Print Download Complete help as Archive Send Feedback

Previous

Next

Threat Prevention Layer - New or Edit

What can I do here?

Use this window to create or edit a Threat Prevention layer.

Getting Here

Getting Here - Security Policies > Threat Prevention > Right-click Policy > Edit Policy > In the Threat Prevention section > click the (+) icon >

Or:

Menu > Manage Polices > New or Edit > In the Threat Prevention section > click the (+) icon.

Or:

Connect SmartConsole to the Global Domain > Security Policies Click (+) to open the Manage Policies tab > Click the Manage Policies link > click New > Select the Threat Prevention option > In the Threat Prevention section click the (+) icon.

Threat Prevention Policy Layers

You can create a Threat Prevention Rule Base with multiple Policy Layers. Policy Layers help you organize your Rule Base to best suit your organizational needs. You can divide the Policy Layers by services or networks. Each Policy Layer calculates its action separately from the other Layers. In case of one Layer in the policy package, the rule enforced is the first rule matched. In case of multiple Layers:

Important - When the Threat Prevention blades run in MTA mode, the gateway enforces the automatic MTA rule, which is created when MTA is enabled on the gateway.

Action Enforcement in Multiple-Layered Security Policies

These examples show which action the gateway enforces when a connection matches rules in more than one Policy Layers.

Example 1

 

Data Center Layer

Corporate LAN Layer

Rule matched

Rule 3

Rule 1

Profile action

Prevent

Detect

Enforced action: Prevent

Example 2

 

Data Center Layer

Corporate LAN Layer

Rule matched

Rule 3

Rule 1

Profile action

Prevent

Detect

Exception for protection X

Inactive

-

Enforced action for protection X: Detect

Example 3

 

Data Center Layer

Corporate LAN Layer

Rule matched

Rule 3

Rule 1

Profile action

Prevent

Detect

Override for protection X

Detect

-

Exception for protection X

Inactive

-

Exception is prior to override and profile action. Therefore, the action for the Data Center Layer is Inactive.

The action for the Corporate LAN Layer is Detect.

Enforced action for protection X: Detect.

Example 4

 

Data Center Layer

Corporate LAN Layer

Rule matched

Rule 3

Rule 1

Profile action

Deep Scan all files

Process specific file type families: Inspect doc files and Drop rtf files.

Enforced action: Deep Scan doc files and Drop rtf files.

Example 5

MIME nesting level and Maximum archive scanning time

The strictest action is:

Block combined with the minimum nesting level/scanning time, or

Allow combined with the maximum nesting level/scanning time, or

If both Block and Allow are matched, the enforced action is Block.

Example 6

UserCheck

 

HR Layer

Finance Layer

Data Center Layer 3

Rule matched

Rule 3

Rule 1

Rule 4

Profile action

Detect

Prevent

Prevent

Configured page

Page A

Page B

Page C

The first Layer with the strictest action is enforced.

Enforced Action: Prevent with UserCheck Page B.

Threat Prevention Layers in Pre-R80 Gateways

In pre-R80 versions, the IPS Software Blade was not part of the Threat Prevention Policy, and was managed separately. In R80.xx versions, the IPS Software Blade is integrated into the Threat Prevention Policy.

When you upgrade SmartConsole to R80.xx from earlier versions, with some Security Gateways upgraded to R80.xx, and other Security Gateways remaining in previous versions:

Best Practice - For better performance, we recommend that you use the Optimized profile when you upgrade to R80 or higher from earlier versions.