Anti-Bot

What can I do here?

Use this window to configure UserCheck settings and suspicious mail detection settings for Anti-bot.

Getting Here

Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Anti-bot

Configuring Anti-Bot Settings

To configure the Anti-Bot settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Anti-Bot.
  5. Configure the Anti-Bot UserCheck Settings:
    • Prevent - Select the UserCheck message that opens for a Prevent action
    • Ask - Select the UserCheck message that opens for an Ask action
  6. Click OK and Install Policy.

Blocking Bots

To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.

| Protected Scope | Action | Track | Install On |
|---|---|---|---|
| *Any | Optimized | Log, Packet Capture | *Policy Targets |

To block bots in your organization:

  1. In SmartConsole, click Gateways & Servers.
  2. Enable the Anti-Bot Software Blade on the Gateways that protect your organization. For each Gateway:
    1. Double-click the Gateway object.
    2. In the Gateway Properties page, select the Anti-Bot Software Blade.

      The First Time Activation window opens.

    3. Select According to the Anti-Bot and Anti-Virus policy.
    4. Click OK.
  3. Click Security Policies > Threat Prevention > Policy > Threat Prevention.

    You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.

    Alternatively, add a new Threat Prevention rule:

    1. Click Add Rule.

      A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

    2. Make a rule that includes these components:
      • Name - Give the rule a name such as Block Bot Activity.
      • Protected Scope - The list of network objects you want to protect. By default, the Any network object is used.
      • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
      • Track - The type of log you want to get when the gateway detects malware on this scope.
      • Install On - Keep it as Policy Targets or select Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:

| Name | Protected Scope | Action | Track | Install On |
|---|---|---|---|---|
| Monitor Bot activity | *Any | A profile that has these changes relative to the Optimized profile: Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect. | Log | *Policy Targets |

To monitor all bot activity:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. Create a new profile:
    1. From the Threat Tools section, click Profiles.

      The Profiles page opens.

    2. Right-click a profile and select Clone.
    3. Give the profile a name such as Monitoring_Profile.
    4. Edit the profile, and under Activation Mode, configure all confidence level settings to Detect.
    5. Select the Performance Impact - for example, Medium or lower.

    With this profile, protections that identify an attack with low, medium or high confidence and that have a medium or lower performance impact are set to Detect.

  3. Create a new rule:
    1. Click Threat Prevention > Policy > Threat Prevention.
    2. Add a rule to the Rule Base.

      The first rule that matches is applied.

    3. Make a rule that includes these components:
      • Name - Give the rule a name such as Monitor Bot Activity.
      • Protected Scope - Keep Any so the rule applies to all traffic in the organization.
      • Action - Right-click in this cell and select Monitoring_Profile.
      • Track - Keep Log.
      • Install On - Keep it as Policy Targets or choose Gateways to install the rule on.
  4. Install the Threat Prevention policy.
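
Because the first rule that matches is applied, the position of a Detect-only rule relative to a blocking rule decides what happens to the traffic. The following is an added example, not Check Point code: a simplified model of first-match evaluation that flags rules hidden behind an earlier, broader rule. The CIDR scopes, the host addresses and the Optimized confidence-to-action mapping are assumptions made for illustration.

```python
"""Simplified model of first-match Threat Prevention rule evaluation (constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Profiles map a protection's confidence level to an action.
# Monitoring_Profile follows the page (all levels set to Detect); the
# Optimized values are assumed for illustration and are not from the page.
PROFILES = {
    "Optimized": {"high": "Prevent", "medium": "Prevent", "low": "Detect"},
    "Monitoring_Profile": {"high": "Detect", "medium": "Detect", "low": "Detect"},
}

@dataclass
class Rule:
    name: str
    scope: str    # Protected Scope as a CIDR; "0.0.0.0/0" stands in for *Any
    profile: str  # the profile selected in the rule's Action cell

def effective_action(rules, host, confidence):
    """Return (rule name, action) from the first rule whose scope contains host."""
    for rule in rules:
        if ip_address(host) in ip_network(rule.scope):
            return rule.name, PROFILES[rule.profile][confidence]
    return None, None  # no rule matched; this model does not define a default

def shadowed_rules(rules):
    """Return names of rules that never match because an earlier scope covers theirs."""
    shadowed = []
    for i, rule in enumerate(rules):
        net = ip_network(rule.scope)
        if any(net.subnet_of(ip_network(prev.scope)) for prev in rules[:i]):
            shadowed.append(rule.name)
    return shadowed

# Constructed rule bases: the same two rules in both orders.
monitor = Rule("Monitor Bot Activity", "0.0.0.0/0", "Monitoring_Profile")
block = Rule("Block Bot Activity", "10.1.0.0/16", "Optimized")  # constructed scope
monitor_first = [monitor, block]
block_first = [block, monitor]

if __name__ == "__main__":
    for label, rules in (("monitor first", monitor_first), ("block first", block_first)):
        hit = effective_action(rules, "10.1.4.20", "high")
        print(f"{label}: {hit}, shadowed={shadowed_rules(rules)}")
```

With the monitoring rule on top, the blocking rule is never reached and a high-confidence detection on the constructed host is only logged; reversing the order restores Prevent for that scope while the rest of the traffic stays in Detect.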