Know more about the disconnection issues that happen between Smart Protection Server and Deep Security.
When Web Reputation Services (WRS) is used and the profile/agents are set to connect to a local Smart Protection Server, users get frequent disconnection alerts in the Deep Security Manager (DSM).
The alerts possible occur because of the following scenarios:
- When there is a temporary communication issue, the alert on the Deep Security Manager remains until it is dismissed by the customer. Having the alert could be misinterpreted as an actual issue even if it is not. When the alert for “Smart Protection disconnected” is raised in DSM, it requires an administrator to clear the warnings/errors as this alert will not dismiss itself. Therefore, even after the server has been reconnected, the alert will remain.
- The setting below is linked closely to the location awareness feature in Deep Security.
- In Deep Security 8.0: When roaming, use Global Smart Protection Service when local Smart Protection Server is not available.
- In Deep Security 9.0: When off domain, connect to global Smart Protection Service. (Windows only)
If you have a machine that is on a domain and you have a local SPS with the abovementioned setting enabled, then DSA will check for the domain controller (using an ICMP ping) at a regular interval. If the domain controller is present, DSA will assume that you are on the domain and will continue to use the local SPS. However, if connection to the domain controller cannot be established, the agent will assume that you are “Off domain” and will switch to using global SPS instead.
If you enabled the option on a machine that is not part of a domain or a machine that cannot ping the domain controller (because of a firewall rule, for example), then that machine will always use the global SPS. Therefore, this option should only be selected for machines that are part of a domain and have the potential to go off domain (i.e. laptops). It is not meant as a failover in case the local Smart Protection Server fails.
Deep Security has a complex design to determine connectivity and to report lost connectivity to/from Smart Protection Server.
- For Anti-malware, Deep Security is dependent on the AMSP component to determine if the Smart Protection Server can be detected. If a file is being scanned, AMSP may try to connect to the Smart Protection Server. If AMSP is unable to connect to SPS, then it raises an internal event that the Deep Security Agent receives and uses to mark the server as suspect.
Deep Security tries to connect to each suspect server (as there may be multiple in the case of local Smart Protection Servers) every five minutes and waits for five seconds for the connection to complete. If DS does not get a connection within five seconds, then it will try again for two more times (total of three tries). If it still cannot connect to any of the servers, it marks the server as disconnected and reports to DSM that the specific SPS is disconnected from Smart Scan.
Deep Security will then try again every five minutes and recheck all those servers marked as disconnected. If the server gets reconnected, then DSA will notify the Deep Security Manager and a Smart Protection Server Connected event will be returned.
- WRS is handled differently because of WRS caching. When a URL is accessed, DSA may attempt to connect to the Smart Protection Server if the URL is not yet cached. If DSA is unable to connect to the server, it will raise an event and report to the Deep Security Manager that the Smart Protection Server is disconnected from Smart Scan for Web Reputation. This event will be generated every five minutes.
For WRS, users can only detect whether the server is down. By default, there is no way to detect once the server is up because of the local and web caching effects. Therefore, there is no “reconnected” event for WRS.
These details hold true in all situations. However, in the case of local Smart Protection Server, when the “When Roaming” check box is selected, the reporting and checking behavior is different.