Getting Started with Anti-Bot
Enabling the Anti-Bot Software Blade
Enable the Anti-Bot Software Blade on a Security Gateway.
To enable the Anti-Bot Software Blade:
- In SmartDashboard, right-click the gateway object and select .
The window opens.
- In tab, select .
The window opens.
- Select one of the activation mode options:
- - Enable the Anti-Bot Software Blade and use the Anti-Bot settings of the Threat Prevention profile in the Threat Prevention policy.
- - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
- Click .
- Install the Threat Prevention policy.
Creating an Anti-Bot Policy
Create and manage the Anti-Bot policy in the Threat Prevention tab of SmartDashboard. The policy lists the profile applied to each set of network objects or locations defined as a protected scope.
- The pane shows a high-level summary of your Anti-Bot activity and traffic.
- The pane shows the rules and exceptions for the Anti-Bot policy. Click the button to get started.
- To learn about bots and protections, look through the Threat Wiki.
Creating Rules
Here are examples of how to create different types of Anti-Bot rules.
Blocking Bots
Scenario: I want to block bots in my organization. How can I do this?
To block bots in your organization:
- In the page, select the Software Blade.
The First Time window opens.
- Select and click .
- Select > .
- Click .
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
- Make a rule that includes these components:
- - Name: give the rule a name such as .
- - Protected Scope: the list of network objects you want to protect. In this example, the network object is used.
- - Action: the profile that contains the protection settings you want. The default profile is .
- - Track: the type of log you want when malware is detected on this scope. In this example, keep the Log setting and also select the packet-capture option, so that the packets of the malicious activity are saved and can be viewed in SmartView Tracker.
- - Install On: keep the default installation targets or choose the specific gateways to install the rule on.
- Install the Threat Prevention policy.
Monitoring Bot Activity
Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?
To monitor all bot activity:
- In the tab of SmartDashboard, open the pane.
- Click one of the toolbar buttons to add the rule in the position that you choose in the Rule Base. Rule order matters: the first rule that matches the traffic is applied, so a monitor-only rule with an Any scope placed above a blocking rule shadows that blocking rule.
- Give the rule a name, such as Monitor Bot Activity.
- In Protected Scope, keep the default Any. The rule then applies to all traffic in the organization.
- Right-click in the Action cell and select the option to create a new profile.
- In the profile window, set the action for all confidence levels (low, medium and high) to Detect, so that attacks are logged but never blocked.
- Set the performance impact to medium or lower.
This profile detects attacks reported with low, medium or high confidence and activates only protections with a medium or lower performance impact.
- Name the profile (NewProfile in the table below).
- Click .
| Name | Protected Scope | Protection | Action | Track |
|---|---|---|---|---|
| Monitor Bot Activity | Any | n/a | NewProfile | Log |
Disabling a Protection on a Specified Server
Scenario: The protection Backdoor.Win32.Agent.AH detects malware on a server (Server_1). How can I disable this protection for this server only?
To add an exception to a rule:
- In the tab of SmartDashboard, open the pane.
- Click the rule whose Protected Scope contains Server_1.
- Click the toolbar button to add the exception under the rule. Exceptions are evaluated in order and the first matching exception is applied.
- Make a rule exception that includes these components:
- - Name: give the exception a name such as Exclude.
- - Protected Scope: change it to Server_1 so that the exception applies only to detections on that server.
- - Protection: click in the cell to open the protections window and select the item to exclude, Backdoor.Win32.Agent.AH.
- - Click .
- - Leave the defaults for Action (Detect), Track (Log) and the remaining columns. With Detect, the protection still logs the event on Server_1; it just no longer blocks it.
| Name | Protected Scope | Protection | Action | Track |
|---|---|---|---|---|
| Exclude | Server_1 | Backdoor.Win32.Agent.AH | Detect | Log |
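The three rule examples above (block, monitor-only, exception) all depend on the same matching semantics: the first rule whose Protected Scope covers the host is applied, and within that rule the first matching exception overrides the profile. The following is an added toy model of that first-match logic, written for this page; it is not Check Point's matching engine and not code from the product. The profile named Blocking_Profile, the hosts Server_2 and Laptop_3, the protections beginning with "Hypothetical." and the three-level Low/Medium/High scales for confidence and performance impact are all assumptions made for the example; only Monitor Bot Activity, NewProfile, Exclude, Server_1 and Backdoor.Win32.Agent.AH come from the text.

```python
"""Toy first-match model of a Threat Prevention Rule Base with rule exceptions.

Added illustration for this page only; NOT Check Point's matching engine.
Confidence and performance-impact levels are simplified to Low/Medium/High.
"""
from dataclasses import dataclass
from typing import Optional

# Ordering used to compare a protection's performance impact against a
# profile's "Medium or lower" style cap (assumption: three levels only).
IMPACT_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Protection:
    name: str
    confidence: str          # "Low" | "Medium" | "High"
    performance_impact: str  # "Low" | "Medium" | "High"


@dataclass
class Profile:
    """A profile: the action per confidence level plus a performance-impact cap."""
    name: str
    action_by_confidence: dict
    max_performance_impact: str

    def action_for(self, p: Protection) -> str:
        # Protections heavier than the cap are not activated by this profile.
        if IMPACT_ORDER[p.performance_impact] > IMPACT_ORDER[self.max_performance_impact]:
            return "Inactive"
        return self.action_by_confidence[p.confidence]


@dataclass
class Exception_:
    name: str
    protected_scope: frozenset  # host names, or {"Any"}
    protections: frozenset      # protection names, or {"Any"}
    action: str                 # "Prevent" | "Detect" | "Inactive"
    track: str


@dataclass
class Rule:
    name: str
    protected_scope: frozenset
    profile: Profile            # the rule's Action column holds a profile
    track: str
    exceptions: tuple = ()


@dataclass
class Verdict:
    rule: Optional[str]
    action: str
    track: str
    exception: Optional[str] = None


def in_scope(scope: frozenset, host: str) -> bool:
    return "Any" in scope or host in scope


def match(rules, host: str, protection: Protection) -> Verdict:
    """First matching rule wins; inside it, the first matching exception
    overrides the profile's action. No matching rule means no inspection."""
    for rule in rules:
        if not in_scope(rule.protected_scope, host):
            continue
        for exc in rule.exceptions:
            if in_scope(exc.protected_scope, host) and (
                "Any" in exc.protections or protection.name in exc.protections
            ):
                return Verdict(rule.name, exc.action, exc.track, exc.name)
        return Verdict(rule.name, rule.profile.action_for(protection), rule.track)
    return Verdict(None, "Not inspected", "None")


# ---- constructed sample data (hypothetical except the names taken from the page) ----
BLOCKING_PROFILE = Profile("Blocking_Profile",
                           {"Low": "Detect", "Medium": "Prevent", "High": "Prevent"}, "High")
NEW_PROFILE = Profile("NewProfile",
                      {"Low": "Detect", "Medium": "Detect", "High": "Detect"}, "Medium")

EXCLUDE = Exception_("Exclude", frozenset({"Server_1"}),
                     frozenset({"Backdoor.Win32.Agent.AH"}), "Detect", "Log")

RULES = (
    Rule("Block Bots", frozenset({"Server_1", "Server_2"}), BLOCKING_PROFILE, "Log", (EXCLUDE,)),
    Rule("Monitor Bot Activity", frozenset({"Any"}), NEW_PROFILE, "Log"),
)

BACKDOOR = Protection("Backdoor.Win32.Agent.AH", "High", "Low")
OTHER_BOT = Protection("Hypothetical.Bot.X", "High", "Low")
LOW_CONF = Protection("Hypothetical.Bot.LowConf", "Low", "Low")
HEAVY = Protection("Hypothetical.Bot.Heavy", "High", "High")

if __name__ == "__main__":
    cases = [("Server_1", BACKDOOR), ("Server_2", BACKDOOR), ("Server_1", OTHER_BOT),
             ("Laptop_3", BACKDOOR), ("Server_2", LOW_CONF), ("Laptop_3", HEAVY)]
    for host, prot in cases:
        print(host, prot.name, match(RULES, host, prot))
    # Rule order matters: an Any-scope monitor rule placed first shadows the block rule.
    print("shadowed:", match(tuple(reversed(RULES)), "Server_2", BACKDOOR))
```

Running the script shows the exception narrowing the effect to one host and one protection (Server_1 with Backdoor.Win32.Agent.AH is detected, Server_2 with the same protection is still prevented, Server_1 with any other bot is still prevented), the monitor-only profile answering for hosts outside the block rule's scope, the impact cap turning a heavy protection Inactive, and the reversed rule base demonstrating why the position chosen with the toolbar buttons matters.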
Installing the Policy
The Anti-Bot, Threat Emulation and Anti-Virus Software Blades share a dedicated Threat Prevention policy. You can install it separately from the policy of the other Software Blades.
You can update the Anti-Bot, Threat Emulation and Anti-Virus Rule Base to give immediate coverage for new malware threats, and install only the Threat Prevention policy to minimize the impact on the Security Gateways.
To install the Threat Prevention policy:
- From the tab > pane, click .
- Select the relevant options:
- - Install the policy on all Security Gateways that have Anti-Bot, Threat Emulation or Anti-Virus enabled.
- - Select the applicable Security Gateways.
- - Install the policy on each selected Security Gateway independently of the other targets. A failure on one Security Gateway does not affect policy installation on the others.
If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server first checks that it can install the policy on every member before installing it on any of them; if the policy cannot be installed on one member, installation fails for all of them.
- - Install the policy on all installation targets together. If the policy fails to install on one Security Gateway, it is not installed on the other targets of the same version.
- Click .