Custom Emulation Connection Handling Mode

What can I do here?

Use this window to configure the handling mode for SMTP and HTTP services.

Getting Here - Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Threat Emulation > Advanced > Custom - configure handling mode depending on the service > Customize

Service Mode Options

Emulation Connection Handling Mode lets you configure Threat Emulation to allow or block a connection while it finishes the analysis of a file. You can also specify a different mode for SMTP and HTTP services.

• Background - The connection is allowed and the file goes to the destination even if the emulation is not finished.
• Hold - A connection that must have emulation is blocked and Threat Emulation holds the file until the emulation is complete. This option can create a time-delay for users to receive emails and files.

  For configurations that use Hold mode for SMTP traffic, we recommend that you an MTA deployment.

Using an MTA

You can enable the Security Gateway as an MTA (Mail Transfer Agent) to manage the emulation of SMTP traffic. It is possible that during file emulation, the email server cannot keep the connection open for the time that is necessary for full emulation. When this happens, there is a timeout for the email. A Threat Emulation deployment with an MTA avoids this problem, the MTA completes and closes the connection with the source email server and then sends the file for emulation. After the emulation is complete, the MTA sends the email to the mail server in the internal network.

• For topologies that use TLS between the Security Gateway and the mail server, Threat Emulation must use an MTA to decrypt emails for emulation.
• When Threat Emulation identifies that an email attachment is malicious, the MTA removes the attachment and sends the safe email.
• We recommend that you use an MTA for Threat Emulation profile settings that block SMTP traffic. Without an MTA, it is possible that safe emails are dropped and do not reach the computers in the internal network.

To use the Security Gateway as an MTA:

1. Enable the Security Gateway as an MTA.
2. Configure the network to forward emails to the MTA.