Pros and cons of enabling APT Blocker in TDR

Hi,

I'm trying to decide whether to enable the APT Blocker feature in TDR.
What are the pros and cons of enabling it?
Is it generally recommended best practice to enable it, and why is it not enabled by default?

Many Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @HXITAdmin
    APT Blocker is able to sandbox specific file types and determine if they may be a threat based on their behavior. It's better at catching new threats because it works on behavior rather than a specific definition set.

    If the file APT encounters has never been encountered before, it may take several minutes for the system to produce a result. Aside from that, APT's performance impact is minimal.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    Hi @HXITAdmin
    APT Blocker is able to sandbox specific file types and determine if they may be a threat based on their behavior. It's better at catching new threats because it works on behavior rather than a specific definition set.

    If the file APT encounters has never been encountered before, it may take several minutes for the system to produce a result. Aside from that, APT's performance impact is minimal.

    Thanks for the reply James.
    So is it generally recommended best practice to enable it? How come it's not enabled by default like the other settings?

  • james.carson Moderator, WatchGuard Representative

    Hi @HXITAdmin
    APT sends suspicious files to an external server, which is something customers need to opt into if they'd like to use the service. Additionally, customers with Fireboxes may already be using the service via the proxies on the Firebox and don't wish to use it a second time.

    You can read more about the service here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_sandboxing_c.html

    -James Carson
    WatchGuard Customer Support

  • Thanks again James.
    So if I have mobile users, does TDR still continue to function when they are not behind our Fireboxes, or is it dependent on host sensors being behind a Firebox?

  • james.carson Moderator, WatchGuard Representative

    @HXITAdmin
    If you are having the users remote in via one of the VPN solutions, yes. If they aren't, then no, they would not be protected by APT on the firewall.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    @HXITAdmin
    If you are having the users remote in via one of the VPN solutions, yes. If they aren't, then no, they would not be protected by APT on the firewall.

    Not specifically APT but any of the TDR functions? Do they need to be behind the firewall for any of the TDR functions to work?

    Thanks.

  • james.carson Moderator, WatchGuard Representative

    Hi @HXITAdmin
    TDR still functions; it just does not have the network sensor (the Firebox) when the workstation is not behind it.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_firebox_enable_c.html

    All of the work is done on the host sensor; the network sensor is mainly for monitoring and logging the system.

    -James Carson
    WatchGuard Customer Support
