Threat Prevention Policy

The Threat Prevention Policy configures the Anti-Virus, Anti-Bot, and Threat Emulation settings for a set of activated protections, together with instructions for how to handle inspected traffic that matches those protections. Protections help manage the threats against the network.

Set protection activation:

  • Confidence level - How confident the Software Blade is that recognized attacks are actually bot traffic or malicious files. Some attack types are more subtle than others and legitimate traffic is sometimes mistakenly recognized as a threat. The higher the Confidence level of a protection, the more confident Check Point is that recognized attacks are indeed attacks. Lower Confidence levels indicate that some legitimate traffic may be identified as an attack.

  • Protection action - The action that the gateway enforces on matching traffic. Notifications for these actions are set based on the defined tracking option (none, logged, or logged with an alert).

    • Prevent - Blocks identified bot traffic.

    • Detect - Allows identified bot traffic to pass through the gateway, but detects and logs it.

    • Ask - Traffic is blocked until the user confirms that it is allowed. To configure the user message, see the Threat Prevention > Engine Settings page.

    • Inactive - The protection is deactivated.

  • Performance impact - Indicates the level of impact that a protection has on gateway performance.

You can override the Threat Prevention Policy settings in a plan for a specified gateway. You must first unlock the Threat Prevention Policy from the plan.

Anti-Virus and Anti-Bot are supported on R77.20 and higher gateways. Threat Emulation is supported only for 700/1400/1200R appliances with version R77.20.51 and higher.

To configure the Threat Prevention Policy settings of a plan:

  1. Go to Home > Plans.

  2. Click the plan name.

    The Edit page opens.

  3. Click Security Software Blades > Threat Prevention.

  4. Select Manage in SMP.

  5. Select On.

  6. Set Threat Prevention Policy protection settings for the Threat Prevention Anti-Virus, Anti-Bot, and Threat Emulation Software Blades.

    • High, Medium, and Low confidence

    • Performance impact

    • Tracking options

  7. Click Save.

To override the Threat Prevention Policy settings set by a plan:

  1. Go to Home > Gateways.

  2. Click the gateway name.

    The Edit page opens.

  3. Click Security Software Blades > Threat Prevention.

  4. If the Threat Prevention Policy settings are locked, click Unlock from plan.

  5. To stop remote management of the blade, clear Manage in SMP.

  6. Make the necessary changes.

  7. Click Save.

To connect to the appliance:

  1. Go to Home > Gateways.

  2. Click the gateway name.

    The Edit page opens.

  3. Click Security Software Blades > Threat Prevention.

  4. Click Access Gateway: Threat Prevention.

    A browser page opens and shows the progress of the SMP connection to the gateway. The appliance opens on the Threat Prevention Policy page. You can now update the local appliance.

    Note - If a local administrator is already logged in to the appliance, click OK to override that connection. Click Cancel to cancel your login attempt.