Anti-Bot

What can I do here?

Use this window to configure UserCheck settings and suspicious mail detection settings for Anti-bot.

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Anti-bot

Configuring Anti-Bot Settings

To configure the Anti-Bot settings for a Threat Prevention profile:

In SmartConsole, select Security Policies > Threat Prevention.
From the Threat Tools section, click Profiles.
The Profiles page opens.
Right-click the profile, and click Edit.
From the navigation tree, click Anti-Bot.
Configure the Anti-Bot UserCheck Settings:
- Prevent - Select the UserCheck message that opens for a Prevent action
- Ask - Select the UserCheck message that opens for an Ask action
Click OK and Install Policy.

Blocking Bots

To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.

Protected Scope	Action	Track	Install On
*Any	Optimized	Log Packet Capture	*Policy Targets

Protected Scope

Action

Track

Install On

*Any

Optimized

Log

Packet Capture

*Policy Targets

To block bots in your organization:

In SmartConsole, click Gateways & Servers.
Enable the Anti-Bot Software Blade on the Gateways that protect your organization. For each Gateway:
1. Double-click the Gateway object.
2. In the Gateway Properties page, select the Anti-Bot Software Blade.
  The First Time Activation window opens.
3. Select According to the Anti-Bot and Anti-Virus policy
4. Click OK.
Click Security Policies > Threat Prevention > Policy > Threat Prevention.
You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.

Alternatively, add a new Threat Prevention rule:
1. Click Add Rule.
  A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
2. Make a rule that includes these components:
  - Name - Give the rule a name such as Block Bot Activity.
  - Protected Scope - The list of network objects you want to protect. By default, the Any network object is used.
  - Action - The Profile that contains the protection settings you want. The default profile is Optimized.
  - Track - The type of log you want to get when the gateway detects malware on this scope.
  - Install On - Keep it as Policy Targets or select Gateways to install the rule on.
Install the Threat Prevention policy.
The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.
To install the Threat Prevention policy:
1. From the Global toolbar, click Install Policy.
  The Install Policy window opens showing the installation targets (Security Gateways).
2. Select Threat Prevention.
3. Select Install Mode:
  - Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
    If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
  - Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
4. Click OK.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:

Name	Protected Scope	Action	Track	Install On
Monitor Bot activity	`*Any`	A profile that has these changes relative to the Optimized profile: Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect.	`Log`	`*Policy Targets`

Name

Protected Scope

Action

Track

Install On

Monitor Bot activity

*Any

A profile that has these changes relative to the Optimized profile:

Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect.

Log

*Policy Targets

To monitor all bot activity:

In SmartConsole, select Security Policies > Threat Prevention.
Create a new profile:
1. From the Threat Tools section, click Profiles.
  The Profiles page opens.
2. Right-click a profile and select Clone.
3. Give the profile a name such as Monitoring_Profile.
4. Edit the profile, and under Activation Mode, configure all confidence level settings to Detect.
5. Select the Performance Impact - for example, Medium or lower.
This profile detects protections that are identified as an attack with low, medium or high confidence and have a medium or lower performance impact.
Create a new rule:
1. Click Threat Prevention > Policy > Threat Prevention.
2. Add a rule to the Rule Base.
  The first rule that matches is applied.
3. Make a rule that includes these components:
  - Name - Give the rule a name such as Monitor Bot Activity.
  - Protected Scope - Keep Any so the rule applies to all traffic in the organization.
  - Action - Right-click in this cell and select Monitoring_Profile.
  - Track - Keep Log.
  - Install On - Keep it as Policy Targets or choose Gateways to install the rule on.
Install the Threat Prevention policy.
The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.
To install the Threat Prevention policy:
1. From the Global toolbar, click Install Policy.
  The Install Policy window opens showing the installation targets (Security Gateways).
2. Select Threat Prevention.
3. Select Install Mode:
  - Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
    If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
  - Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
4. Click OK.