Print Download Complete help as Archive Send Feedback

Previous

Next

Threat Prevention

What can I do here?

Use this window to configure a Threat Prevention policy.

Getting Here

Getting Here - Security Policies > Threat Prevention > Policy

The Threat Prevention Policy

The Threat Prevention policy determines how the system inspects connections for bots and viruses. The primary component of the policy is the Rule Base. The rules use the Malware database and network objects.

If you enable Identity Awareness on your gateways, you can also use Access Role objects as the scope in a rule. This lets you easily make rules for individuals or different groups of users.

There are no implied rules in the Rule Base. All traffic is allowed unless it is explicitly blocked.

The columns of a rule define the traffic that it matches and what is done to that traffic.

Rule Columns

Item

Description

No

The rule number. The sequence is important. The first rule that matches traffic according to a protected scope and profile is applied.

For example, if rules 1 and 2 share the same protected scope and a profile in rule 1 is set to detect protections with a medium confidence level and the profile in rule 2 is set to prevent protections with a medium confidence level, then protections with a medium confidence level will be detected based on rule 1.

Name

The name of the rule. Give the rule a descriptive name. A name can include spaces.

Protected Scope

Threat Prevention inspects traffic to and/or from all objects specified in the Protected Scope, even when the specified object did not open the connection.

You can set the Protected Scope parameter to Any. This option lets Threat Prevention inspect traffic based on the direction and interface type as defined by the Profile assigned to the applicable rule. By default, the predefined Recommended Rule sets the Protection Scope to Any.

Source

The source of the connection

Destination

The connection's destination

Protection/Site/File/Blade

Shows the protections for the policy. The Threat Prevention policy includes the Anti-Bot, Threat Emulation, and Anti-Virus protections.

For Rules, this field is always set to N/A and cannot be changed. Protections for Rule Base rules are defined in the configured profile (in the Action column).

For rule exceptions and exception groups, this field can be set to one or more specified protections.

Services

Adds services

Action

Action shows how the traffic is inspected.

For Rules, this is defined by the profile. The profile contains the configuration options for different confidence levels and performance impact.

For rule exceptions and exception groups, the action can be set to Ask, Prevent, Detect, or Inactive.

Track

Shows if the traffic is logged or triggers various notifications, traps, or alerts.

Packet capture allows the packets relevant to the connection to be captured for analysis. The packet capture can be viewed from the event in the Logs & Monitor > Logs view. This can be configured only for rules (not rule exceptions).

To configure packet capture, select any tracking action other than None and then select Packet capture.

Install On

Select a gateway for the policy