Configuring Zero Phishing Settings - Custom Threat Prevention
Zero Phishing (ZPH), a Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs, uses two main engines:
- Real-time phishing prevention based on URLs.
- In-Browser Zero Phishing.
For more information about these two engines, see The Check Point Threat Prevention Solution.
For information on how to enable Zero Phishing, see Getting Started with Custom Threat Prevention.
To disable the Zero Phishing protection:
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), go to Security Policies > Threat Prevention > Custom Threat Prevention > Custom Policy Tools > Profiles.
- Select the required profile.
- In the General Policy page, clear Zero Phishing.
To disable In-browser Zero Phishing:
- In SmartConsole, go to Security Policies > Threat Prevention > Custom Threat Prevention > Custom Policy Tools > Profiles.
- Select the required profile.
- In the profile, go to the Zero Phishing page.
- Clear the In-browser Zero Phishing checkbox.
Limitations:
- In-browser Zero Phishing does not support Internet Explorer.
- In-browser Zero Phishing does not support mirrored traffic (Mirror Port, Span Port, Tap mode).
You can block or allow sites that the Cloud Service is unable to classify as Phishing or Benign.
To block unclassified sites, run this command on the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) CLI:
|
|
To allow unclassified sites (default), run this command on the Security Gateway CLI:
    zph att set inbrowser_block_unclassified_sites 0
Configuring Zero Phishing UserCheck Settings
Here you can select the UserCheck message that appears in case of a suspected phishing attempt. UserCheck is functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy.
Prevent - Select the UserCheck message that opens for the Prevent action. The default message is Zero Phishing Blocked.
You can create your own UserCheck messages for the Prevent action and configure their settings. To do this, go to Security Policies > Threat Prevention > Custom Threat Prevention > Custom Policy Tools > UserCheck, and in the UserCheck page, click New. For more information, see UserCheck in the Threat Prevention Policy.
Configuring Zero Phishing Exceptions
To skip unnecessary scans of popular sites, we recommend that you configure the Zero Phishing Software Blade to bypass specific popular sites. (A Software Blade is a specific security solution (module): on a Security Gateway, each Software Blade inspects specific characteristics of the traffic; on a Management Server, each Software Blade enables different management capabilities.)
To configure the Zero Phishing blade to bypass popular sites:
- In SmartConsole, go to the Security Policies view > Threat Prevention > Exceptions.
- Click Add Exception > Below.
- Give a name to the rule (a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session).
- In the Protected Scope column:
  - Click the "Plus" (+) button.
  - In the window that opens, go to Import > Updatable Objects.
  - Search for Zero Phishing Bypass and select it.
  - Click OK.
- In the Protection/Site/File/Blade column:
  - Click the "Plus" (+) button.
  - From the drop-down menu in the window that opens, select Blades.
  - From the list of blades, select Zero Phishing.
- In the Action column, select Inactive.
- Install the Threat Prevention Policy.
Note: The list of bypassed sites changes dynamically. To see the list, go to sk179726.
Configuring Zero Phishing on the Security Gateway
On the Security Gateway object, you can configure the Security Gateway FQDN, which is required for the Zero Phishing in-browser functionality (in case you did not configure the Security Gateway FQDN in the Zero Phishing First Time Configuration Wizard).
Select one of these two options:
- Use automatic settings (recommended)
  When you enable Zero Phishing with the automatic settings, a new interface is created in the Security Gateway infrastructure in Gaia (the Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems), called tp_dummy or tp_dummy_X (for VSX: Virtual System Extension, the Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices; these Virtual Devices provide the same functionality as their physical counterparts). This is a dummy interface which is intentionally isolated from external access. This interface has a constant IP address and allows Zero Phishing clients to communicate with the Security Gateway. When automatic settings are used, the client communicates with the Security Gateway using the FQDN zero-phishing.iaas.checkpoint.com. Automatic configuration additionally resolves the challenge of private network accessibility that arises during the inspection of HTTP pages for customers who manually added an FQDN which resolves to an IP address within the private address space.
- Gateway FQDN (Fully Qualified Domain Name)
  If you select this option, make sure that the FQDN is registered in the DNS records of your DNS server.
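A pre-change check for the manual Gateway FQDN option, as an added example that is not Check Point code: it confirms that a candidate FQDN resolves at all and flags the case described above where it resolves into private address space. The hostnames and DNS answers are constructed samples, and "private address space" is assumed here to mean RFC 1918 and IPv6 ULA ranges.

```python
import ipaddress
import socket

# Assumption: "private address space" means RFC 1918 (IPv4) and ULA (IPv6).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def system_resolver(fqdn):
    """Resolve fqdn with the local resolver; return a set of address strings."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_gateway_fqdn(fqdn, resolver=system_resolver):
    """Classify the addresses a candidate Gateway FQDN resolves to."""
    private, other = [], []
    for text in sorted(resolver(fqdn)):
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        if any(ip in net for net in PRIVATE_NETS):
            private.append(text)
        else:
            other.append(text)
    if not private and not other:
        status = "unresolved"   # FQDN is not registered in DNS
    elif private:
        status = "private"      # at least one answer is in private space
    else:
        status = "ok"
    return {"fqdn": fqdn, "status": status, "private": private, "other": other}

# Constructed sample DNS answers (hypothetical hostnames, documentation ranges).
SAMPLE_DNS = {
    "zph-gw.example.com": {"203.0.113.10"},
    "zph-internal.example.com": {"10.1.2.3", "fd00::25"},
}

def sample_resolver(fqdn):
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(fqdn, set())

if __name__ == "__main__":
    for name in ("zph-gw.example.com", "zph-internal.example.com",
                 "zph-missing.example.com"):
        print(check_gateway_fqdn(name, sample_resolver))
```

Call `check_gateway_fqdn("your.fqdn")` without the second argument to query the DNS server the clients actually use.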
Accessibility
Select the interfaces through which users can access the Zero Phishing portal. The default setting is All Interfaces.
Starting from R82 Jumbo Hotfix Accumulator Take 103 with R82 SmartConsole Releases Take 1065, the default setting is Internal interfaces -.