Traps protects data center endpoints such as servers and VMs against malware and exploits on the endpoint itself, while the next-generation firewall protects against threats that cross the network (and therefore must traverse the firewall) to reach the endpoint. When malware or exploits are already on an endpoint or get onto an endpoint, if the endpoint executes the threat (for example, through an .exe or .dll file), the firewall doesn’t see the threat because the action is on the endpoint and no traffic crosses the firewall, so there’s nothing for the firewall to see. However, on each endpoint, Traps sees threats in executables, macros in documents, dynamic-link library files, and more. When these threats attempt to run, Traps goes into action on the endpoint itself and protects the endpoint.

Traps and the next-generation firewall provide a double layer of protection to data center endpoints so that the firewall protects endpoints from threats on the network while Traps monitors and protects endpoints against threats that reside on the endpoint. The security policy you configure for endpoints on an Endpoint Security Manager (ESM) and the security policy you configure on Panorama or on the firewall don’t conflict because they govern different events at different locations. Traps controls security within each individual endpoint. The firewall controls security of traffic that traverses the firewall.

Install Traps on every data center endpoint. The best practices for Traps in the data center are the same as the best practices for Traps on any endpoint because the context for Traps is always the endpoint itself, so the context “in the data center” or “in a user group” doesn’t matter—Traps protects all endpoints the same way. So the recommended traps deployment process, the malware protection policy best practices, etc., are the same for the data center as for any other area of the network.