Configuring Browser Security Policy
The Browser Security policy contains these components:
- Access Control - defines which websites, applications, categories, and GenAI websites users are permitted to access. See Configuring Access Control Policy.
- Secure Browsing - protects users from web-based threats by inspecting browser activity and enforcing protections such as phishing prevention and password reuse protection. See Secure Browsing Policy.
- Data Loss Prevention (DLP) - protects sensitive data from exposure by monitoring and controlling data actions in the browser. See DLP Policy.
Before you configure a security policy, think about the security of your network and convenience for your users. A policy should permit users to work as freely as possible, but also reduce the threat of attack from malicious third parties.
You can add more rules to each Rule Base and edit rules as necessary. Changes are enforced after the policy is installed.
Policy Model and Evaluation Logic
Policies define how Browser Security capabilities enforce actions when conditions are met. Each policy consists of a set of ordered rules, each evaluated independently within its capability.
Rule Structure
All Browser Security policies share a consistent rule structure. Each field defines a specific aspect of how and when a rule is enforced.
- Source - Defines who the rule applies to.
  Available options:
  - Selected Users/groups
  - Entire organization
- Destination - Defines where the rule is applied.
  Available options:
  - Any destination
  - GenAI platform
  - Selected application
  - Specific Destination - URL, domain, category, or profile
- Action - Defines what enforcement action is taken when the rule's conditions are met.
  Available options:
  - Block
  - Allow
  - Ask
- Logging - Defines whether events generated by this rule are saved and displayed in the Events view.
  Available options:
  - Enabled - Events generated by this rule are logged.
  - Disabled - Events generated by this rule are not logged.
- Status - Defines whether the rule is currently enforced.
  Available options:
  - Active
  - Inactive
Evaluation Behavior
Rules are evaluated top-down in priority order. The first rule that matches the incoming request is applied; if no rule matches, the default behavior takes effect.
Matching can be based on three dimensions:
- Source
- Destination
- Context (such as event type or data type)
Each capability uses only the dimensions relevant to its scope.
Default Behavior by Capability
- Access Control
  Default behavior: Allow
  If no rule matches, access to the destination is allowed.
- Secure Browsing
  Default behavior: No Secure Browsing enforcement
  If no rule matches, Secure Browsing protections are not applied.
- Data Loss Prevention (DLP)
  Default behavior: Allow
  If no rule matches, the data action is allowed.
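The first-match evaluation and per-capability defaults described above, as a simplified Python model that also flags rules an earlier, broader rule makes unreachable. This is an added example, not Check Point code: the Rule class, the "*" wildcard, the group and domain names, and the treatment of Inactive rules as skipped are assumptions, and the Context dimension is left out.

```python
from dataclasses import dataclass

# Behavior when no rule matches, per capability (values as stated on this page).
DEFAULTS = {"access_control": "Allow",
            "secure_browsing": "No Secure Browsing enforcement",
            "dlp": "Allow"}

@dataclass
class Rule:
    name: str
    source: set           # user/group names; {"*"} stands for "Entire organization"
    destination: set      # domains/categories; {"*"} stands for "Any destination"
    action: str           # "Block", "Allow" or "Ask"
    active: bool = True   # Status field (assumption: Inactive rules are skipped)
    logging: bool = True  # Logging field

def _matches(field, values):
    """A rule field matches when it is a wildcard or shares a value with the request."""
    return "*" in field or bool(field & values)

def evaluate(rules, capability, identities, destinations):
    """Top-down, first match wins. Returns (action, rule name, logging)."""
    for rule in rules:
        if (rule.active and _matches(rule.source, identities)
                and _matches(rule.destination, destinations)):
            return rule.action, rule.name, rule.logging
    return DEFAULTS[capability], None, None  # no rule matched: capability default

def _covers(outer, inner):
    """True when every request matching `inner` also matches `outer`."""
    return "*" in outer or ("*" not in inner and inner <= outer)

def shadowed(rules):
    """Active rules that can never fire because one earlier active rule covers them."""
    active = [r for r in rules if r.active]
    return [later.name for i, later in enumerate(active)
            if any(_covers(e.source, later.source)
                   and _covers(e.destination, later.destination)
                   for e in active[:i])]

# Constructed rule base; every name, group and domain here is illustrative.
RULES = [
    Rule("allow-eng-genai", {"engineering"}, {"genai"}, "Allow"),
    Rule("block-genai", {"*"}, {"genai"}, "Block"),
    Rule("block-eng-chat", {"engineering"}, {"chat.example.com"}, "Block", active=False),
    Rule("ask-contractors-genai", {"contractors"}, {"genai"}, "Ask"),
]

if __name__ == "__main__":
    print(shadowed(RULES), evaluate(RULES, "access_control", {"finance"}, {"news.example.org"}))
```

In the sample, the contractors rule is never reached because the organization-wide Block above it matches first, and a destination that no rule names falls through to the Access Control default of Allow.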