Creating Threat Prevention Rules

In This Section:

Configuring IPS Profile Settings

Configuring Anti-Bot Settings

Configuring Anti-Virus Settings

Configuring Threat Emulation Settings

Configuring Threat Extraction Settings

Configuring a Malware DNS Trap

Configuring Inspection of Links Inside Mail

Exception Rules

Exception Groups

Create and manage the policy for the Threat Prevention Software Blade as part of the Threat Prevention Policy.

Click the Add Rule button to get started.

Best Practice - Disable a rule when you work on it. Enable the rule when you want to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right click in the No. column of the rule and select Disable.

Configuring IPS Profile Settings

To configure IPS settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click IPS > Additional Activation.
  5. Configure the customized protections for the profile.
  6. From the navigation tree, click IPS > Updates.
  7. Configure the settings for newly downloaded IPS protections.
  8. If you import IPS profiles from a pre-R80 deployment:
    1. From the navigation tree, click IPS > Pre-R80 Settings.
    2. Activate the applicable Client and Server protections.
    3. Configure the IPS protection categories to exclude from this profile.

    Note - These categories are different from the protections in the Additional Activation page.

  9. Click OK.
  10. Install Policy.

Additional Activation Fields

For additional granularity, in the Additional Activation section of the Profile configuration window, you can select IPS protections to activate and to deactivate. The IPS protections are arranged into tags (categories) such as Product, Vendor, Threat Year, and others, for ease of searching. The gateways enforce activated protections, and do not enforce deactivated protections, regardless of the general profile protection settings.

Updates

There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.

In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the IPS > Updates page in the Profiles navigation tree. Select one of these settings for Newly Updated Protections:

Best Practice - Allow IPS to activate protections based on the IPS policy in the beginning. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.

Pre R80 Settings

The Pre-R80 Settings are relevant for the pre-R80 gateways only.

Protections Activation

Activate protections of the following types:

Excluded Protections Categories

Do not activate protections of the following categories - The IPS protection categories you select here are not automatically activated. They are excluded from the Threat Prevention policy rule that has this profile in the action of the Rule Base.

Configuring Anti-Bot Settings

To configure the Anti-Bot settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Anti-Bot.
  5. Configure the Anti-Bot UserCheck Settings:
    • Prevent - Select the UserCheck message that opens for a Prevent action
    • Ask - Select the UserCheck message that opens for an Ask action
  6. Click OK and Install Policy.

Blocking Bots

To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.

Protected Scope: Any
Action: Optimized
Track: Log, Packet Capture
Install On: Policy Targets

To block bots in your organization:

  1. In SmartConsole, click Gateways & Servers.
  2. Enable the Anti-Bot Software Blade on the Gateways that protect your organization. For each Gateway:
    1. Double-click the Gateway object.
    2. In the Gateway Properties page, select the Anti-Bot Software Blade.

      The First Time Activation window opens.

    3. Select According to the Anti-Bot and Anti-Virus policy
    4. Click OK.
  3. Click Security Policies > Threat Prevention > Policy > Threat Prevention.

    You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.

    Alternatively, add a new Threat Prevention rule:

    1. Click Add Rule.

      A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

    2. Make a rule that includes these components:
      • Name - Give the rule a name such as Block Bot Activity.
      • Protected Scope - The list of network objects you want to protect. By default, the Any network object is used.
      • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
      • Track - The type of log you want to get when the gateway detects malware on this scope.
      • Install On - Keep it as Policy Targets or select Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:

Name: Monitor Bot activity
Protected Scope: Any
Action: A profile that has these changes relative to the Optimized profile: go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect.
Track: Log
Install On: Policy Targets

To monitor all bot activity:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. Create a new profile:
    1. From the Threat Tools section, click Profiles.

      The Profiles page opens.

    2. Right-click a profile and select Clone.
    3. Give the profile a name such as Monitoring_Profile.
    4. Edit the profile, and under Activation Mode, configure all confidence level settings to Detect.
    5. Select the Performance Impact - for example, Medium or lower.

    This profile detects protections that are identified as an attack with low, medium or high confidence and have a medium or lower performance impact.

  3. Create a new rule:
    1. Click Threat Prevention > Policy > Threat Prevention.
    2. Add a rule to the Rule Base.

      The first rule that matches is applied.

    3. Make a rule that includes these components:
      • Name - Give the rule a name such as Monitor Bot Activity.
      • Protected Scope - Keep Any so the rule applies to all traffic in the organization.
      • Action - Right-click in this cell and select Monitoring_Profile.
      • Track - Keep Log.
      • Install On - Keep it as Policy Targets or choose Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Configuring Anti-Virus Settings

You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole) and traffic direction (incoming or outgoing).

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management and then double-click a DMZ interface.
  3. In the General page of the Interface window, click Modify.
  4. In the Topology Settings window, click Override and Interface leads to DMZ.
  5. Click OK and close the gateway window.

    Perform this procedure for each interface that goes to the DMZ.

You can configure the Anti-Virus profile to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. If you use this feature, it can have an impact on network performance.

Note - The MIME Nesting settings are the same for Anti-Virus and Threat Emulation.

To configure Anti-Virus settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Anti-Virus.
  5. Select the Anti-Virus UserCheck Settings options:
    • Prevent - Select the UserCheck message that opens for a Prevent action.
    • Ask - Select the UserCheck message that opens for an Ask action.
  6. In the Protected Scope section, select an interface type and traffic direction option:
    • Inspect incoming files from:

      Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

      • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
      • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
      • All - Inspect all incoming files from all interface types.
    • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
  7. Select the applicable Protocols that Anti-Virus scans.
  8. Optional: Configure how Anti-Virus inspects SMTP traffic.
    1. Click Configure.

      The Anti-Virus Mail Configuration window opens.

    2. Configure the MIME Nesting settings.
      • Maximum MIME nesting is X levels - For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.
      • When nesting level is exceeded block/allow file - If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.
  9. Select File Types:
    • Process file types known to contain malware
    • Process all file types
    • Process specific file types families
  10. To configure the specific file type families:
    1. Click Configure.
    2. In the File Types Configuration window, for each file type, select the Anti-Virus action for the file type.
    3. Click OK to close the File Types Configuration window.
  11. Click OK and close the Threat Prevention profile window.
  12. Install Policy.

To enable Archive Scanning:

  1. Select Enable Archive scanning (impacts performance)
  2. Click Configure.
  3. Set the amount in seconds to Stop processing archive after X seconds. The default is 30 seconds.
  4. Set to block or allow the file When maximum time is exceeded.

    The default setting is Allow.

  5. Click OK and close the Threat Prevention profile window.
  6. Install Policy.

Blocking Viruses

To block viruses and malware in your organization:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  2. In the General Properties page, select the Anti-Virus Software Blade.

    The First Time Activation window opens.

  3. Select According to the Anti-Bot and Anti-Virus policy and click OK.
  4. Close the gateway Properties window and publish the changes.
  5. Click Security Policies > Threat Prevention > Policy > Threat Prevention.
  6. Click Add Rule.

    A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

  7. Make a rule that includes these components:
    • Name - Give the rule a name such as Block Virus Activity.
    • Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
    • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
    • Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. You will then be able to view the actual packets in SmartConsole > Logs & Monitor > Logs.
    • Install On - Keep it as All or choose specified gateways to install the rule on.
  8. Install the Threat Prevention policy.

Configuring Threat Emulation Settings

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management and then double-click a DMZ interface.
  3. In the General page of the Interface window, click Modify.
  4. In the Topology Settings window, click Override and Interface leads to DMZ.
  5. Click OK and close the gateway window.

Do this procedure for each interface that goes to the DMZ.

If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.

Note - The MIME Nesting settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.

To configure Threat Emulation settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Threat Emulation > General.
  5. Select the Threat Emulation UserCheck Settings options:
    • Prevent - Select the UserCheck message that opens for a Prevent action
    • Ask - Select the UserCheck message that opens for an Ask action
  6. In the Protected Scope section, select an interface type and traffic direction option:
    • Inspect incoming files from:

      Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

      • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
      • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
      • All - Inspect all incoming files from all interface types.
    • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
  7. Select the applicable Protocols to be emulated.
  8. Optional: Configure how Threat Emulation does emulation for SMTP traffic.
    1. Click Configure.

      The Threat Prevention Mail Configuration window opens.

    2. Configure the MIME Nesting settings.
      • Maximum MIME nesting is X levels - For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.
      • When nesting level is exceeded block/allow file - If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.
  9. Select the File Types to be emulated.
  10. Click OK and close the Threat Prevention profile window.
  11. Install the Threat Prevention policy.

Selecting the Threat Emulation Action

What are the available emulation actions that I can use with a Threat Emulation profile?

Preparing for Local or Remote Emulation

Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.

  1. Open SmartConsole.
  2. Create the network object for the Emulation appliance.
  3. If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection.
  4. Make sure that the traffic is sent to the appliance according to the deployment:
    • Local Emulation - The Emulation appliance receives the traffic. The appliance can be configured for traffic the same as a Security Gateway.
    • Remote Emulation - The traffic is routed to the Emulation appliance.

Using Local or Remote Emulation

This section is for deployments that use an Emulation appliance and run emulation in the internal network.

Note - Prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.

To enable an Emulation appliance for Local and Remote emulation:

  1. In SmartConsole, go to Gateways & Servers and double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Select Locally on a Threat Prevention device.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Emulation appliance and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. For Local emulation, install the Threat Prevention policy on the Emulation appliance.

To enable Threat Emulation on the Security Gateway for Remote emulation:

  1. In SmartConsole, go to Gateways & Servers and double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Configure the Security Gateway for Remote Emulation:
    1. Select Other Emulation appliance.
    2. From the drop-down menu, select the Emulation appliance.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Security Gateway and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. Install the Threat Prevention policy on the Security Gateway and the Emulation appliance.

Configuring the Virtual Environment (Profile)

You can use the Emulation Environment window to configure the emulation location and images that are used for this profile.

The Analysis Locations section lets you select where the emulation is done.

The Environments section lets you select the operating system images on which the emulation is run. If the images defined in the profile and the Security Gateway or Emulation appliance are different, the profile settings are used.

These are the options to select the emulation images:

To configure the virtual environment settings for the profile:

  1. From the Threat Prevention profile navigation tree, select Threat Emulation > Emulation Environment.

    The Emulation Environment page opens.

  2. Set the Analysis Location setting:
    • To use the Security Gateway settings for the location of the virtual environment, click According to the gateway
    • To configure the profile to use a different location of the virtual environment, click Specify and select the applicable option
  3. Set the Environments setting:
    • To use the emulation environments recommended by Check Point security analysts, click Use Check Point recommended emulation environments
    • To select one or more images that are used for emulation, click Use the following emulation environments
  4. Click OK and close the Threat Prevention profile window.
  5. Install the Threat Prevention policy.

File Type Settings

You can configure the Threat Emulation Action and Emulation Location for each file type in the Threat Prevention profile.

To configure the file type settings for a profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.
  3. Double-click the Threat Prevention profile.
  4. From the navigation tree, select Threat Emulation.
  5. From the File Types section, select Process specific file types families.
  6. Click Configure.

    The Threat Emulation Supported File Types window opens.

  7. To change the emulation action for a file type, click Action and select one of these options:
    • Inspect - Threat Emulation opens these files.
    • Bypass - Files of this type are considered safe and the Software Blade does not do emulation for them.
  8. To change the emulation location for a file type, click Emulation location and select one of these options:
    • According to the gateway - The Emulation location settings that are defined in the Gateway Properties window are used for these files.
    • Locally - Emulation for these file types is done on the Emulation appliance.
    • ThreatCloud - These file types are sent to the ThreatCloud for emulation.
  9. Install Policy.

Excluding Emails

You can enter email addresses that are not included in Threat Emulation protection. SMTP traffic that is sent to or from these addresses is not sent for emulation.

Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to Inspect incoming and outgoing files.

To exclude emails from Threat Emulation:

  1. From the Threat Prevention profile navigation tree, select Threat Emulation > Excluded Mail Addresses.
  2. In the Recipients section, you can click the Add button and enter one or more emails.

    Emails and attachments that are sent to these addresses will not be sent for emulation.

  3. In the Senders section, you can click the Add button and enter one or more emails.

    Emails and attachments that are received from these addresses will not be sent for emulation.

    Note - You can also use a wildcard character to exclude more than one email address from a domain.

  4. Click OK and close the Threat Prevention profile window.
  5. Install the Threat Prevention policy.
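The following is an added example, not Check Point's code, that models two of the profile settings described above for SMTP traffic: the MIME Nesting limit with its Block/Allow behaviour (from the Anti-Virus and Threat Emulation mail configuration steps) and the Excluded Mail Addresses lists, including the wildcard form the note mentions. The POLICY dictionary, its field names, the function names and the sample messages are all constructed for the example; the real settings live in the profile, not in a dictionary.

```python
"""Added example (not Check Point's code): decide whether an SMTP message
is sent for emulation, applying the Excluded Mail Addresses lists (wildcard
allowed) and the Maximum MIME nesting limit with its Block/Allow behaviour.
The POLICY dict, function names and sample messages are constructed."""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from fnmatch import fnmatch

# Constructed stand-in for the profile settings (hypothetical field names).
POLICY = {
    "excluded_recipients": ["auditor@example.com"],
    "excluded_senders": ["*@trusted-partner.example"],  # wildcard excludes a whole domain
    "max_mime_nesting": 2,           # "Maximum MIME nesting is X levels"
    "on_nesting_exceeded": "block",  # "When nesting level is exceeded block/allow file"
}


def _addresses(msg: Message, header: str) -> list[str]:
    """Lower-cased addresses from all instances of a header (To, Cc, From)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]


def is_excluded(msg: Message, policy: dict) -> bool:
    """True if a recipient or the sender matches an exclusion pattern.
    fnmatch provides the '*' wildcard semantics the note describes."""
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc")
    senders = _addresses(msg, "From")
    return any(fnmatch(r, p.lower()) for r in recipients
               for p in policy["excluded_recipients"]) or \
        any(fnmatch(s, p.lower()) for s in senders
            for p in policy["excluded_senders"])


def mime_depth(part: Message, level: int = 0) -> int:
    """Deepest multipart nesting: a plain body is level 0 and each multipart
    container adds one level."""
    if not part.is_multipart():
        return level
    return max((mime_depth(child, level + 1) for child in part.get_payload()),
               default=level)


def decide(raw: str, policy: dict) -> str:
    """'skip' (address excluded), 'block' or 'allow' (nesting limit exceeded,
    per the configured behaviour) or 'emulate' (send for emulation)."""
    msg = message_from_string(raw)
    if is_excluded(msg, policy):
        return "skip"
    if mime_depth(msg) > policy["max_mime_nesting"]:
        return "block" if policy["on_nesting_exceeded"] == "block" else "allow"
    return "emulate"


def build_message(levels: int, sender: str = "alice@example.net",
                  recipient: str = "bob@example.com") -> str:
    """Constructed test message wrapped in `levels` nested multipart parts."""
    body = "Content-Type: text/plain\n\nhello\n"
    for i in range(levels):
        b = f"b{i}"
        body = (f'Content-Type: multipart/mixed; boundary="{b}"\n\n'
                f"--{b}\n{body}\n--{b}--\n")
    return f"From: {sender}\nTo: {recipient}\n{body}"


if __name__ == "__main__":
    for levels in (0, 2, 3):
        print(levels, decide(build_message(levels), POLICY))
    print("excluded sender:",
          decide(build_message(0, sender="x@trusted-partner.example"), POLICY))
```

With the constructed policy, a message nested three levels deep exceeds the limit of two and is blocked; switching `on_nesting_exceeded` to `allow` passes it through unscanned, which is the trade-off the Block/Allow setting expresses.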

Using an MTA

You can enable the Security Gateway as an MTA (Mail Transfer Agent) to manage the emulation of SMTP traffic. It is possible that during file emulation, the email server cannot keep the connection open for the time that is necessary for full emulation. When this happens, there is a timeout for the email. A Threat Emulation deployment with an MTA avoids this problem: the MTA completes and closes the connection with the source email server and then sends the file for emulation. After the emulation is complete, the MTA sends the email to the mail server in the internal network.

Note - MTA configuration also applies to VSX gateways.

To use the Security Gateway as an MTA:

  1. Enable the Security Gateway as an MTA.
  2. Configure the network to forward emails to the MTA.

Note - When you enable a gateway as an MTA, an implied rule is created which opens port 25 on the gateway. To disable this implied rule, see sk110758.

Enabling MTA on the Security Gateway

For a topology that uses TLS between the Security Gateway and the mail server, you must import the mail server certificate to the Security Gateway.

To enable the Security Gateway as an MTA:

  1. In SmartConsole, go to Gateways & Servers and double-click the Security Gateway and from the navigation tree select Mail Transfer Agent.

    The Mail Transfer Agent page opens.

  2. Select Enable as a Mail Transfer Agent.
  3. In the Mail Forwarding section, add one or more rules.
    1. Click the add rule button.
    2. Right-click the Domain cell and select Edit.
    3. Enter the domain for the SMTP traffic for this rule. The default setting is to use the wildcard * to send all traffic.
    4. Click OK.
    5. Click the Next Hop cell and select the node object that is the mail server for this rule.

      You can also configure the MTA to only run emulation and not forward emails to the mail server.

  4. Optional: Select Sign scanned emails and enter the message to add to emails when emulation is finished.
  5. If the mail server uses TLS inspection, do these steps to enable the MTA to support it:
    1. Click Import.

      The Import Outbound Certificate window opens.

    2. Click Browse and select the certificate file.
    3. Enter the Private key password for the certificate.
    4. Click OK.
    5. Select Enable SMTP/TLS.
  6. Optional: In the Advanced Settings section, click Configure Settings and configure the MTA interface and email settings.
  7. Click OK and then install the Threat Prevention policy.

Configuring the Network to Use an MTA

After you configure the Security Gateway as an MTA, change the settings to send SMTP traffic from external networks to the Security Gateway. Each organization has an MX record that points to the internal mail server, or a different MTA. The MX record defines the next hop for SMTP traffic that is sent to the organization. These procedures explain how to change the network settings to send SMTP to the Check Point MTA.

Important - If it is necessary to disable the MTA on the Security Gateway, change the SMTP settings or MX records first. Failure to do so can result in lost emails.

To configure an MTA for email that is sent to the internal mail server:

  1. Connect to the DNS settings for the network.
  2. Change the MX records, and define the Security Gateway as the next hop.

To configure an MTA for email that is sent to a different MTA:

  1. Connect to the SMTP settings on the MTA that sends email to the internal mail server.
  2. Change the SMTP settings and define the Security Gateway as the next hop.

Deploying MTA in BCC Mode

You can use the Check Point MTA to only monitor SMTP traffic. Configure the MTA to send emails only for emulation, but not to forward them to the mail server.

Note - Make sure that the mail relay in the network can send a copy of the emails to the Check Point MTA.

To configure the MTA not to forward emails:

  1. In SmartConsole, go to Gateways & Servers and double-click the Security Gateway and from the navigation tree select Mail Transfer Agent.

    The Mail Transfer Agent page opens.

  2. Make sure that all the Mail Forwarding rules are deleted.
  3. Click the add rule button.
  4. Click the Next Hop cell and click New.

    The Host Node window opens.

  5. Configure these settings:
    • Name - For example, No_Forward
    • IPv4 Address - Enter 0.0.0.0
  6. Click OK.

    The Host Node window closes, and the server object is added to the Next Hop cell.

  7. Click OK and then install the Threat Prevention policy.

Configuring Threat Extraction Settings

To configure Threat Extraction settings for a Threat Prevention profile:

  1. In the Security Policies view > Threat Tools section, click Profiles.
  2. Right-click a profile and select Edit.

    The Profiles properties window opens.

  3. On the General Policy page in the Blade Activation area, select Threat Extraction.
  4. Configure these Threat Extraction Settings:
  5. Click OK.

Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.

Threat Extraction General Settings

On the Threat Extraction > General page, you can configure these settings:

Exclude/Include Users

On the Threat Extraction > Exclude/Include Users page, you can configure these settings:

Note:

A user is an object that can contain an email address with other details.

A group is an AD group or LDAP group of users.

A recipient is an email address only.

Important: In the Application menu > Global Properties > User Directory, make sure that you selected the Use User Directory for Security Gateways option.

Threat Extraction Advanced Settings

On the Threat Extraction > Advanced page, you can configure these settings:

Configuring a Malware DNS Trap

The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway's external IP address as the DNS trap address but:

You can also add internal DNS servers to better identify the origin of malicious DNS requests.

Using the Malware DNS Trap you can detect compromised clients by checking logs with connection attempts to the false IP address.

At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.

To set the Malware DNS Trap parameters for the profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Malware DNS Trap.
  5. Click Activate DNS Trap.
  6. Enter the IP address for the DNS trap.
  7. Optional: Add Internal DNS Servers to identify the origin of malicious DNS requests.
  8. Click OK and close the Threat Prevention profile window.
  9. Install the Threat Prevention policy.

To set the Malware DNS Trap parameters for a gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, select Anti-Bot and Anti-Virus.
  3. In the Malicious DNS Trap section, select one of these options:
    • According to profile settings - Use the Malware DNS Trap IP address configured for each profile.
    • IPv4 - Enter an IP address to be used in all the profiles assigned to this Security Gateway.
  4. Click OK.
  5. Install the policy.
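The following is an added example, not Check Point's code, that shows the detection side of the Malware DNS Trap described above: once a client resolves a known-malicious domain to the trap address, its next connection attempt goes to that address, so scanning connection logs for the trap address as destination yields the candidate compromised clients. The log format, trap address, internal DNS server list and host addresses are all constructed; how hits from the internal DNS servers themselves are triaged is an assumption stated in the code.

```python
"""Added example (not Check Point's code): find candidate compromised
clients by scanning connection logs for attempts to reach the Malware DNS
Trap address. The log format, trap address, internal DNS server list and
hosts are all constructed for this example."""
import re
from collections import defaultdict

TRAP_IP = "203.0.113.10"        # constructed trap address (TEST-NET-3 range)
INTERNAL_DNS = {"10.0.0.53"}     # constructed list of internal DNS servers

# Constructed, simplified connection log: "time src= dst= dport= action=".
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.1.25 dst=203.0.113.10 dport=443 action=drop
2024-05-01T10:00:02 src=10.0.1.25 dst=203.0.113.10 dport=80 action=drop
2024-05-01T10:00:05 src=10.0.2.7 dst=198.51.100.20 dport=443 action=accept
2024-05-01T10:00:09 src=10.0.0.53 dst=203.0.113.10 dport=53 action=drop
2024-05-01T10:01:00 src=10.0.3.3 dst=203.0.113.10 dport=8080 action=drop
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def trap_hits(log_text, trap_ip=TRAP_IP):
    """Map each source that tried to reach the trap address to the sorted
    destination ports it attempted; traffic to other destinations is ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dst") == trap_ip:
            hits[m.group("src")].add(int(m.group("dport")))
    return {src: sorted(ports) for src, ports in hits.items()}


def classify(hits, internal_dns=INTERNAL_DNS):
    """Separate endpoint hits (candidate compromised clients) from hits made
    by the internal DNS servers themselves. Assumption for triage: a resolver
    reaching the trap only shows that a lookup was relayed, so the originating
    client must be found in that resolver's own query logs; listing the
    internal DNS servers in the profile serves the same purpose."""
    clients = {s: p for s, p in hits.items() if s not in internal_dns}
    relays = {s: p for s, p in hits.items() if s in internal_dns}
    return clients, relays


if __name__ == "__main__":
    clients, relays = classify(trap_hits(SAMPLE_LOG))
    for src, ports in clients.items():
        print(f"candidate compromised client {src}: trap ports {ports}")
    for src, ports in relays.items():
        print(f"internal DNS server {src} reached the trap: check its query logs")
```

Because the trap address is one you control and no legitimate service listens on it, any connection attempt to it is a high-confidence signal regardless of the port, which is why the example keeps every port rather than filtering on 80 and 443.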

Configuring Inspection of Links Inside Mail

Inspection of Links Inside Mail scans URL links in the body of email messages, subject, or .txt attachments, and checks them against the URL reputation database. The email messages that contain malicious URL links are blocked.

Inspection of Links Inside Mail is on by default, and scans incoming mail with Anti-Virus Software Blade and outgoing mail with Anti-Bot Software Blade.

To turn Inspection of Links Inside Mail off:

  1. Go to Security Policies > Threat Prevention > Threat Tools > Protections.
  2. Right-click on a Links Inside Mail protection, and select Inactive Selected.

    Note - For each Software Blade (Anti-Bot and Anti-Virus) you must turn off the Links Inside Mail separately.

To turn Inspection of Links Inside Mail on:

  1. Go to Security Policies > Threat Prevention > Threat Tools > Protections.
  2. Right-click on a Links Inside Mail protection, and select one of these -
    • Prevent Selected
    • Detect Selected

To configure Link Inspection Inside Mail:

  1. Go to Security Policies > Threat Prevention > Threat Tools.
  2. Select a profile.
  3. Click Edit.
  4. In the window that opens, select Advanced > Links inside mail.

    The Links inside mail page opens.

  5. Configure the Links inside mail settings.
    • Inspect first <number> (KB) of email messages
    • Inspect first <number> URLs in email messages
  6. Click OK.
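The following is an added example, not Check Point's code, that models the two Links inside mail limits just listed: only the first <number> KB of a message is scanned for URLs, and only the first <number> URLs found are checked. The real check runs against Check Point's URL reputation database; here a constructed set of flagged hostnames stands in for it, and the sample message body is constructed so that the malicious link sits beyond a 2 KB window but inside a 4 KB one.

```python
"""Added example (not Check Point's code): apply the "Inspect first <number>
(KB) of email messages" and "Inspect first <number> URLs in email messages"
limits to a constructed message body, then check the extracted URLs against
a constructed list of flagged hosts (stand-in for the URL reputation database)."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed reputation data: hostnames flagged as malicious.
BAD_HOSTS = {"malicious.example", "phish.example.net"}


def extract_urls(text, max_kb, max_urls):
    """Return at most `max_urls` URLs found in the first `max_kb` KB of text.
    Text beyond the size limit is never scanned, which is the trade-off the
    profile setting expresses."""
    window = text.encode("utf-8")[: max_kb * 1024].decode("utf-8", "ignore")
    return URL_RE.findall(window)[:max_urls]


def _host(url):
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def links_verdict(text, max_kb=2, max_urls=100, bad_hosts=BAD_HOSTS):
    """('prevent', [flagged urls]) if any inspected URL has a flagged host,
    otherwise ('allow', [])."""
    bad = [u for u in extract_urls(text, max_kb, max_urls) if _host(u) in bad_hosts]
    return ("prevent", bad) if bad else ("allow", [])


# Constructed sample: the malicious link follows 3 KB of filler text, so a
# 2 KB limit never sees it while a 4 KB limit catches it.
SAMPLE_BODY = ("Quarterly update. See http://intranet.example.com/report\n"
               + ("x" * 3072)
               + "\nInvoice: http://malicious.example/inv.pdf\n")


if __name__ == "__main__":
    for kb in (2, 4):
        print(f"limit {kb} KB ->", links_verdict(SAMPLE_BODY, max_kb=kb))
```

The size and URL-count limits bound inspection cost, but the example makes the cost of a small window visible: a link placed after enough padding is simply not inspected, so tune the limits against the size of mail your organisation actually receives rather than leaving them at a value that a padded message can exceed.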

Exception Rules

If necessary, you can add an exception directly to a rule. An exception sets a different Action for an object in the Protected Scope from the Action specified in the Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection and not to increase it. For example: The Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.

You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.

You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.

You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.

To add an exception to a rule:

  1. In the Policy pane, select the rule to which you want to add an exception.
  2. Click Add Exception.
  3. Select the Above, Below, or Bottom option according to where you want to place the exception.
  4. Enter values for the columns, including these:
    • Protected Scope - Change it to reflect the relevant objects.
    • Protection - Click the plus sign in the cell to open the Protections viewer. Select the protection(s) and click OK.
  5. Install Policy.

Note - You cannot set an exception rule to an inactive protection or an inactive blade.

Disabling a Protection on One Server

Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on Windows servers. How can I change this protection to Detect for one server only?

In this example, create this Threat Prevention rule, and install the Threat Prevention policy:

Name | Protected Scope | Protection/Site | Action | Track | Install On
Monitor Bot Activity | Any | N/A | A profile based on the Optimized profile. Edit this profile > go to the General Policy pane > in the Activation Mode section, set every Confidence to Prevent. | Log | Policy Targets
Exclude | Server_1 | Backdoor.Win32.Agent.AH | Detect | Log | Server_1

To add an exception to a rule:

  1. In SmartConsole, click Threat Prevention > Policy > Layer.
  2. Click the rule that contains the scope of Server_1.
  3. Click the Add Exception toolbar button to add the exception to the rule. The gateway applies the first exception matched.
  4. Right-click the rule and select New Exception.
  5. Configure these settings:
    • Name - Give the exception a name such as Exclude.
    • Protected Scope - Change it to Server_1 so that it applies to all detections on the server.
    • Protection/Site - Click + in the cell. From the drop-down menu, click the category and select one or more of the items to exclude.

      Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them if archive scanning is enabled.

    • Action - Keep it as Detect.
    • Track - Keep it as Log.
    • Install On - Keep it as Policy Targets or select specified gateways to install the rule on.
  6. Install Policy.

Blade Exceptions

You can also configure an exception for an entire blade.

To configure a blade exception:

  1. In the Policy, select the Layer rule to which you want to add an exception.
  2. Click Add Exception.
  3. Select the Above, Below, or Bottom option according to where you want to place the exception.
  4. In the Protection/Site column, select Blades from the drop-down menu.
  5. Select the blade you want to exclude.
  6. Install Policy.

Creating Exceptions from IPS Protections

To create an exception from an IPS protection:

  1. Go to Security Policies > Threat Prevention > Policy > IPS Protections.
  2. Right-click a protection and select Add Exception.
  3. Configure the exception rule.
  4. Click OK.
  5. Install Policy.

Exception Groups

An exception group is a container for one or more exceptions. You can attach an exception group to all rules or only to some rules. With exception groups, you can manage your exceptions more easily, because you can attach the same exception group to multiple rules instead of manually defining exceptions for each rule.

The Exception Groups pane shows a list of exception groups that were created, the rules that use them, and any comments related to the defined group. The Exception Groups pane contains these options:

Option | Meaning
New | Creates a new exception group.
Edit | Modifies an existing exception group.
Delete | Deletes an exception group.
Search | Searches for an exception group.

Global Exceptions

The system comes with a predefined group named Global Exceptions. Exceptions that you define in the Global Exceptions group are automatically added to every rule in the Rule Base. For other exception groups, you can decide to which rules to add them.

Exception Groups in the Rule Base

Global exceptions and other exception groups are added as shaded rows below the rule in the Rule Base. Each exception group is labeled with a tab that shows the exception group's name. The exceptions within a group are identified in the No. column using the syntax E-<rule number>.<exception number>, where E identifies the line as an exception. For example, if there is a Global Exceptions group that contains two exceptions, all rules show the exception rows in the Rule Base No. column as E-1.1 and E-1.2. Note that the numbering of exceptions changes when you move the exceptions within a rule.
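The following Python model walks through the matching behaviour described in the Exception Rules section (the Server_1 scenario, where an exception lowers Prevent to Detect for one host, and the rule that the gateway applies the first exception matched) together with the Global Exceptions behaviour above (a group whose exceptions are attached to every rule). It is an added illustration written for this page, not Check Point code, and it does not reproduce the gateway's real matching engine. The ordering it assumes (match the rule, then its exceptions in order with the first match winning, global exceptions numbered before the rule's own exceptions), the `Blade:<name>` notation for blade exceptions, the `stricter_exceptions` review check, and the Scanner_1 host and Some.Other.Signature protection are all constructed assumptions; Server_1, Backdoor.Win32.Agent.AH and the Monitor Bot Activity rule come from the scenario in this section.

```python
"""Constructed model of Threat Prevention rule and exception matching.

Written as an example for this page; not Check Point code. The matching
order (rule first, then its exceptions in order, first match wins, Global
Exceptions numbered before the rule's own) is an assumption drawn from the
surrounding text, not a statement about the real gateway engine.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = "Any"
# Relative enforcement strength; an exception normally moves an action *down*.
STRENGTH = {"Inactive": 0, "Detect": 1, "Prevent": 2}


@dataclass
class ExceptionRule:
    name: str
    protected_scope: str  # host object name or "Any"
    protection: str       # protection name, "Any", or "Blade:<blade>" (assumed notation)
    action: str           # "Prevent", "Detect" or "Inactive"


@dataclass
class Rule:
    name: str
    protected_scope: str
    action: str           # action the profile assigns to matching protections
    exceptions: List[ExceptionRule] = field(default_factory=list)


def scope_matches(scope: str, host: str) -> bool:
    return scope == ANY or scope == host


def protection_matches(exc_protection: str, protection: str, blade: str) -> bool:
    # A blade exception matches every protection enforced by that blade.
    if exc_protection == ANY:
        return True
    if exc_protection.startswith("Blade:"):
        return exc_protection[len("Blade:"):] == blade
    return exc_protection == protection


def numbered_exceptions(rule_no: int, global_exceptions, rule: Rule):
    # Label rows E-<rule number>.<exception number>, as in the No. column.
    # Assumption: Global Exceptions are listed before the rule's own exceptions.
    combined = list(global_exceptions) + list(rule.exceptions)
    return [(f"E-{rule_no}.{i}", exc) for i, exc in enumerate(combined, start=1)]


def evaluate(rule_base, global_exceptions, host, protection, blade) -> Tuple[str, str]:
    """Return (matched row label, action) for one detection event."""
    for rule_no, rule in enumerate(rule_base, start=1):
        if not scope_matches(rule.protected_scope, host):
            continue
        # The gateway applies the first exception matched.
        for label, exc in numbered_exceptions(rule_no, global_exceptions, rule):
            if scope_matches(exc.protected_scope, host) and \
               protection_matches(exc.protection, protection, blade):
                return label, exc.action
        return rule.name, rule.action
    return "no rule", "None"


def stricter_exceptions(rule_base, global_exceptions) -> List[str]:
    """Labels of exceptions whose action is *stronger* than the rule's own.

    Exceptions are meant to reduce enforcement, so such rows deserve review
    (the page says only some Anti-Bot and IPS signatures allow them)."""
    flagged = []
    for rule_no, rule in enumerate(rule_base, start=1):
        for label, exc in numbered_exceptions(rule_no, global_exceptions, rule):
            if STRENGTH[exc.action] > STRENGTH[rule.action]:
                flagged.append(f"{label} ({exc.name}) on rule '{rule.name}'")
    return flagged


# --- Constructed data for the Server_1 scenario in this section ---
GLOBAL_EXCEPTIONS = [
    # Constructed: a scanner host whose traffic should only be logged.
    ExceptionRule("Scanner", "Scanner_1", ANY, "Detect"),
]
RULE_BASE = [
    Rule("Monitor Bot Activity", ANY, "Prevent", exceptions=[
        ExceptionRule("Exclude", "Server_1", "Backdoor.Win32.Agent.AH", "Detect"),
    ]),
]

if __name__ == "__main__":
    for host, prot in [("Server_1", "Backdoor.Win32.Agent.AH"),
                       ("Server_2", "Backdoor.Win32.Agent.AH"),
                       ("Scanner_1", "Some.Other.Signature")]:
        print(host, prot, "->", evaluate(RULE_BASE, GLOBAL_EXCEPTIONS, host, prot, "Anti-Bot"))
    print("exceptions stricter than their rule:",
          stricter_exceptions(RULE_BASE, GLOBAL_EXCEPTIONS))
```

Run as a script, the model shows Server_1 matching the E-1.2 Exclude row (Detect), Server_2 falling through to the rule's Prevent action, and Scanner_1 matching the global E-1.1 row on any protection. `stricter_exceptions` is the check a reviewer would run over a Rule Base before Install Policy: it lists every exception row that raises enforcement above the rule it hangs off, which is the unusual case this section says to use only for some Anti-Bot and IPS signatures.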

To view exception groups in the Rule Base:

Click the plus or minus sign next to the rule number in the No. column to expand or collapse the rule exceptions and exception groups.

Creating Exception Groups

When you create an exception group, you create a container for one or more exceptions. After you create the group, add exceptions to it. You can then add the group to rules that require the exception group in the Threat Prevention Rule Base.

To create an exception group:

  1. In SmartConsole, select Security Policies > Threat Prevention > Exceptions.
  2. In the Exceptions section, click New.
  3. In Apply On, configure how the exception group is used in the Threat Prevention policy.
    • Manually attach to a rule - This exception group applies only when you add it to Threat Prevention rules.
    • Automatically attached to each rule with profile - This exception group applies to all Threat Prevention rules in the specified profile.
    • Automatically attached to all rules - This exception group applies to all Threat Prevention rules.
  4. Click OK.
  5. Install the Threat Prevention policies.

Adding Exceptions to Exception Groups

To use exception groups, you must add exception rules to them.

To add exceptions to an exception group:

  1. In SmartConsole, select Security Policies > Threat Prevention > Exceptions.
  2. In the Exceptions section, click the exception group to which you want to add an exception.
  3. Click Add Exception Rule.
  4. Configure the settings for the new exception rule.
  5. Install the Threat Prevention policy.

Adding Exception Groups to the Rule Base

You can add exception groups to Threat Prevention rules. This only applies to exception groups that are configured to Manually attach to a rule.

To add an exception group to the Rule Base:

  1. Click Security Policies > Threat Prevention > Policy.
  2. Right-click the rule and select Add Exception Group > <group name>.
  3. Install the Threat Prevention policies.

Creating Exceptions from Logs or Events

In some cases, after evaluating a log or an event in the Logs & Monitor view, it may be necessary to update a rule exception in the SmartConsole Rule Base. You can do this directly from within the Logs & Monitor view. You can apply the exception to a specified rule or apply the exception to all rules that show under Global Exceptions.

To update a rule exception or global exception from a log:

  1. Click Logs & Monitor > Logs tab.
  2. Right-click the log and select Add Exception.
  3. Configure the settings for the exception.
  4. Click OK.
  5. In the New Exception Rule window:
    • To show the exception in the policy, click Go to
    • Otherwise, click Close
  6. Install Policy.