Test the security connector

Before you begin

Make sure you have configured a policy in Enterprise Threat Protector (ETP) to send malicious traffic to the security connector. See Assign security connectors to a policy.

After you set up Security Connector as a DNS sinkhole, run a test to verify that suspicious or malicious traffic is directed to the security connector. In this procedure, test domains are provided to confirm that the security connector treats them as malicious domains.

How to

  1. On a computer that is protected by ETP, open a browser and navigate to each of the following domains:
    • www.akamaietpphishingtest.com
    • www.akamaietpcnctest.com
    • www.akamaietpmalwaretest.com

    When navigating to these domains, your browser is directed to the security connector where information about the request and your computer is recorded. If the browser indicates that the webpage is unavailable, then you have successfully performed this step.

  2. After a few minutes, verify that events are reported in ETP:
    1. In the ETP navigation menu, select Monitoring > Events. Click the Threat Events tab.
      Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Threat Analytics > Events > Threat Events.
    2. On the Threat Events tab, confirm that each test domain produced an event. Locate the domain in the grouped events area and review the associated event.
    3. In the Correlation column, click View. You are directed to a dialog where Security Connector event information is provided, including the Affected Internal IP. This is the IP address of the machine that made the request.
      Note: Although this step shows threat events that correspond to Security Connector events, not all DNS traffic has a corresponding Security Connector event. This may occur for these reasons:
      • DNS resolutions are cached in the local DNS cache and on the Enterprise DNS Resolver. ETP reports the first DNS resolution. However, subsequent requests for the same domain are resolved wherever the resolution is cached.
      • Malware uses DNS to exfiltrate data and, as a result, the domain is resolved on the attacker's server.
    4. Repeat steps 2b and 2c for the remaining threat events.
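
To check the DNS side of step 1 from a command line before you open the browser, you can use a script like the following. It is an added example, not part of the ETP or Security Connector software. It assumes that the policy answers the test domains with the IP address of your security connector, and 192.0.2.10 is a placeholder for that address.

```python
import socket
import sys

# Test domains listed in step 1 of this procedure.
TEST_DOMAINS = (
    "www.akamaietpphishingtest.com",
    "www.akamaietpcnctest.com",
    "www.akamaietpmalwaretest.com",
)


def resolve_ipv4(name):
    """Return the set of IPv4 addresses the system resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # NXDOMAIN, resolver failure, or no A record
    return {info[4][0] for info in infos}


def check_sinkhole(connector_ip, domains=TEST_DOMAINS, resolver=resolve_ipv4):
    """Map each domain to 'sinkholed', 'unresolved', or 'not sinkholed: <ips>'."""
    results = {}
    for name in domains:
        addrs = resolver(name)
        if not addrs:
            results[name] = "unresolved"
        elif addrs == {connector_ip}:
            # Assumption: a sinkholed answer is exactly the connector address.
            results[name] = "sinkholed"
        else:
            results[name] = "not sinkholed: " + ", ".join(sorted(addrs))
    return results


if __name__ == "__main__":
    # Placeholder address; pass your security connector IP as the first argument.
    connector_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_sinkhole(connector_ip)
    for name, status in results.items():
        print(f"{name:35} {status}")
    # A non-zero exit status means at least one test domain was not sinkholed.
    sys.exit(0 if all(s == "sinkholed" for s in results.values()) else 1)
```

This script checks only the DNS answer. The browser request in step 1 is still needed for the security connector to record the request and your computer.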

Next steps

Add the email addresses of administrators or other users within your organization that you want notified when a software upgrade is available for the security connector. See Add email addresses for Security Connector upgrade notifications.