Configuring Zero Phishing Settings - Autonomous Threat Prevention

Zero Phishing (ZPH) is a Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. It is active by default on the Perimeter and Strict profiles.

In-Browser Zero Phishing is off by default in all profiles.

To enable In-browser Zero Phishing:

  1. In SmartConsole, go to Threat Prevention > Autonomous Policy > Settings > Advanced Settings.

  2. From the drop-down menu, select In-browser Zero Phishing.

  3. Change the value to On.

  4. Click Apply.

  5. Install the Threat Prevention Policy.

If HTTPS Inspection is active, in-browser Zero Phishing requires:

Limitations:

  • In-browser Zero Phishing does not support Internet Explorer.

  • In-browser Zero Phishing does not support mirrored traffic (Mirror Port, Span Port, Tap mode).

Zero Phishing and Unclassified Sites

You can block or allow sites that the Cloud Service is unable to classify as Phishing or Benign.

To block unclassified sites, run this command on the Security Gateway CLI:

zph att set inbrowser_block_unclassified_sites 1

To allow unclassified sites (default), run this command on the Security Gateway CLI:

zph att set inbrowser_block_unclassified_sites 0

Zero Phishing Exceptions

To skip unnecessary scans of popular sites, we recommend configuring the Zero Phishing blade to bypass specific popular sites.

To configure the Zero Phishing blade to bypass popular sites:

  1. In SmartConsole, go to the Security Policies view > Threat Prevention > Exceptions.

  2. Click Add Exception > Below.

  3. Give a name to the rule.

  4. In the Protected Scope column:

    1. Click the "Plus" (+) button.

    2. In the window that opens, go to Import > Updatable Objects.

    3. Search for Zero Phishing Bypass and select it.

    4. Click OK.

  5. In the Protection/Site/File/Blade column:

    1. Click the "Plus" (+) button.

    2. From the drop-down menu in the window that opens, select Blades.

    3. From the list of blades, select Zero Phishing.

  6. In the Action column, select Inactive.

  7. Install Policy.

Notes -

  • For proper enforcement, make sure that this rule is the last rule under Global Exceptions.

  • For any exception rule that contains Zero Phishing in the Protection/Site/File/Blade column, in the Install On column, you must select Security Gateways with Zero Phishing enabled.

The list of bypassed sites dynamically changes. To see the list, go to sk179726.