On the Advanced Threat Protection > Global tab, you can activate the Advanced Threat Protection System of Sophos UTM.

To enable Advanced Threat Protection, proceed as follows:

  1. Enable the Advanced Threat Protection system.

    Click the toggle switch.

    The toggle switch turns amber and the Global Settings area becomes editable.

  2. Specify the following settings:

    Policy: Select the security policy that the Advanced Threat Protection system should use if a threat has been detected.

    • Drop: The data packet will be logged and dropped.
    • Alert: The data packet will be logged.

    Network/host exceptions: Add or select the source networks or hosts that should be exempt from being scanned for threats by Advanced Threat Protection. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.

    Threat exceptions: Add destination IP addresses or domain names that you want to skip from being scanned for threats by Advanced Threat Protection. This is the place where you would add false positives to prevent them from being detected as threat. Examples: or Add exact strings for ATP to match. Example: will allow while will still be blocked.

    Caution – Be careful with specifying exceptions. By excluding sources or destinations you may expose your network to severe risks.

  3. Click Apply.

    Your settings will be saved.

    The switch turns green.

If enabled, and a threat is detected, it will be listed on the Network Protection page. A notification will be sent to the administrator if enabled on the Management > Notifications > Notifications page. The notification is set by default for drop and alert.

Cross Reference – Find information about configuring Advanced Threat Protection in the Sophos Knowledge Base.

Live Log

The Advanced Threat Protection live log can be used to monitor the detected threats. Click the button to open the live log in a new window.

Note – IPS and Web Proxy threats will not be displayed in the Live Log.