Capture ATP is not scanning files
12/13/2023
Description
This article describes the steps to perform while troubleshooting Capture ATP when it does not scan files.
Sometimes files are not scanned and therefore do not appear under the scan history. This document will help analyze the issue.
Cause
This can be related to the following:
- Misconfiguration
- HA serial number mismatch when setting up the HA primary and secondary
- DPI SSL not working
- File size more than 10 Mb
- Same file is scanned twice
- GAV related
- Exceptions
- Cache full
Resolution
1. First, check that all the settings are correct and that the file types are correctly selected.
2. HA serial number mismatch when setting up the HA primary and secondary.
This is possible after an RMA; if you see this problem after an RMA, there is a high likelihood that it is caused by an HA serial number mismatch.
a) Verify the HA association on mysonicwall.com and ensure that the primary unit has the same serial number as the one listed on mysonicwall.com.
b) Verify the TSR and ensure that the serial numbers set up for the primary and secondary firewall are the same as the ones on mysonicwall.com.
TIP: If you find there is an HA serial number mismatch, do the following:
1. Disable HA on the actual primary firewall and take a configuration backup from the firewall that is primary as per the mysonicwall.com association.
2. Hard reset both units.
4. First power up the actual primary device as per the mysonicwall.com association.
5. Import the previously taken backup.
7. Power up the secondary the same way (safe mode -> boot into default configuration).
8. Do not connect the HA cable yet.
9. Enable HA on the primary device that is up. Set up the serial numbers correctly in the HA settings.
10. Connect the secondary to the primary on the HA ports as configured in the HA settings; only the HA cable for now.
11. Once the secondary shows standby in the HA status of the primary, connect all other network cables.
12. Once everything is connected, fail over to the secondary, register the device and sync the license.
13. Test the Capture ATP setup by submitting a sample:
- Navigate to Policy | Capture ATP | Scanning History and click the Submit a Sample box to open the Submit a Sample dialog box.
- Browse and select a file, then click the Upload button to send it.
3. How to setup sandbox inspection for unknown threats using Capture Advanced Threat Protection | SonicWall
4. Capture Advanced Threat Protection Feature Overview | SonicWall
Under the Advanced option, check whether there are any exclusions and confirm that the system on which the test is performed is not on the exclusion list (if there is one).
Also confirm whether any file type is excluded under the Advanced option.
The file size should not be more than 10 Mb; this can be confirmed under the Maximum file size to scan option.
Also check the KB below to reset the cache and for a few other steps:
Capture ATP does not inspect files or it takes too long | SonicWall
A reset of the cache is necessary if you are trying to download the same file again.
Make sure that GAV (also enabled on the concerned zone) and DPI SSL (also enabled on the access rule) are enabled.
Check for the ATP server IP in the TSR, then run a packet capture and see whether any packet matches the ATP server IP.
If not, packets are not going to the ATP server and therefore no scan is seen.
It must also be confirmed that the website shows the SonicWall DPI SSL certificate under "Issued by". If it does not, the scan will not work.
Download the DPI SSL certificate and install it on the client (in the Local Machine store, not the current User store).
Check for any exclusion under the Advanced option. Confirm the client IP and check it against the exclusion list, if any.
Lastly, check that GAV is also configured properly.
Click Configure under GAV and check for any exceptions there.
Remove the affected client or disable the exception to confirm.
All of the above steps will help fix the issue.
NOTE: If "Block file till verdict is returned" is selected, the file must be downloaded twice for it to work.
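Added example (not SonicWall code): a small Python triage helper that walks the checklist above in order and reports the first reason a given download would not reach Capture ATP. The settings keys, the hash-keyed verdict cache and the 10 Mb limit expressed in bytes are assumptions made for this example.

```python
import hashlib
import ipaddress

# Constructed settings modelling the options the article names. The key names are
# assumptions for this example, not SonicWall's real configuration schema.
DEFAULT_SETTINGS = {
    "enabled_types": {"exe", "pdf", "docx", "zip"},  # file types selected for Capture ATP
    "excluded_types": set(),                         # Advanced option: excluded file types
    "excluded_clients": [],                          # Advanced option: excluded client networks (CIDR)
    "max_file_bytes": 10 * 1024 * 1024,              # "Maximum file size to scan" (10 Mb on the page)
    "dpi_ssl_enabled": True,                         # DPI SSL client inspection on
    "gav_enabled_on_zone": True,                     # GAV enabled on the relevant zone
}


def why_not_scanned(file_name, file_bytes, client_ip, is_https, settings, verdict_cache):
    """Return None when Capture ATP is expected to scan the file, otherwise the
    first reason from the article's checklist explaining why it would be skipped.
    verdict_cache maps SHA-256 -> verdict and stands in for the firewall's cache
    (assumption: it is keyed by file hash)."""
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext not in settings["enabled_types"]:
        return f"misconfiguration: file type '{ext}' is not selected for scanning"
    if ext in settings["excluded_types"]:
        return f"exception: file type '{ext}' is excluded under Advanced options"
    ip = ipaddress.ip_address(client_ip)
    for net in settings["excluded_clients"]:
        if ip in ipaddress.ip_network(net, strict=False):
            return f"exception: client {client_ip} matches exclusion {net}"
    if len(file_bytes) > settings["max_file_bytes"]:
        limit = settings["max_file_bytes"]
        return f"file size {len(file_bytes)} exceeds maximum file size to scan ({limit})"
    if is_https and not settings["dpi_ssl_enabled"]:
        return "DPI SSL not enabled: HTTPS payload cannot be inspected"
    if not settings["gav_enabled_on_zone"]:
        return "GAV not enabled on the zone: nothing is handed to Capture ATP"
    digest = hashlib.sha256(file_bytes).hexdigest()
    if digest in verdict_cache:
        return f"cached verdict '{verdict_cache[digest]}': same file already scanned, reset the cache"
    verdict_cache[digest] = "pending"  # first sight: submitted, appears in scan history
    return None


if __name__ == "__main__":
    cache = {}
    sample = b"%PDF-1.4 constructed sample " * 4  # constructed bytes, not a real document
    print(why_not_scanned("report.pdf", sample, "10.0.0.5", False, DEFAULT_SETTINGS, cache))
    print(why_not_scanned("report.pdf", sample, "10.0.0.5", False, DEFAULT_SETTINGS, cache))
```

The second call on the same bytes returns the cache reason, which is the "same file scanned twice" case the article tells you to clear by resetting the cache.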