In This Section: |
Create and manage the policy for the Threat Prevention Software Blade as part of the Threat Prevention Policy.
Click the Add Rule button to get started.
Best Practice - Disable a rule when you work on it. Enable the rule when you want to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right click in the No. column of the rule and select Disable.
To configure IPS settings for a Threat Prevention profile:
The Profiles page opens.
Note - These categories are different from the protections in the Additional Activation page.
There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.
In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the IPS > Updates page in the Profiles navigation tree. Select one of these settings for Newly Updated Protections:
Set activation as staging mode - Newly updated protections remain in staging mode until you change their configuration. The default action for protections in staging mode is Detect. You can change the action manually in the IPS Protections page.
Click Configure to exclude specific protections from staging mode.
Best Practice - In the beginning, allow IPS to activate protections based on the IPS policy. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.
To block viruses and malware in your organization:
The First Time Activation window opens.
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
Here you can configure the Anti-Bot UserCheck Settings:
To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.
Protected Scope |
Action |
Track |
Install On |
---|---|---|---|
*Any |
Optimized |
Log Packet Capture |
*Policy Targets |
To block bots in your organization:
The First Time Activation window opens.
You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.
Alternatively, add a new Threat Prevention rule:
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?
In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:
Name |
Protected Scope |
Action |
Track |
Install On |
---|---|---|---|---|
Monitor Bot activity |
|
A profile that has these changes relative to the Optimized profile: Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect. |
|
|
To monitor all bot activity:
The Profiles page opens.
This profile detects protections that are identified as an attack with low, medium or high confidence and have a medium or lower performance impact.
The first rule that matches is applied.
Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on windows servers. How can I change this protection to detect for one server only?
In this example, create this Threat Prevention rule, and install the Threat Prevention policy:
Name |
Protected Scope |
Protection/Site |
Action |
Track |
Install On |
---|---|---|---|---|---|
Monitor Bot Activity |
|
|
A profile based on the Optimized profile. Edit this profile > go to the General Policy pane> in the Activation Mode section, set every Confidence to Prevent. |
Log |
Policy Targets |
Exclude |
Server_1 |
|
Detect |
Log |
Server_1 |
To add an exception to a rule:
Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them, if archive scanning is enabled.
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:
The gateway window opens and shows the General Properties page.
Do this procedure for each interface that goes to the DMZ.
If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.
To configure Threat Emulation settings for a Threat Prevention profile:
The Profiles page opens.
What are the available emulation actions that I can use with a Threat Emulation profile?
Note - To estimate the system requirements and amount of file emulations for a network, go to sk93598.
You can use the Emulation Environment window to configure the emulation location and images that are used for this profile:
Note - In the Remote Emulation Appliances option, for R80.10 gateways with R80.10 Jumbo Hotfix Accumulator and R77.20 gateways, you can select multiple appliances for remote emulation. For older gateways, you can select only one appliance for remote emulation.
These are the options to select the emulation images:
You can enter email addresses that are not included in the Threat Emulation protection. SMTP traffic that is sent to or from these addresses is not sent for emulation.
Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to Inspect incoming and outgoing files.
To exclude emails from the Threat Emulation protection:
Emails and attachments that are sent to these addresses will not be sent for emulation.
Emails and attachments that are received from these addresses will not be sent for emulation.
Note - You can also use a wildcard character to exclude more than one email address from a domain.
Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.
This section is for deployments that use an Emulation appliance and run emulation in the internal network.
Note - Prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.
To enable an Emulation appliance for Local and Remote emulation:
The Gateway Properties window opens.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
The Summary page opens.
The Gateway Properties window closes.
To enable Threat Emulation on the Security Gateway for Remote emulation:
The Gateway Properties window opens.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
The Summary page opens.
The Gateway Properties window closes.
To configure Threat Extraction settings for a Threat Prevention profile:
The Profiles properties window opens.
Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.
To configure the Threat Extraction blade on the gateway:
The Threat Extraction First Time Activation Wizard opens.
The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateways external IP address as the DNS trap address but:
You can also add internal DNS servers to better identify the origin of malicious DNS requests.
Using the Malware DNS Trap you can detect compromised clients by checking logs with connection attempts to the false IP address.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
To set the Malware DNS Trap parameters for the profile:
The Profiles page opens.
To set the Malware DNS Trap parameters for a gateway:
The gateway window opens and shows the General Properties page.
If necessary, you can add an exception directly to a rule. An exception sets a different Action to an object in the Protected Scope from the Action specified Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection and not to increase it. For example: The Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.
You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.
You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.
You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.
To add an exception to a rule:
Note - You cannot set an exception rule to an inactive protection or an inactive blade.
You can also configure an exception for an entire blade.
To configure a blade exception: