SonicWall Capture Advanced Threat Protection Review

Enables us to select the file if it's malicious and see what triggered it

How has it helped my organization?

We have only been using it for a short while, but it's definitely given us a level of protection at the edge device. We're not at the moment using the Capture endpoint product, but we are also looking at that as well, which actually allows you to run Capture for the client. We use another product for our endpoint solution at the moment.

What is most valuable?

The reporting that you get from it is the most valuable feature. You can see it via the appliance itself, and also via the MySonicWall account for the registered device. You are able to select a file if it's malicious, and you can select it in the reporting and see what triggered it, and things like that. I found that to be quite useful.

Also valuable is the ability to actually turn it on and off based on the requirements on the firewall, in which you can just have it turned on for everyone, or you can turn it on based on users, exclusion lists, and things like that.

What needs improvement?

At the moment it seems to be pretty good. I can't compare it to the competitors' products out there at the moment. I'm aware of the Sophos sandboxing product, Sophos Sandstorm, as a similar solution. The advantage of the SonicWall product is that it uses three different virus checking engines, which we find is quite a strong advantage it has over some of the other products.

Having an on-premise solution as well would be an option for some people, but they'll want to use a cloud solution for their sandboxing. Certain sites would want to keep all the checking on an on-premise appliance, rather than sending it up into a cloud engine.

They should have a virtual appliance that you could deploy on your own infrastructure or your own hosted infrastructure to do all of the virus checking. Then maybe you would be able to have more control over the files that are getting checked.

They should tie it in with analytics; they're doing a lot with the Google Analytics stuff, which Capture is tying in with. They've got the product integrated with the email security appliance and the remote access appliances as well, which is quite a strong solution.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

It has been stable. We haven't had any major issues. We do have a special client site that has a separate DMZ with a lot of PlayStations and games, for testing games and PlayStation material, which we keep isolated in a separate network. We did find that Capture caused a few issues with them, so we've excluded them from Capture because they don't need it. They actually download material to test; they do certification testing on games, basically for Office of Film and Literature Classification certifications. Things like that can happen, but there are easy ways on the firewall to exclude or manage those. As far as the stability of the product, it hasn't caused a stability issue or anything on the firewalls so far.

What do I think about the scalability of the solution?

Scalability-wise, it is really scalable. It also ties in quite well with the DPI and SSL inspection on the firewall. You can inspect HTTP and SSL traffic. The advantage is it works on all the scan ports on the firewall for DPI and SSL. It runs from the lower-end boxes right up to the large SuperMassive boxes. The product is set up similarly across the whole range. It scales quite well. It depends whether they look at it as an on-premise solution as well. It might give some clients an option to scale it a bit better for their site.

Generally, one of our clients is about a 100-user site. We're a 30-user site. There are a few people around 50- to 100-user sites, mainly around 30- to 50-user sites. We mainly have small and medium businesses that use this solution.

If you previously used a different solution, which one did you use and why did you switch?

We've used SonicWall for quite a while for our clients.

How was the initial setup?

The initial setup was really straightforward. You just license it on the firewall through the MySonicWall portal. It comes in a bundle with the AGS Global Security Suite license. You just get it activated and licensed, and it syncs the license to the appliance. Once you've synced it, you just go and activate it in the appliance and turn it on. You tell it what data center you want to use for the cloud; there are about five different data centers that SonicWall provides around the world for the sandboxing. You just tell it what data center you use. Once you do that, it activates on the appliance, and you can then start enabling the scanning. There's quite an easy option to set up a test group if you want to only assign the scanning to a certain subnet on your network, a certain VLAN, or a certain group of workstations. It's a very straightforward screen to turn on. You can then select what file types you want scanned, for example, PDFs, macros, .doc files, XLS files. You can select which ones you want to scan, and you can turn it on gradually so you can have a test group. You don't have to turn it on globally initially; you can just add people on to it. It's definitely straightforward, quite easy to set up, and it's less intrusive for the clients.

It takes half an hour to activate it and set it up, and get it pointing to the data center. Then the strategy really is just selecting the test group users, for which you can just create a simple object group on the firewall and add certain test users into that.

What about the implementation team?

We did the implementation ourselves, and for our clients.

What other advice do I have?

I would recommend this solution. Whether it's the SonicWall solution or a competing product, a firewall solution that has similar sandboxing has become quite an essential part of a security footprint. I would recommend clients utilize the technology as part of their assisted solution, whether it's SonicWall, Sophos, or another competing product.

They're strong for the small and medium business. They can scale up into the medium enterprise market. They have a strong suite of products. We use the firewall product across all our line of people, and we've had pretty good experience with them.

I would rate it an eight out of ten because their products integrate well. The inspection is quite strong, and they don't use proxies. They can scan packets on all ports, not just the well-known ports. On all ports, they can scan the file, and they don't have a size limit on the file that they can scan, whereas some of the other products only inspect the packets up to a certain file size.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.