I have been working through the quick start instructions for configuring Sky ATP (free tier). I have used the following for reference:
Whilst articles 1 and 2 are essentially the same, 3 does differ. I have tried to reconcile the example configurations and have come up with the following:
set services advanced-anti-malware policy aamw_policy verdict-threshold recommended
set services advanced-anti-malware policy aamw_policy http action permit notification log
set services advanced-anti-malware policy aamw_policy http inspection-profile default_profile
set services security-intelligence profile secintel_profile category Infected-Hosts
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10
set services security-intelligence profile secintel_profile rule secintel_rule then action block drop
set services security-intelligence policy secintel_policy Infected-Hosts secintel_profile
set security policies from-zone Trust to-zone Untrust policy 1 match source-address any
set security policies from-zone Trust to-zone Untrust policy 1 match destination-address any
set security policies from-zone Trust to-zone Untrust policy 1 match application any
set security policies from-zone Trust to-zone Untrust policy 1 then permit application-services advanced-anti-malware-policy aamw_policy
set security policies from-zone Trust to-zone Untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
One line, i.e. set services security-intelligence profile secintel_profile rule secintel_rule then action block drop, is different from the other two articles, which list the action as permit, i.e. the exact opposite. Which one is it?
Apart from the difference highlighted above, how does this config look to people who have been through this pain already?