Troubleshooting Capture ATP
03/26/2020
This article describes common troubleshooting steps for when Capture ATP is not working as expected, for example:
- Capture ATP is not sending files to the backend for scanning
- Block Until Verdict is blocking all files and a verdict is never returned
- The Capture ATP Status page shows no files sent to the backend during the last few days
Sometimes Capture ATP stops working due to:
- a full cache
- environmental issues
- packets being dropped on the ISP side
Here are some basic troubleshooting steps and changes that can be applied to fix Capture ATP on your firewall.
- Make sure firmware version 6.2.9 or later is installed: it includes many fixes related to Capture ATP.
- Go to the diag page (enter https://IPofyourSonicWall/diag.html in the browser's address bar) and check the following options:
  - Set UFTP retransmit buffer size to 10 Mbytes
  - Lower the UFTP MTU to 1024 bytes
  - Enable Pseudo-randomize source port for UFTP
  - Click Accept at the top of the page
- Clear the following caches on the diag page:
  - Reset Capture ATP Cache
  - Reset Cloud AV cache
  - Reset HTTP Clientless Notification Cache
After applying all the steps above, please restart your firewall (if you have an HA pair you will have to force a failover and then failback).
NOTE: Make sure that ports 2259 to 2280 are not being blocked by any upstream device. Run a packet capture on System | Packet Monitor to see whether the firewall is correctly generating the packets (they are displayed as Generated).
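To go one step beyond checking for Generated packets, the following added example (not SonicWall code) counts traffic to and from ports 2259 to 2280 in an exported capture, so that outbound packets with no replies stand out. It assumes UFTP runs over UDP and that the capture is a classic libpcap file with Ethernet framing; the function names and the sample addresses are constructed for illustration.

```python
import struct

UFTP_PORTS = range(2259, 2281)  # ports 2259 to 2280 from the note above

def uftp_summary(pcap_bytes):
    """Count UDP packets sent to / received from the UFTP port range."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    sent = received = 0
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Keep only untagged Ethernet II frames carrying IPv4 with protocol 17 (UDP)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        ports = frame[14 + ihl:14 + ihl + 4]
        if len(ports) < 4:
            continue
        sport, dport = struct.unpack("!HH", ports)
        if dport in UFTP_PORTS:
            sent += 1
        elif sport in UFTP_PORTS:
            received += 1
    return {"sent": sent, "received": received, "one_way": sent > 0 and received == 0}

def _frame(src, dst, sport, dport):
    udp = struct.pack("!HHHH", sport, dport, 9, 0) + b"x"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def constructed_capture(with_reply=False):
    """Constructed sample: three outbound UFTP packets plus one unrelated DNS query."""
    fw, backend = [192, 0, 2, 10], [198, 51, 100, 20]  # documentation addresses
    frames = [_frame(fw, backend, 40000 + i, 2259) for i in range(3)]
    frames.append(_frame(fw, [192, 0, 2, 53], 40010, 53))
    if with_reply:
        frames.append(_frame(backend, fw, 2259, 40000))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(uftp_summary(constructed_capture()))
```

A result with `one_way` set to true is consistent with an upstream device or the ISP dropping the traffic; it does not by itself identify where the drop happens.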
If the issue persists, contact SonicWall Support to look into this further.