Web and Files Protection

URL Filtering

URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. rules define which sites can be accessed from within your organization.

To set the URL Filtering mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

3. In the Web & Files Protection tab, under URL Filtering, select a mode:

   • Prevent - The request to enter a site is suspended until a verdict regarding the site is received. Access to the site is blocked if site matches one of the blocked categories or the blacklisting.

     • Allows user to dismiss the URL Filtering alert and access the website.

     • This option is selected by default. It provides the user with access to a blocked site if the end user believes the verdict is unjustified. This option can also be turned off through the Advanced Settings section.

   • Detect - Allows an access if a site is determined as malicious, but logs the traffic.

   • Off - URL Filtering is turned off.

4. For Advanced Settings, see URL Filtering.

Download Protection

Download Protection rules protects users from malicious content.

To set the Download Emulation & Extraction mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Web & Files Protection tab, under Download Protection, select a mode:

   • Prevent - Prevents the download if the file is either known to be malicious or detected as malicious by the Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE..

   • Detect - Emulates original file without suspending access to the file and logs the incident. The file is blocked if it is malicious or blocked by file extension (Advanced Settings > Download Protection). If not, the file is downloaded before the emulation is complete.

   • Off - Downloads the file without protection.

4. For Advanced Settings, see Download Protection.

Credential Protection

Zero Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.

To set the Zero Phishing mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Web & Files Protection tab, under Zero Phishing, select a mode:

   • Prevent - If site is scanned and found to be malicious, access to it is blocked and log of the incident is shown in the Harmony Browse web management log section.

   • Detect - An incident log is sent but access to the site is not be blocked. Also, the site scan is silent (invisible to the user).

   • OFF – Turns off the feature.

4. For Advanced Settings, see Credential Protection.

Password Reuse Protection

Alerts users not to use their corporate password in non-corporate domains.

To set the Password Reuse mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Web & Files Protection tab, under Password Reuse, select a mode:

   • Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

   • Detect mode - The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.

   • Off - Turns off password reuse protection.

4. For Advanced Settings, see Credential Protection.

Safe Search

Search Reputation

Search Reputation is a feature added to search engines that classifies search results based on URL's reputation.

Notes: It is supported only with Google, Bing, and Yahoo search engines. To enable this feature, ensure that you set URL Filtering Mode to either Prevent or Detect.

To set the Search Reputation mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Web & Files Protection tab, under Search Reputation, select a mode:

   • On - Turns on the feature.

   • Off -Turns off the feature.

When you enable this feature, the icon across the URL in the search results indicate the classification:

Icon	Classification
	The website is safe. Example:
	The website is not safe. Example:
	The website is blocked by the Administrator. Example:

Note - If the Search Reputation cannot classify a URL, then it does not display an icon across the URL. If you want such URLs to be classified and blocked, then enable the Uncategorized checkbox in URL Filtering > Categories > General Use. The Search Reputation classifies Uncategorized URLs as The website is blocked by the Administrator.

Force Safe Search

Force Safe Search is a feature in search engines that acts as an automated filter for potentially offensive and inappropriate content.

To set the Force Search Reputation mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Web & Files Protection tab, under Force Safe Search, select a mode:

   • On - Hides explicit content from the search results.

   • Off - User sees the most relevant results for their search, which may include explicit content like images consisting of violence.

Advanced Settings

URL Filtering

Note - You must set the URL Filtering Mode to Prevent or Detect to set the Advanced Settings.

Allow user to dismiss the URL Filtering alert and access the website – Allows user to bypass URL filtering and access the website.

Categories

Harmony Browse categorizes websites and you can specify the categories that must be blocked for the user. When you select a category, the URL Filtering rule applies to all sites in the selected category.

To specify the categories to block:

1. Under Categories, select the category. For example, Bandwidth Consumption.

2. Click Show and then select the sub-category.

Black List

You can specify specific URLs, domains or IP addresses you want to block.

To black list a domain or IP address, click Show and add the URL, domain or IP address.

Notes: You can add the domain names manually or upload a CSV file with the domain names you want to include in the blacklist. You can use * and ? as wildcards for blacklisting. * is supported with any string. For example: A* can be ADomain or AB or AAAA. ? is supported with another character. For example, A? can be AA or AB or Ab. You can export your blacklist. If you wish to completely block the domain www.test-domain.com, including its sub-domains (sub1.test-domain.com, sub2.test-domain.com, etc’) and it is a naked domain (test-domain.com, without the www), you need to add two values to the block list: *.test_domain.com test_domain.com

Malicious Script Protection

Malicious Script Protection scans Uncategorized websites for embedded malicious JavaScripts. If the domain that hosts the script belongs to any one of these categories, then the page is blocked and the event is logged.

• Anonymizer

• Botnets

• Critical Risk

• High Risk

• Medium Risk

• Phishing

• Spam

• Spyware

• Malicious Sites

• Suspicious Content

Note - Ensure that you set URL Filtering Mode to either Prevent or Detect.If it is set to Prevent, the page is blocked and the event is logged. If it is set to Detect, the page is not blocked and the event is logged.

To specify malicious script protection:

• To enable malicious script protection, select Block websites where Malicious Scripts are found embedded in the HTML.

• To allow users to dismiss the malicious script security alert and access the website, select Allow user to dismiss the Malicious Scripts alert and access the website.

Download Protection

Note - You must set the Download Emulation & Extraction to Prevent or Detect to set the Advanced Settings.

Harmony Browse protects against malicious files that you download to your Endpoint. By default, it sends the files for extraction and emulation to Check Point's Threat Emulation on the cloud before they are downloaded to the Endpoint disk. You can also configure Harmony Browse with Threat Emulation on-premise. For more information, see sk113599.

• Threat Emulation: Detects zero-day and unknown attacks. Files are sent to sandbox for emulation to detect evasive zero-day attacks.

• Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.: Proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.

Supported Files

The supported file types for Threat Emulation are:

Threat Emulation Supported File Types
7z	lnk	tbz2
arj	pif	tbz
bz2	pdf	tb2
bat	ppt	tgz
CAB	pptx	udf
csv	pps	uue
com	pptm	wim
cpl	potx	xlt
dll	potm	xls
doc	ppam	xlsx
docx	ppsx	xlm
dot	ppsm	xltx
dotx	ps1	xlsm
dotm	rar	xltm
docm	rtf	xlsb
exe	scr	xla
gz	sldx	xlam
hwp	sldm	xll
iso	slk	xlw
iqy	swf	xz
jar	tar	zip

The supported file types for Threat Extraction are:

Threat Extraction Supported File Types
doc	potm	pptx
docm	potx	xls
docx	ppa	xlsb
dot	ppam	xlsm
dotm	pps	xlsx
dotx	ppsm	xlt
fdf	ppsx	xltm
pdf	ppt	xltx
pot	pptm	xlam

Note - Ignore the files types listed in the Harmony BrowseAdministrator Portal.

The options available for supported file types are Threat Extraction are:

• Get extracted copy before emulation completes

  • Extract potential malicious elements - While a file is tested, receive a copy of the file with all suspicious parts removed. Files that support extraction are available for download after the extraction. Files that do not support extraction are available for download only after the emulation and if it is benign.

  • Covert to PDF - For receive the file in a PDF format. If the file is not malicious, users receive the original file when the emulation is finished. Emulation can take up to two minutes.

• Suspend download until emulation completes – The original file is downloaded if found to be clean.

• Emulate original file without suspending access - Emulates original file without suspending access to the file and logs the incident. If the file is malicious, it is blocked.

• Allow – Threat Emulation and Threat Extraction is turned off.

Unsupported Files

The options available for unsupported files types are:

• Allow Download - Allows user to access the file.

• Block Download - Blocks user from accessing the file.

Emulation Environments

You can specify the size limit for files that must be sent for Threat Emulation. Files larger than the specified limit are not sent to Threat Emulation.

Upload and emulate files under – Specify the file size limit for Threat Emulation. The default file size limit is 15 MB. The maximum file size limit supported is 50 MB.

Override Default File Actions

Harmony Browse allows you to override the default action for a file type.

To override a file action, click Edit and select the File action and Extraction Mode.

Credential Protection

Note - You must set the Zero Phishing and Password Reuse to Prevent or Detect to set the Advanced Settings.

User can select any of these settings under Zero Phishing:

• Allow user to dismiss the phishing alert and access the website - It allows the user to dismiss the blocking page and continue to enter the corporate password.

• Send log on each scanned site

• Allow user to abort phishing scans

• Scan local HTML files - By default, the Harmony Browse extension in Chromium-based browsers (Chrome, Microsoft Edge, and Brave) cannot access the local HTML files opened by the browser to scan them for phishing attacks. This setting prompts users to grant permission to Chromium-based browsers to access and scan local HTML files on your PC.

  Notes: You can customize the prompt page. For more information, see Configuring Client Settings Policy This feature is not supported with Safari and Internet Explorer browser extensions.

User can select any of these settings under Password Reuse Protection:

• To protect a domain, click Edit and enter the domain name or IP address.

• You can also select Allow users to dismiss the password reuse alert and access the website setting.

Browser Settings

Starting from the Harmony Browse Client version BROWSE_90.09.0001 and higher, the extension is pinned to the browser by default for users.

To allow users to unpin the browser extension, clear Always pin the browser extension to the tool bar under Pin Extension.

The user must re-login by locking and unlocking the endpoint and either restart the browser or wait for 15 minutes for the changes to reflect. This is not applicable to endpoints with the Harmony Endpoint Security client installed as the browser extension is pinned automatically through the policy update.

Note - You can unpin the extension only on Chromium browsers, such as Chrome, Edge and Brave. You cannot unpin an extension in Firefox.