Cylance Protect continuously pulls information from Cylance's cloud-based servers, and it sends file fragments to Cyalnce for analysis. This can increase CPU utilization, the number of connections, and bandwidth utilization on your ProxySG appliance.
Cylance Protect uses at least one persistent connection per client, in some cases two connections per client.
Cylance uses AWS cloud to deliver updates, so by default the destination IP addresses are dynamic and cannot be easily predicted in order to identify traffic going to Cylance Protect servers.
If requested, Cylance can provide your organization with static IP addresses for their update servers so clients can be allowed out to update to these destination IP addresses only. This is however not ideal and may pose a security risk.
Disabling SSL interception and adding a 'do not cache' rule for the domains used by Cyclance Protect should minimize the impact of Cylance Protect traffic. See the following links for policy details: