Capture ATP - maximum number of Files per hour

while browsing through a TSR I've got reminded of a limit I was curious about for a while. It raised my attention when the CSa got announced.
The value for "Maximum number of files transferable per hour:" for Capture ATP on a TZ 400 and 670 shows 50 and on a NSA 4600 the value is 900.
Aren't these values ridicules low, considerung the potential power of a TZ 670 for example? Even the smallest customer is hitting these limits pretty fast.
Category: Entry Level Firewalls
Well, according to the data that I saw in the past, even the largest firewalls were not submitting that many an hour. If a small office was pulling down 50 files an hour that were neither on the allow or block list, I would like to know what is happening. I will ask the team to see what they are seeing from the data.
@BWC , a file will only be sent once and then we keep the hash for a while so that if someone else downloads it in the future, we can do a static lookup instead of dynamic analysis (actual transfer of the file). It is rare to run into that many unique never-before seen files in such a small time period in one environment but I agree that the Gen7 TZ numbers could be higher than the Gen6 models.
@Sathya -- can you review this?
I have similar issue at earlier, I don't know is it a bug or something else.
ATP inspect every JS script from internet. This make the file limit overloaded on few seconds.
Hi @BrookChelmo
thanks for looking into this.
It was 2018 when I first reported this to my local contacts (SE and Territory Manager) and I'am having somewhat of a Deju-vu because the answer back than was similar. "Our data shows this not relevant".
This might be true for the majority, but the problem is that there are minorities as well who are decided to go along with Capture ATP.
Back in 2018 the message "Gateway Anti-Virus Status: Files per hour limit reached. File forwarding to Sandbox not initiated for some file from" was caused by IMAP which is common for smaller customers to have it activated because of the lack of other infrastructure. But I saw this in scenarios like for Software Developers as well, they are downloading like maniacs.
One other thing which brings the numbers down is probably that many (at least of mine) customers have DPI-SSL disabled because of the ongoing "inconviniences", these files will never be shown to Capture ATP. I don't have any statistics, I'am only seeing this when it's to late. How does the enduser know he reached the limit? "Block until verdict" message might show some information, but if "Allow file download" is selected it's somewhat of a gamble?
What troubles me that this value is not communicated to the enduser, just put it in the datasheet and we're settled. Noone likes hidden restrictions, transparency is the way to go. Whenver possible I inform my customers with information I scratched from TSRs etc. but IMHO this is the duty of the maker not the vendor.
Hi @BWC ,
As per my awareness about Capture ATP the file limitations / units are same as below;
1) Maximum 10MB file size (All supported files type)
2) Hourly / Concurrent limits
TZ500/600 - 300 Files /hour (5 concurrent)
NSA 2600/3600/4600 - 900 files /hour (15 concurrent)
NSA 5600 /6600 - 1500 Files /hour (25 concurrent)
SM 9200 - 3000 files /hour (50 concurrent)
SM 9400 - 4500 files /hour (50 concurrent)
SM 9600 - 9000 files /hour (50 concurrent)
I dont have much information about the new launch devices about the Capture ATP limitation.
Hi @Ajishlal
that's the listing I've got back in 2018 as well and I guess noone besides SNWL do have the full information because it's not published.
Hi @BWC,
Yes. Sonicwall not published any ware those information.
But in your initial thread you mentioned that, "Capture ATP on a TZ 400 and 670 shows 50 and on a NSA 4600 the value is 900". so I got curious about those models because as per my knowledge it will support 300 files / hour with 5 concurrent files.
That's what the TSR was telling me.
Hi @BWC ,
One of my SOHO 250 will do 50 Files /hour. See the TSR screenshot from SOHO 250.
Yep, that seems the minimum for SOHO 250 up to TZ 400. Same value, as mentioned before, redicules low for Gen7 devices but @MasterRoshi got it addressed.
Resurrecting this post on March 11, 2022, because I just experienced this rather shocking incident with a Gen 7 TZ270W this morning.
My RMM software has an "agent health check" routine that reviews the files that are on the client computer and compares them to a current list in the cloud. It then packages the changed DLLs and EXE files into individual zipped packages for download and installation.
The routine kicked off earlier this morning, following a new RMM agent installation, and every one of the more than 200 files went through the sandbox. Or so I thought.
The "Notice" message - Gateway Anti-Virus Status: Files per hour limit reached. File forwarding to Sandbox not initiated for: - appears 54 times in the past two hours.
So if, on the very odd chance that one of these files contained malicious code (a la Kaseya), without inspection, it is going to end up getting past my firewall and installed on the client's computer.
That's just terrific! Must be one of those BOUNDLESS features they don't talk up...
I honestly don't like it when I have to refer to a past post to re-affirm that a limitation of a security scanning service is not a good thing...
SM 9250 Capture ATP Limitation:
Maximum number of files transferable per hour:
In Appliance mode : 10000.
In Cloud mode : 3000.
Value in use currently : 3000.
Well this is one of these threads which got nowhere, SNWL IMHO never addressed this properly. At least Brook does not have to bother anymore and hopefully Fortinet handles this in a different way.
New Support Case 43967952 - Maximum number of files transferable per hour for Capture ATP is TOO LOW!
Hi Everyone,
Thanks for all your feedback.
This sounds like a product enhancement, handled by our product management team. I'll flag this post with them, to see if it's something we can put on our product roadmap.
Let me know if you have any questions in the meantime.