Configuring Zero Phishing Settings - Custom Threat Prevention

Zero Phishing (ZPH) is a Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. It uses two main engines:

  • Real-time phishing prevention based on URLs.

  • In-Browser Zero Phishing.

For more information about these two engines, see The Check Point Threat Prevention Solution.

For information on how to enable Zero Phishing, see Getting Started with Custom Threat Prevention.

To disable the Zero Phishing protection:

  1. In SmartConsole, go to Security Policies > Threat Prevention > Custom Threat Prevention > Custom Policy Tools > Profiles.

  2. Select the required profile.

  3. In the General Policy page, clear Zero Phishing.

To disable In-browser Zero Phishing:

  1. In SmartConsole, go to Security Policies > Threat Prevention > Custom Threat Prevention > Custom Policy Tools > Profiles.

  2. Select the required profile.

  3. In the profile, go to the Zero Phishing page.

  4. Clear the In-browser Zero Phishing checkbox.

Limitations:

  • In-browser Zero Phishing does not support Internet Explorer.

  • In-browser Zero Phishing does not support mirrored traffic (Mirror Port, Span Port, Tap mode).

You can block or allow sites that the Cloud Service is unable to classify as Phishing or Benign.

To block unclassified sites, run this command on the Security Gateway CLI:

zph att set inbrowser_block_unclassified_sites 1

To allow unclassified sites (default), run this command on the Security Gateway CLI:

zph att set inbrowser_block_unclassified_sites 0

Configuring Zero Phishing UserCheck Settings

Starting from SmartConsole Build 646, you can select the UserCheck message that appears in case of a suspected phishing attempt.

Prevent - Select the UserCheck message that opens for the Prevent action. The default message is Zero Phishing Blocked.

You can create UserCheck messages of your own for the Prevent action and configure their settings. To do this, go to Security Policies > Threat Prevention > Custom Threat Prevention > Custom Policy Tools > UserCheck, and in the UserCheck page, click New. For more information, see Threat Prevention and UserCheck - Custom Threat Prevention.

Configuring Zero Phishing Exceptions

To skip unnecessary scans of popular sites, we recommend that you configure the Zero Phishing blade to bypass specific popular sites.

To configure the Zero Phishing blade to bypass popular sites:

  1. In SmartConsole, go to the Security Policies view > Threat Prevention > Exceptions.

  2. Click Add Exception > Below.

  3. Give a name to the rule.

  4. In the Protected Scope column:

    1. Click the "Plus" (+) button.

    2. In the window that opens, go to Import > Updatable Objects.

    3. Search for Zero Phishing Bypass and select it.

    4. Click OK.

  5. In the Protection/Site/File/Blade column:

    1. Click the "Plus" (+) button.

    2. From the drop-down menu in the window that opens, select Blades.

    3. From the list of blades, select Zero Phishing.

  6. In the Action column, select Inactive.

  7. Install Policy.

Notes -

  • For proper enforcement, make sure that this rule is the last rule under Global Exceptions.

  • For any exception rule that contains Zero Phishing in the Protection/Site/File/Blade column, in the Install On column, you must select Security Gateways with Zero Phishing enabled.

The list of bypassed sites dynamically changes. To see the list, go to sk179726.