Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Capture ATP - maximum number of Files per hour

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

while browsing through a TSR I've got reminded of a limit I was curious about for a while. It raised my attention when the CSa got announced.

The value for "Maximum number of files transferable per hour:" for Capture ATP on a TZ 400 and 670 shows 50 and on a NSA 4600 the value is 900.

Aren't these values ridicules low, considerung the potential power of a TZ 670 for example? Even the smallest customer is hitting these limits pretty fast.

--Michael@BWC

Category: Entry Level Firewalls
Reply

Answers

  • BrookChelmoBrookChelmo SonicWall Employee

    Well, according to the data that I saw in the past, even the largest firewalls were not submitting that many an hour. If a small office was pulling down 50 files an hour that were neither on the allow or block list, I would like to know what is happening. I will ask the team to see what they are seeing from the data.

  • @BWC , a file will only be sent once and then we keep the hash for a while so that if someone else downloads it in the future, we can do a static lookup instead of dynamic analysis (actual transfer of the file). It is rare to run into that many unique never-before seen files in such a small time period in one environment but I agree that the Gen7 TZ numbers could be higher than the Gen6 models.

    @Sathya -- can you review this?

  • @BrookChelmo

    I have similar issue at earlier, I don't know is it a bug or something else.

    ATP inspect every JS script from internet. This make the file limit overloaded on few seconds.

    https://community.sonicwall.com/technology-and-support/discussion/1011/ability-to-exclude-extensions-on-atp#latest

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited November 2020

    Hi @BrookChelmo

    thanks for looking into this.

    It was 2018 when I first reported this to my local contacts (SE and Territory Manager) and I'am having somewhat of a Deju-vu because the answer back than was similar. "Our data shows this not relevant".

    This might be true for the majority, but the problem is that there are minorities as well who are decided to go along with Capture ATP.

    Back in 2018 the message "Gateway Anti-Virus Status: Files per hour limit reached. File forwarding to Sandbox not initiated for some file from" was caused by IMAP which is common for smaller customers to have it activated because of the lack of other infrastructure. But I saw this in scenarios like for Software Developers as well, they are downloading like maniacs.

    One other thing which brings the numbers down is probably that many (at least of mine) customers have DPI-SSL disabled because of the ongoing "inconviniences", these files will never be shown to Capture ATP. I don't have any statistics, I'am only seeing this when it's to late. How does the enduser know he reached the limit? "Block until verdict" message might show some information, but if "Allow file download" is selected it's somewhat of a gamble?

    What troubles me that this value is not communicated to the enduser, just put it in the datasheet and we're settled. Noone likes hidden restrictions, transparency is the way to go. Whenver possible I inform my customers with information I scratched from TSRs etc. but IMHO this is the duty of the maker not the vendor.

    --Michael@BWC

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @BWC ,

    As per my awareness about Capture ATP the file limitations / units are same as below;

    1) Maximum 10MB file size (All supported files type)

    2) Hourly / Concurrent limits

    TZ500/600 - 300 Files /hour (5 concurrent)

    NSA 2600/3600/4600 - 900 files /hour (15 concurrent)

    NSA 5600 /6600 - 1500 Files /hour (25 concurrent)

    SM 9200 - 3000 files /hour (50 concurrent)

    SM 9400 - 4500 files /hour (50 concurrent)

    SM 9600 - 9000 files /hour (50 concurrent)

    I dont have much information about the new launch devices about the Capture ATP limitation.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Ajishlal

    that's the listing I've got back in 2018 as well and I guess noone besides SNWL do have the full information because it's not published.

    --Michael@BWC

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @BWC,

    Yes. Sonicwall not published any ware those information.

    But in your initial thread you mentioned that, "Capture ATP on a TZ 400 and 670 shows 50 and on a NSA 4600 the value is 900". so I got curious about those models because as per my knowledge it will support 300 files / hour with 5 concurrent files.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    That's what the TSR was telling me.

    --Michael@BWC

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @BWC ,

    One of my SOHO 250 will do 50 Files /hour. See the TSR screenshot from SOHO 250.


  • BWCBWC Cybersecurity Overlord ✭✭✭

    Yep, that seems the minimum for SOHO 250 up to TZ 400. Same value, as mentioned before, redicules low for Gen7 devices but @MasterRoshi got it addressed.

    --Michael@BWC

  • LarryLarry All-Knowing Sage ✭✭✭✭

    Resurrecting this post on March 11, 2022, because I just experienced this rather shocking incident with a Gen 7 TZ270W this morning.

    My RMM software has an "agent health check" routine that reviews the files that are on the client computer and compares them to a current list in the cloud. It then packages the changed DLLs and EXE files into individual zipped packages for download and installation.

    The routine kicked off earlier this morning, following a new RMM agent installation, and every one of the more than 200 files went through the sandbox. Or so I thought.

    The "Notice" message - Gateway Anti-Virus Status: Files per hour limit reached. File forwarding to Sandbox not initiated for: - appears 54 times in the past two hours.

    So if, on the very odd chance that one of these files contained malicious code (a la Kaseya), without inspection, it is going to end up getting past my firewall and installed on the client's computer.

    That's just terrific! Must be one of those BOUNDLESS features they don't talk up...

  • LarryLarry All-Knowing Sage ✭✭✭✭

    I honestly don't like it when I have to refer to a past post to re-affirm that a limitation of a security scanning service is not a good thing...

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    SM 9250 Capture ATP Limitation:

    Maximum number of files transferable per hour:

       In Appliance mode                 : 10000.

       In Cloud mode                     : 3000.

       Value in use currently            : 3000.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Well this is one of these threads which got nowhere, SNWL IMHO never addressed this properly. At least Brook does not have to bother anymore and hopefully Fortinet handles this in a different way.

    --Michael@BWC

  • LarryLarry All-Knowing Sage ✭✭✭✭

    New Support Case 43967952 - Maximum number of files transferable per hour for Capture ATP is TOO LOW!

  • EnaEna SonicWall Employee

    Hi Everyone,

    Thanks for all your feedback.

    This sounds like a product enhancement, handled by our product management team. I'll flag this post with them, to see if it's something we can put on our product roadmap.

    Let me know if you have any questions in the meantime.

Sign In or Register to comment.