
Capture ATP - maximum number of Files per hour

BWC Cybersecurity Overlord ✭✭✭

Hi,

While browsing through a TSR I was reminded of a limit I have been curious about for a while. It caught my attention when the CSa was announced.

The value for "Maximum number of files transferable per hour:" for Capture ATP on a TZ 400 and 670 shows 50 and on a NSA 4600 the value is 900.

Aren't these values ridiculously low, considering the potential power of a TZ 670 for example? Even the smallest customer is hitting these limits pretty fast.

--Michael@BWC

Category: Entry Level Firewalls

Answers

  • BrookChelmo SonicWall Employee

    Well, according to the data that I saw in the past, even the largest firewalls were not submitting that many an hour. If a small office was pulling down 50 files an hour that were neither on the allow nor the block list, I would like to know what is happening. I will ask the team to see what they are seeing from the data.

  • @BWC, a file will only be sent once and then we keep the hash for a while so that if someone else downloads it in the future, we can do a static lookup instead of dynamic analysis (actual transfer of the file). It is rare to run into that many unique never-before-seen files in such a small time period in one environment, but I agree that the Gen7 TZ numbers could be higher than the Gen6 models.

    @Sathya -- can you review this?

  • @BrookChelmo

    I had a similar issue earlier; I don't know whether it is a bug or something else.

    ATP inspects every JS script from the internet. This makes the file limit overloaded in a few seconds.

    https://community.sonicwall.com/technology-and-support/discussion/1011/ability-to-exclude-extensions-on-atp#latest

  • BWC Cybersecurity Overlord ✭✭✭
    edited November 2020

    Hi @BrookChelmo

    thanks for looking into this.

    It was 2018 when I first reported this to my local contacts (SE and Territory Manager) and I'm having somewhat of a déjà vu because the answer back then was similar: "Our data shows this is not relevant".

    This might be true for the majority, but the problem is that there are minorities as well who have decided to go along with Capture ATP.

    Back in 2018 the message "Gateway Anti-Virus Status: Files per hour limit reached. File forwarding to Sandbox not initiated for some file from" was caused by IMAP, which smaller customers commonly have activated because of the lack of other infrastructure. But I saw this in scenarios like Software Developers as well; they are downloading like maniacs.

    One other thing which brings the numbers down is probably that many customers (at least of mine) have DPI-SSL disabled because of the ongoing "inconveniences"; these files will never be shown to Capture ATP. I don't have any statistics, I'm only seeing this when it's too late. How does the end user know he reached the limit? The "Block until verdict" message might show some information, but if "Allow file download" is selected it's somewhat of a gamble?

    What troubles me is that this value is not communicated to the end user; just put it in the datasheet and we're settled. No one likes hidden restrictions, transparency is the way to go. Whenever possible I inform my customers with information I scraped from TSRs etc., but IMHO this is the duty of the maker, not the vendor.

    --Michael@BWC
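Added example (not part of the thread and not SonicWall code): one way to notice that the hourly limit was reached is to scan exported syslog lines for the message quoted in the post above and count its occurrences per firewall and hour. The key=value line layout, the serial `EXAMPLE0001`, the timestamps and the addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message text as quoted in the post above; what follows "from" is treated as opaque.
LIMIT_RE = re.compile(r"Files per hour limit reached\. File forwarding to Sandbox "
                      r"not initiated for some file from\s*(.*)$")
# Assumed key=value syslog layout (sn=, time="...", msg="..."); adapt to your export.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = ("Gateway Anti-Virus Status: Files per hour limit reached. "
        "File forwarding to Sandbox not initiated for some file from")
# Constructed sample lines (serial, times and addresses are made up).
SAMPLE_LOG = "\n".join([
    f'id=firewall sn=EXAMPLE0001 time="2020-11-10 09:58:12" msg="{_MSG} 192.0.2.10"',
    f'id=firewall sn=EXAMPLE0001 time="2020-11-10 09:58:40" msg="{_MSG} 192.0.2.10"',
    f'id=firewall sn=EXAMPLE0001 time="2020-11-10 09:59:03" msg="{_MSG} 192.0.2.25"',
    'id=firewall sn=EXAMPLE0001 time="2020-11-10 10:01:00" msg="Connection Closed"',
    f'id=firewall sn=EXAMPLE0001 time="2020-11-10 10:41:17" msg="{_MSG}"',
])

def parse_fields(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def limit_hits_per_hour(log_text):
    """Map (serial, 'YYYY-MM-DD HH') -> Counter of origins named in limit messages."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_fields(line)
        match = LIMIT_RE.search(fields.get("msg", ""))
        if not match or "time" not in fields:
            continue
        origin = match.group(1).strip() or "unknown"
        hits[(fields.get("sn", "unknown"), fields["time"][:13])][origin] += 1
    return dict(hits)

def report(hits):
    """One summary line per firewall and hour in which the limit message appeared."""
    out = []
    for (serial, hour), origins in sorted(hits.items()):
        top, count = origins.most_common(1)[0]
        out.append(f"{serial} {hour}:00 limit messages={sum(origins.values())} "
                   f"top origin={top} ({count})")
    return out

if __name__ == "__main__":
    print("\n".join(report(limit_hits_per_hour(SAMPLE_LOG))))
```

Each counted message is a file that was not forwarded to the sandbox, so any hour that appears in the report is an hour in which "Allow file download" let files through without a verdict.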

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @BWC,

    As far as I am aware, the Capture ATP file limitations / units are as below:

    1) Maximum 10MB file size (All supported files type)

    2) Hourly / Concurrent limits

    TZ500/600 - 300 Files /hour (5 concurrent)

    NSA 2600/3600/4600 - 900 files /hour (15 concurrent)

    NSA 5600 /6600 - 1500 Files /hour (25 concurrent)

    SM 9200 - 3000 files /hour (50 concurrent)

    SM 9400 - 4500 files /hour (50 concurrent)

    SM 9600 - 9000 files /hour (50 concurrent)

    I don't have much information about the Capture ATP limitations of the newly launched devices.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Ajishlal

    that's the listing I got back in 2018 as well, and I guess no one besides SNWL has the full information because it's not published.

    --Michael@BWC

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @BWC,

    Yes. SonicWall has not published that information anywhere.

    But in your initial post you mentioned that "Capture ATP on a TZ 400 and 670 shows 50 and on a NSA 4600 the value is 900", so I got curious about those models because as per my knowledge it will support 300 files / hour with 5 concurrent files.

  • BWC Cybersecurity Overlord ✭✭✭

    That's what the TSR was telling me.

    --Michael@BWC

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @BWC,

    One of my SOHO 250 will do 50 Files /hour. See the TSR screenshot from SOHO 250.


  • BWC Cybersecurity Overlord ✭✭✭

    Yep, that seems to be the minimum for SOHO 250 up to TZ 400. Same value, as mentioned before, ridiculously low for Gen7 devices, but @MasterRoshi got it addressed.

    --Michael@BWC
