You can configure the number of events and the time period:

  • Events (50 default)

    Range: 1-1000

  • Time Period (default 1 hour)

    Valid time periods: 30 minutes, 1 hour, 6 hours, 12 hours, 1 day

Cloud Edge synchronizes information with the endpoints periodically to get updated information.

Actions You Can Specify

If the compliance check finds that an endpoint violated the threshold settings, Cloud Edge can take one of two courses of action:

  • Block

    All access to the Internet is blocked.

    Exceptions: Endpoints are not blocked if the traffic/URLs are in the global approved list. Traffic to DNS and DHCP are not blocked.

    If an endpoint is blocked, the client browser is sent the Suspicious Endpoints Violation notification page.

    Note:

    If you set the action to Block, suspicious endpoints cannot access the Internet.

  • Monitor

    Access to the Internet is allowed, but the suspicious endpoint is added to the violation list.

How You Can Use the Violation List

You can use the Violation List section to view information about all endpoints with suspicious activity detections that are above the threshold.

  • Cloud Edge begins to populate the violation list with endpoints that exceed the threshold after enabling Suspicious Endpoints.

  • If the action is set to Block, you can exempt specific endpoints in the violation list from being blocked by clicking on Dismiss in the appropriate row.

How You Can Use the List on the Troubleshooting Page

If the action is set to Block, you can view the list on the troubleshooting page to see which endpoints are blocked because of violations.

If the Cloud Edge gateway is offline, you view the list, but cannot perform operations, such as Dismiss.

Parent topic: Managing Network Access Control