Web and Files Protection

URL Filtering

URL Filtering rules define which sites can be accessed from within your organization.

To set the URL Filtering mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under URL Filtering, select a mode:

    • Prevent - The request to enter a site is suspended until a verdict regarding the site is received. Access to the site is blocked if the site matches one of the blocked categories or the blacklist.

      • Allows user to dismiss the URL Filtering alert and access the website.

      • This option is selected by default. It provides the user with access to a blocked site if the end user believes the verdict is unjustified. This option can also be turned off through the Advanced Settings section.

    • Detect - Allows access to a site even if it is determined to be malicious, but logs the traffic.

    • Off - URL Filtering is turned off.

  4. For Advanced Settings, see URL Filtering.

Download Protection

Download Protection rules protect users from malicious content.

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Download Protection, select a mode:

  4. For Advanced Settings, see Download Protection.

Credential Protection

Zero Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.

To set the Zero Phishing mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Zero Phishing, select a mode:

    • Prevent - If a site is scanned and found to be malicious, access to it is blocked and a log of the incident is shown in the Harmony Browse web management log section.

    • Detect - An incident log is sent but access to the site is not blocked. Also, the site scan is silent (invisible to the user).

    • Off - Turns off the feature.

  4. For Advanced Settings, see Credential Protection.

Password Reuse Protection

Alerts users not to use their corporate password in non-corporate domains.

To set the Password Reuse mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Password Reuse, select a mode:

    • Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

    • Detect mode - The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.

    • Off - Turns off password reuse protection.

  4. For Advanced Settings, see Credential Protection.

Safe Search

Search Reputation

Search Reputation is a feature added to search engines that classifies search results based on the URL's reputation.

Notes:

  • It is supported only with Google, Bing, and Yahoo search engines.

  • To enable this feature, ensure that you set URL Filtering Mode to either Prevent or Detect.

To set the Search Reputation mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Search Reputation, select a mode:

    • On - Turns on the feature.

    • Off - Turns off the feature.

When you enable this feature, the icon across the URL in the search results indicates the classification:

  • The website is safe.

  • The website is not safe.

  • The website is blocked by the Administrator.

Note - If the Search Reputation cannot classify a URL, then it does not display an icon across the URL. If you want such URLs to be classified and blocked, then enable the Uncategorized checkbox in URL Filtering > Categories > General Use. The Search Reputation classifies Uncategorized URLs as The website is blocked by the Administrator.

Force Safe Search

Force Safe Search is a feature in search engines that acts as an automated filter for potentially offensive and inappropriate content.

To set the Force Safe Search mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Force Safe Search, select a mode:

    • On - Hides explicit content from the search results.

    • Off - The user sees the most relevant results for their search, which may include explicit content such as violent images.

Main features:

  • When ‘Force Safe Search’ is on, Harmony Browse turns on Safe Search on the supported search engines.

  • It is supported with Google, Bing, and Yahoo search engines.

  • Force Safe Search is off by default.

  • Force Safe Search is supported with Google Chrome and Microsoft Edge browsers.

Advanced Settings

URL Filtering

Note - You must set the URL Filtering Mode to Prevent or Detect to set the Advanced Settings.

Allow user to dismiss the URL Filtering alert and access the website – Allows user to bypass URL filtering and access the website.

Categories

Harmony Browse categorizes websites and you can specify the categories that must be blocked for the user. When you select a category, the URL Filtering rule applies to all sites in the selected category.

To specify the categories to block:

  1. Under Categories, select the category. For example, Bandwidth Consumption.

  2. Click Show and then select the sub-category.

Black List

You can specify specific URLs, domains or IP addresses you want to block.

To black list a domain or IP address, click Show and add the URL, domain or IP address.

Notes:

  • You can add the domain names manually or upload a CSV file with the domain names you want to include in the blacklist.

  • You can use * and ? as wildcards for blacklisting.

    • * matches any string. For example, A* can be ADomain or AB or AAAA.

    • ? matches any single character. For example, A? can be AA or AB or Ab.

  • You can export your blacklist.

  • If you wish to completely block the domain www.test-domain.com, including its sub-domains (sub1.test-domain.com, sub2.test-domain.com, etc.) and the naked domain (test-domain.com, without the www), you need to add two values to the block list:

    • *.test-domain.com

    • test-domain.com
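
A pre-upload check for the two-entry rule above, as an added example (not Check Point code). It assumes each entry is matched against the whole host name, case-insensitively, with only * and ? as wildcards, which this page does not state; the function names and the sample CSV are constructed for illustration.

```python
import csv
import io
import ipaddress
import re

def to_regex(entry):
    """Translate a blacklist entry that uses only * and ? into a regex."""
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(c, re.escape(c)) for c in entry.lower()))

def is_blocked(host, entries):
    """True if any entry matches the whole host name (assumed semantics)."""
    return any(to_regex(e).fullmatch(host.lower()) for e in entries)

def load_entries(csv_text):
    """Collect every non-empty cell of the CSV as one blacklist entry."""
    return [c.strip() for row in csv.reader(io.StringIO(csv_text)) for c in row if c.strip()]

def is_plain_domain(entry):
    """A bare host name: no wildcard, no path or scheme, not an IP address."""
    if any(ch in entry for ch in "*?/:"):
        return False
    try:
        ipaddress.ip_address(entry)
        return False
    except ValueError:
        return "." in entry

def missing_pairs(entries):
    """Entries to add so each listed domain is blocked with its sub-domains."""
    missing = set()
    for e in entries:
        if e.startswith("*.") and is_plain_domain(e[2:]):
            if not is_blocked(e[2:], entries):
                missing.add(e[2:])          # naked domain is not covered
        elif is_plain_domain(e):
            if not is_blocked("sub." + e, entries):
                missing.add("*." + e)       # sub-domains are not covered
    return sorted(missing)

# Constructed sample blacklist, one entry per line as it might appear in a CSV.
SAMPLE_CSV = "*.test-domain.com\nads.example.net\n203.0.113.7\n*.tracker.example\ntracker.example\n"

if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    for host in ("sub1.test-domain.com", "test-domain.com", "tracker.example"):
        print(host, "blocked" if is_blocked(host, entries) else "NOT blocked")
    print("add for full coverage:", missing_pairs(entries))
```

An entry reported for a plain domain is advisory: add the *. form only when the sub-domains are meant to be blocked as well.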

Malicious Script Protection

Malicious Script Protection scans Uncategorized websites for embedded malicious JavaScripts. If the domain that hosts the script belongs to any one of these categories, then the page is blocked and the event is logged.

  • Anonymizer

  • Botnets

  • Critical Risk

  • High Risk

  • Medium Risk

  • Phishing

  • Spam

  • Spyware

  • Malicious Sites

  • Suspicious Content

Note - Ensure that you set URL Filtering Mode to either Prevent or Detect. If it is set to Prevent, the page is blocked and the event is logged. If it is set to Detect, the page is not blocked and the event is logged.

To specify malicious script protection:

  • To enable malicious script protection, select Block websites where Malicious Scripts are found embedded in the HTML.

  • To allow users to dismiss the malicious script security alert and access the website, select Allow user to dismiss the Malicious Scripts alert and access the website.

Download Protection

Note - You must set the Download Emulation & Extraction to Prevent or Detect to set the Advanced Settings.

Harmony Browse protects against malicious files that you download to your Endpoint. By default, it sends the files for extraction and emulation to Check Point's Threat Emulation on the cloud before they are downloaded to the Endpoint disk. You can also configure Harmony Browse with Threat Emulation on-premise. For more information, see sk113599.

Supported Files

The supported file types for Threat Emulation are:

Threat Emulation Supported File Types

7z lnk tbz2
arj pif tbz
bz2 pdf tb2
bat ppt tgz
CAB pptx udf
csv pps uue
com pptm wim
cpl potx xlt
dll potm xls
doc ppam xlsx
docx ppsx xlm
dot ppsm xltx
dotx ps1 xlsm
dotm rar xltm
docm rtf xlsb
exe scr xla
gz sldx xlam
hwp sldm xll
iso slk xlw
iqy swf xz
jar tar zip

The supported file types for Threat Extraction are:

Threat Extraction Supported File Types

doc potm pptx
docm potx xls
docx ppa xlsb
dot ppam xlsm
dotm pps xlsx
dotx ppsm xlt
fdf ppsx xltm
pdf ppt xltx
pot pptm xlam

Note - Ignore the file types listed in the Harmony Browse Administrator Portal.

The options available for supported file types are:

  • Get extracted copy before emulation completes

    • Extract potential malicious elements - While a file is tested, receive a copy of the file with all suspicious parts removed. Files that support extraction are available for download after the extraction. Files that do not support extraction are available for download only after the emulation and if it is benign.

    • Convert to PDF - Receive the file in PDF format. If the file is not malicious, users receive the original file when the emulation is finished. Emulation can take up to two minutes.

  • Suspend download until emulation completes – The original file is downloaded if found to be clean.

  • Emulate original file without suspending access - Emulates original file without suspending access to the file and logs the incident. If the file is malicious, it is blocked.

  • Allow - Threat Emulation and Threat Extraction are turned off.

Unsupported Files

The options available for unsupported file types are:

  • Allow Download - Allows user to access the file.

  • Block Download - Blocks user from accessing the file.

Emulation Environments

You can specify the size limit for files that must be sent for Threat Emulation. Files larger than the specified limit are not sent to Threat Emulation.

Upload and emulate files under – Specify the file size limit for Threat Emulation. The default file size limit is 15 MB. The maximum file size limit supported is 50 MB.

Override Default File Actions

Harmony Browse allows you to override the default action for a file type.

To override a file action, click Edit and select the File action and Extraction Mode.

Credential Protection

Note - You must set the Zero Phishing and Password Reuse to Prevent or Detect to set the Advanced Settings.

User can select any of these settings under Zero Phishing:

  • Allow user to dismiss the phishing alert and access the website - It allows the user to dismiss the blocking page and continue to enter the corporate password.

  • Send log on each scanned site

  • Allow user to abort phishing scans

  • Scan local HTML files - By default, the Harmony Browse extension in Chromium-based browsers (Chrome, Microsoft Edge, and Brave) cannot access the local HTML files opened by the browser to scan them for phishing attacks. This setting prompts users to grant permission to Chromium-based browsers to access and scan local HTML files on your PC.

    Notes:

    • You can customize the prompt page. For more information, see Configuring Client Settings Policy.

    • This feature is not supported with Safari and Internet Explorer browser extensions.

User can select any of these settings under Password Reuse Protection:

  • To protect a domain, click Edit and enter the domain name or IP address.

  • You can also select Allow users to dismiss the password reuse alert and access the website setting.

Browser Settings

Starting from the Harmony Browse Client version BROWSE_90.09.0001 and higher, the extension is pinned to the browser by default for users.

To allow users to unpin the browser extension, clear Always pin the browser extension to the tool bar under Pin Extension.

The user must log in again by locking and unlocking the endpoint, and then either restart the browser or wait 15 minutes for the changes to take effect. This is not applicable to endpoints with the Harmony Endpoint Security client installed, as the browser extension is pinned automatically through the policy update.

Note - You can unpin the extension only on Chromium browsers, such as Chrome, Edge and Brave. You cannot unpin an extension in Firefox.