Configuring the Threat Prevention Policy

Note - For Managed Security Service Providers (MSSP), Harmony Endpoint allows you to create Threat Prevention policy templates and attach them to the child accounts. For more information, see Templates for Child Accounts.

Unified Policy

Harmony Endpoint introduces the unified policy for the Endpoint components.

The unified policy lets you control all security components in a single policy. The policy is composed of a set of rules. Each ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the policy defines the scope which the rule applies to and the activated components. This is different from the policy Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. in SmartEndpointClosed A Check Point GUI application which connects to the Endpoint Security Management Server, to manage your Endpoint Security environment - to deploy, monitor and configure Endpoint Security clients and policies., where each component has its own set of rules.

A Default Policy rule which applies to the entire organization is predefined in your Policy tab..

Each new rule you create, has pre-defined settings, which you can then edit in the right section of the screen.

The Threat Prevention policy contains these capabilities which you can edit:

  • Web & Files Protection

  • Behavioral Protection

  • Analysis & Response

The Threat Prevention policy contains device rules and user rules.

  • You can use user objects only in the user policy, and you can use device objects only in the device policy.

  • There is no default rule for the user policy.

  • User rules override device rules.

  • You can use the same group in user and device rules at the same time.

  • If a group contains both users and devices, the rule is implemented according to the policy in which the rule is included.

To enable user policy, go to the Endpoint Settings view > Policy Operation Mode, and select Mixed mode.

Parts of the Policy Rule Base

Column Description

Rule Number

The sequence of the rules is important because the first rule that matches traffic according to the protected scope is applied.

Rule Name

Give the rule a descriptive name.

Applied to

The protected scope, to which the rule applies.

Mode

The policy mode applicable to the rule.

Web & Files Protection

The configurations that apply to Download Protection, Credential Protection and Files Protection.

Behavioral Protection

The configurations apply to Anti-BotClosed Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Ransomware and Anti-Exploit protections.

Analysis & Response

The configurations that apply to attack analysis and Remediation.

Client Version

Version number of the Initial Client that you downloaded.

Threat Prevention Policy Toolbar

To do this Click this

Clone, copy, paste, and delete rules

Search

Save, view, and discard changes

Note - The View Changes functionality shows the policy type that was changed and the date of the change.

Policy Mode

Policy mode allows you to:

  • Quickly configure a Threat Prevention policy by selecting a predefined policy mode (Detect only, Tuning and Optimized). Check Point automatically sets the appropriate operation mode (Detect, Prevent, Off) and Advanced Settings options for each capability.

  • Manually set the operation mode (Detect, Prevent, Off) and Advanced Settings options for each capability (Custom).

Notes:

  • The Detect only mode provides the basic protection. We recommend that you use the Detect only policy mode for the first few days to gather, monitor and analyze the data. Based on the analysis, you must switch to Tuning, Optimized or configure a Custom policy mode for enhanced protection. If you use the Detect only policy mode for the Default settings for the entire organization rule (default) for more than two days, the system shows a banner as a reminder to configure a stricter policy mode.

    If you click Dismiss, the system stops the notification only for you while it continues to appears for other users.

  • If you modify a predefined policy mode, it automatically changes to Custom.

To select a mode for a policy:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the policy in the table.

  3. In the Capabilities and Exclusion pane, from the Policy Mode list:

    • Select a predefined mode:

      • Detect only

      • Tuning

      • Optimized

      The table shows the appropriate operation mode set for each capability for a policy mode.

      Capability

      Policy Mode

      Tuning

      Detect only

      Optimized

      URL Filtering

      Detect

      Detect

      Prevent

      Download

      Protection

      Detect

      Detect

      Prevent

      Zero Phishing

      Detect

      Detect

      Prevent

      Password

      Reuse

      Detect

      Detect

      Prevent

      Search

      Reputation

      Off

      Off

      On

      Force

      Safe

      Search

      Off

      Off

      On

      Advanced Settings

      URL Filtering

      Allow user to dismiss the URL Filtering alert and access the website is disabled.

      Under Categories, Service is selected.

      Under Malicious Script Protection:

      • Block websites where Malicious Scripts are found embedded in the HTML is selected.

      • Allow user to dismiss the Malicious Scripts alert and access the website is disabled.

      Allow user to dismiss the URL Filtering alert and access the website is selected.

      Under Categories, Service is selected.

      Under Malicious Script Protection:

      • Block websites where Malicious Scripts are found embedded in the HTML is selected.

      • Allow user to dismiss the Malicious Scripts alert and access the website is selected.

      Download Protection

      Under Supported files, Emulate original file without suspending access is selected.

      Under Unsupported files, Allow Download is selected.

      Under Supported files:

      • Get extracted copy before emulation completes is selected.

      • Extract potential malicious elements is selected.

      Under Unsupported files, Allow Download is selected.

      Credential Protection

      Under Zero Protection, Allow user to dismiss the phishing alert and access the website is disabled.

      Under Password Reuse, Allow users to dismiss the password reuse alert and access the website is disabled.

      Under Zero Protection, Allow user to dismiss the phishing alert and access the website is selected.

      Under Password Reuse, Allow users to dismiss the password reuse alert and access the website is selected.

    • Select Custom and set the operation mode manually. For more information, see Web and Files Protection.

  4. Click Save.

  5. Click Save & Install.

Updating a Predefined Policy Mode

Based on internal analysis and research, Check Point may suitably modify the operation mode or Advanced Settings of a predefined policy mode. If a predefined mode is updated, a notification appears.

  • Click Align to accept the updates. The system automatically updates to the new settings for the predefined mode.

  • Click Keep to retain the current settings. The policy mode changes to Custom.