
Threat Prevention

What can I do here?

Use this window to configure a Threat Prevention policy.

Getting Here

Security Policies > Threat Prevention > Policy

The Threat Prevention Policy

The Threat Prevention policy determines how the system inspects connections for bots and viruses. The primary component of the policy is the Rule Base. The rules use the Malware database and network objects.

If you enable Identity Awareness on your gateways, you can also use Access Role objects as the scope in a rule. This lets you easily make rules for individuals or different groups of users.

There are no implied rules in the Rule Base. All traffic is allowed unless it is explicitly blocked.

The columns of a rule define the traffic that it matches and what is done to that traffic.

Rule Columns

No

The rule number. The sequence is important. The first rule that matches traffic according to a protected scope and profile is applied.

For example, if rules 1 and 2 share the same protected scope and a profile in rule 1 is set to detect protections with a medium confidence level and the profile in rule 2 is set to prevent protections with a medium confidence level, then protections with a medium confidence level will be detected based on rule 1.

Name

The name of the rule. Give the rule a descriptive name. A name can include spaces.

Protected Scope

Threat Prevention inspects traffic to and/or from all objects specified in the Protected Scope, even when the specified object did not open the connection.

You can set the Protected Scope parameter to Any. This option lets Threat Prevention inspect traffic based on the direction and interface type as defined by the Profile assigned to the applicable rule. By default, the predefined Recommended Rule sets the Protected Scope to Any.

Source

The source of the connection.

Destination

The connection's destination.

Protection/Site/File/Blade

Shows the protections for the policy. The Threat Prevention policy includes the Anti-Bot, Threat Emulation, and Anti-Virus protections.

For Rules, this field is always set to N/A and cannot be changed. Protections for Rule Base rules are defined in the configured profile (in the Action column).

For rule exceptions and exception groups, this field can be set to one or more specified protections.

Services

The services that the rule matches.

Action

Action shows how the traffic is inspected.

For Rules, this is defined by the profile. The profile contains the configuration options for different confidence levels and performance impact.

For rule exceptions and exception groups, the action can be set to Ask, Prevent, Detect, or Inactive.

Track

Shows if the traffic is logged or triggers various notifications, traps, or alerts.

Packet capture allows the packets relevant to the connection to be captured for analysis. The packet capture can be viewed from the event in the Logs & Monitor > Logs view. This can be configured only for rules (not rule exceptions).

To configure packet capture, select any tracking action other than None and then select Packet capture.

Install On

Select a gateway on which to install the policy.
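The No and Protected Scope entries above describe two behaviours that are easy to get wrong when ordering rules: the first rule whose Protected Scope matches is the one applied, and the scope matches traffic to or from its objects regardless of which side opened the connection. The following script is an added illustration, not Check Point code, that models those two behaviours over a constructed rule base reproducing the "rule 1 detects, rule 2 prevents" example from the No column, and adds a simple shadowing check. Object names, profile contents and the subset-based shadowing test are assumptions made for the example; real objects can be networks and groups, which this model does not resolve.

```python
"""First-match evaluation of a Threat Prevention style rule base.

Added illustration (not Check Point code). Rule contents, host names and
profiles below are constructed for the example.
"""
from dataclasses import dataclass

ANY = "Any"


@dataclass
class Rule:
    number: int
    name: str
    protected_scope: set            # object names, or {ANY}
    profile: dict                   # constructed: confidence level -> action


@dataclass
class Connection:
    source: str
    destination: str
    confidence: str                 # confidence level of the protection that fired


def scope_matches(rule: Rule, conn: Connection) -> bool:
    """Protected Scope matches traffic to and/or from its objects,
    even when the object in scope did not open the connection."""
    if ANY in rule.protected_scope:
        return True
    return (conn.source in rule.protected_scope
            or conn.destination in rule.protected_scope)


def evaluate(rule_base, conn):
    """Return (rule number, action) from the first rule whose scope matches.

    Returns None when nothing matches: the Rule Base has no implied rules,
    so traffic that no rule covers is simply not inspected.
    """
    for rule in sorted(rule_base, key=lambda r: r.number):
        if scope_matches(rule, conn):
            return rule.number, rule.profile[conn.confidence]
    return None


def shadowed_rules(rule_base):
    """Numbers of rules that can never match because an earlier rule's
    scope already covers theirs (assumption: scope compared as plain sets;
    network and group membership is not resolved here)."""
    shadowed = []
    ordered = sorted(rule_base, key=lambda r: r.number)
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if ANY in earlier.protected_scope or later.protected_scope <= earlier.protected_scope:
                shadowed.append(later.number)
                break
    return shadowed


# Constructed rule base: rules 1 and 2 share a scope and differ only in the
# medium-confidence action, as in the No column example.
RULE_BASE = [
    Rule(1, "Detect medium on web server", {"WebServer"},
         {"low": "Inactive", "medium": "Detect", "high": "Prevent"}),
    Rule(2, "Prevent medium on web server", {"WebServer"},
         {"low": "Detect", "medium": "Prevent", "high": "Prevent"}),
    Rule(3, "Recommended", {ANY},
         {"low": "Detect", "medium": "Prevent", "high": "Prevent"}),
]

if __name__ == "__main__":
    # Inbound to the scoped object and outbound from it both hit rule 1,
    # so a medium-confidence protection is only detected, never prevented.
    print(evaluate(RULE_BASE, Connection("ExternalHost", "WebServer", "medium")))
    print(evaluate(RULE_BASE, Connection("WebServer", "ExternalHost", "medium")))
    # Hosts outside rule 1 and 2's scope fall through to the Any rule.
    print(evaluate(RULE_BASE, Connection("Laptop", "ExternalHost", "medium")))
    # Rule 2 is fully shadowed by rule 1.
    print(shadowed_rules(RULE_BASE))
```

Running the script shows that rule 2's Prevent action never takes effect for medium-confidence protections, because rule 1 with the same scope is evaluated first; swapping the two numbers, or narrowing rule 1's scope, is what changes the outcome, not adding a stricter rule below.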