On–Premises Capabilities

The following table explains the Cloud Edge capabilities available on-premises.

For more information about IPv6 support for on-premises capabilities, see Support for IPv6.

Table 1. Cloud Edge On–Premises Capabilities



High Availability (HA) Groups

You can configure two registered gateways as an HA Group to provide high availability access. If one gateway is down, then the other gateway will take over and ensure that the network traffic is not down. An HA Group can also increase network traffic efficiency.

Advanced Firewall

Easily deploy and manage the next-generation firewall by blocking attacks while allowing good application traffic to pass.


Leverage multiple security components and antivirus protection based on application content scanning for better protection with lower latency and improved user experience.

Spam and Anti-Malware scanning When email security is set to local scan, Cloud Edge locally manages and provides spam and anti-malware protection.

The default setting for email security is cloud scan. Cloud Edge can automatically change the setting to local scan in certain cases, including if there are network issues.

Email Reputation Services Use Trend Micro Email Reputation Services (ERS) to detect and block email messages based on the reputation of the mail sender.


Identify and stop many active threats, exploits, back-door programs, and other attacks, including denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, passing through the device. An intrusion prevention system (IPS) bolsters a firewall’s security policy by ensuring that traffic allowed by the firewall is further inspected to make sure it does not contain unwanted threats.

Application control

Automatically discover popular Internet applications and control access to them using policies.

Network configuration

View and edit detected network interfaces, or modify physical L2 and L3 port configurations. The following IPv4 configurations are supported for L3 ports:

  • Dynamic Host Configuration Protocol (DHCP)

  • Static route configurations by IP address and netmask

  • Point-to-point Protocol over Ethernet (PPPoE)


Transparently bridge two interfaces and filter network traffic to protect endpoints and servers with minimal impact to the existing network environment. Spanning Tree Protocol (STP) ensures a loop-free topology for any bridged Ethernet local area network.

Bridge Mode deployments support IPv6 functionality.

Software Switch

Configure a Cloud Edge gateway to function as a Software Switch (a variation of Bridge Mode), which eliminates the need for a separate switch in small business environments. Cloud Edge still provides security scanning according to configured policies while configured as a switch.

Software Switch deployments support IPv6 functionality.

Hardware Switch Chipset

The Cloud Edge gateway with hardware switch chipset is both a security gateway and a hardware switch. In Bridge Mode, the gateway provides seven LAN switch ports that connect directly to endpoints, which eliminates the need for a separate switch in many business environments.

You can also deploy the gateway in Routing Mode if desired. Eight LAN ports are available for internal networks when deployed in Routing Mode.

Whether deployed in Routing Mode or in Bridge Mode as a hardware switch, Cloud Edge gateways with hardware switch chipset still provide security scanning according to configured policies.

Bridge Mode deployments support IPv6 functionality.


Configure a Cloud Edge gateway to function as a router while in Routing Mode. The gateway is visible on the network and acts as a layer 3 routing device with security scanning and control capabilities. The Cloud Edge gateway locally manages all IPv4 static routes.

Routing Mode deployments do not support IPv6 functionality.

Bandwidth control

Reduce network congestion by controlling communications, reducing unwanted traffic and allowing critical traffic or services the appropriate bandwidth allocation.

URL filtering

Create and configure unique URL filtering procedures for different profiles. URL filtering, along with WRS, is part of the multi-layered, multi-threat protection solution.


Configure Network Address Translation (NAT) policies to specify whether source or destination IPv4 addresses and ports are converted between public and private addresses and ports.


Configure the following services:

  • Dynamic Host Configuration Protocol (DHCP) servers


Configure IPv4 VPNs.

  • User VPN

    Configure Virtual Private Network (VPN) with the Layer 2 Tunneling Protocol (L2TP) or Secure Sockets Layer Virtual Private Network (SSL VPN).

    Allow iOS and Android mobile device users to easily and securely connect back to the corporate environment by utilizing the built-in IPsec VPN clients. No agent installation is required for the mobile devices.

  • Site–to–Site VPN

    Create encrypted L3 tunnels by using the Internet Key Exchange (IKE) and IP Security (IPsec) protocols.

    You can create a single peer-to-peer VPN tunnel, a star VPN topology with one central hub device and up to four spoke devices, or a full-mesh VPN topology of up to five devices.

You cannot configure VPNs for Cloud Edge gateway models that do not support VPN.


View and analyze audit logs, system events, and VPN logs (if available).

Gateway System Status and Events/Logs

For each gateway, you can view information about the gateway's system status. You can also view information about network events, system events, VPN events (if available), and policy enforcement logs.

You cannot view information about VPNs for Cloud Edge gateway models that do not support VPN.

Gateway Troubleshooting Tools

You can use ping, traceroute, and ARP to troubleshoot gateway IPv4 network connectivity issues.

Integration with Worry Free Business Security Services

Cloud Edge WFBSS Endpoint Protection integrates with WFBSS to provide a compliance check for WFBSS endpoints who have an out-of-date WFBSS Security Agent pattern or who do not have the WFBSS Security Agent installed. Cloud Edge can provide network access control for out-of-compliance endpoints.

Network access control for suspicious endpoints

Cloud Edge provides security services by providing compliance checks for endpoints to see if C&C callbacks above the configured threshold have been detected. Cloud Edge can provide network access control for endpoints who have exceeded the threshold.

Wireless Networks

For Cloud Edge gateways with wireless network functionality, you can configure wireless network access for a main network and a guest network, while controlling access by using MAC address filtering. Cloud Edge provides full security services to both the main and guest networks.

You can configure other networking services on the wireless networks including DHCP services, bandwidth control, NAT, VPN access, and network access control for suspicious endpoints.