After you set up Security Connector as a DNS sinkhole, run a test to verify that suspicious or malicious traffic is directed to the security connector. In this procedure, test domains are provided to confirm that the security connector treats them as malicious domains.
How to
1. On a computer that is protected by ETP, open a browser and navigate to each of the following domains:
   - www.akamaietpphishingtest.com
   - www.akamaietpcnctest.com
   - www.akamaietpmalwaretest.com
   When navigating to these domains, your browser is directed to the security connector where information about the request and your computer is recorded. If the browser indicates that the webpage is unavailable, then you have successfully performed this step.
2. After a few minutes, verify that events are reported in ETP:
   a. In the ETP navigation menu, select . Click the Threat Events tab.
      Note: If you are trying the new Enterprise Center interface, in the navigation menu, select .
   b. On the Threat Events tab, confirm that each test domain produced an event. Locate the domain in the grouped events area and review the associated event.
   c. In the Correlation column, click View. You are directed to a dialog where Security Connector event information is provided, including the Affected Internal IP. This is the IP address of the machine that made the request.
      Note: Although this step shows threat events that correspond to Security Connector events, not all DNS traffic has a corresponding Security Connector event. This may occur for these reasons:
      - DNS resolutions are cached on the local DNS cache and the Enterprise DNS Resolver. ETP reports the first DNS resolution. However, subsequent requests for the same domain are resolved wherever the resolution is cached.
      - Malware uses DNS to exfiltrate data and as a result, the domain is resolved on the attacker's server.
   d. Repeat steps 2b and 2c for the remaining threat events.
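
The browser check in step 1 can also be run from a script on the protected computer. The following is an added example, not part of the original documentation or of Akamai's tooling; it assumes that a sinkholed domain resolves to the security connector's IP address, and the address 192.0.2.10 and the function names are placeholders.

```python
import socket
import sys

# Test domains listed in step 1 of the procedure.
TEST_DOMAINS = (
    "www.akamaietpphishingtest.com",
    "www.akamaietpcnctest.com",
    "www.akamaietpmalwaretest.com",
)

def system_resolve(domain):
    """Return the IPv4 addresses the OS resolver gives for domain (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_sinkhole(connector_ip, resolve=system_resolve, domains=TEST_DOMAINS):
    """Classify each test domain by comparing its answers with the connector IP."""
    results = {}
    for domain in domains:
        addrs = set(resolve(domain))
        if not addrs:
            results[domain] = "no-answer"        # no IPv4 answer was returned
        elif addrs == {connector_ip}:
            results[domain] = "sinkholed"        # every answer is the connector
        else:
            results[domain] = "not-sinkholed"    # an answer points somewhere else
    return results

if __name__ == "__main__":
    # Assumption: pass your security connector's IP as the first argument;
    # 192.0.2.10 is a documentation placeholder, not a real connector address.
    connector = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    outcome = check_sinkhole(connector)
    for domain, status in outcome.items():
        print(f"{status:14} {domain}")
    sys.exit(0 if all(s == "sinkholed" for s in outcome.values()) else 1)
```

A repeat run may be answered from the local DNS cache, so it confirms the sinkhole address without necessarily producing a new threat event in ETP.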
Next steps
Add email addresses of administrators or other users within your organization that you want notified when there is a software upgrade available for the security connector. See Add email addresses for Security Connector upgrade notifications.