Creating Threat Prevention Policies

To access this page, select Configure>Threat Prevention > Policy.

You can create threat prevention policies from the policy page.

Note: If you are creating policies for the first time, you are given the option of setting up Policy Enforcer with Sky ATP or configuring Sky ATP alone. Clicking either button takes you to quick setup for your selection. See Comparing the SDSN and non-SDSN Configuration Steps for a configuration comparison.

Before You Begin

Determine the type of profile you will use for this policy; command & control server, infected hosts, malware. You can select one or more threat profiles in a policy. Note that you configure Geo IP policies separately. See Creating Geo IP Policies.
Determine what action to take if a threat is found.
Know what policy enforcement group you will add to this policy. To apply the policy, you must assign one or more policy enforcement groups. See the instructions for assigning groups to policies at the bottom of this page.
Once policies are configured with one more groups assigned, you can save a policy in draft form or update it. Policies changes do not go live until they have been updated.
If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take affect. See the instructions at the bottom of this page.
If you delete a threat prevention policy that is assigned to a policy enforcement group, a status screen appears displaying the progress of the deletion and the affected configuration items.

Procedure

To create a threat prevention policy:

Select Configure>Threat Prevention > Policy.
Click the + icon.
The Create Threat Prevention Policy page appears.
Complete the configuration by using the guidelines in theTable 224, Table 225, Table 226, Table 227, and Table 228 below.
Click OK.

Table 324: Fields on the Threat Prevention Policy Page

Field	Description
Name	Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.
Description	Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.
Log Setting (Policy setting for all profiles)	Select the log setting for the policy. You can log all traffic, log only blocked traffic, or log no traffic.

Table 225 shows the management of command and control server threat in a policy.

Table 325: C&C Server Profile Management

Field	Description
Command and Control Server	Select and choose settings for command and control servers. A C&C is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.
Include C& C profile in policy	Select the check box to include management for this threat type in the policy.
Threat Score	Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. Refer to the monitoring pages in the UI to investigate, located under Monitor > Threat Management.
Actions	If the threat score is high enough to cause a connection to be blocked, you have following configurable options: Drop connection silently (This is the default and recommended setting.) Close connection and do not send a message Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped. Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.

Table 226 shows the management of infected host threat in a policy.

Table 326: Infected Host Profile Management

Field	Description
Infected Host	Infected hosts are systems for which there is a high confidence that attackers have gained unauthorized access. Infected hosts data feeds are listed with the IP address or IP subnet of the host, along with a threat score.
Include infected host profile in policy	Select the check box to include management for this threat type in the policy. Note: If you want to enforce an infected host policy within the network, you must include a switch in the site.
Actions	You have following options: Drop connection silently (This is the default and recommended setting.) Quarantine—In the field provided, enter a VLAN to which quarantined files are sent. (Note that the fallback option is to block and drop the connection silently.)

Field

Description

Infected Host

Infected hosts are systems for which there is a high confidence that attackers have gained unauthorized access. Infected hosts data feeds are listed with the IP address or IP subnet of the host, along with a threat score.

Include infected host profile in policy

Select the check box to include management for this threat type in the policy.

Note: If you want to enforce an infected host policy within the network, you must include a switch in the site.

Actions

You have following options:

Drop connection silently (This is the default and recommended setting.)
Quarantine—In the field provided, enter a VLAN to which quarantined files are sent. (Note that the fallback option is to block and drop the connection silently.)

Table 227 shows the management of malware threat in a policy.

Table 327: Malware Threat Profile Management

Field	Description
Malware (HTTP file download, SMTP File attachment, and IMAP attachments)	Malware is files that are downloaded by hosts or received as email attachments and found to be suspicious based on known signatures, URLs. or other heuristics.
Include malware profile in policy	Select the check box to include management for this threat type in the policy.
HTTP file download	Turn this feature on to scan files downloaded over HTTP and then select a file scanning device profile. The device profile is configured using Sky ATP.
Scan HTTPS	Turn this feature to scan encrypted files downloaded over HTTPS.
Device Profile	Select a Sky ATP device profile. This is configured through Sky ATP. Sky ATP profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together under a common name and create multiple profiles based on the content you want scanned.Device Profiles Overview.
Actions	If the threat score is high enough to cause a connection to be blocked, you have following configurable options: Drop connection silently (This is the default and recommended setting.) Close connection and do not send a message Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped. Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.
SMTP File Attachments	Turn this feature on to inspect files received as email attachments (over SMTP only).
Scan SMTPS	Enable this option to configure reverse proxy for SMTP. The reverse proxy does not prohibit server certificates. It forwards the actual server certificate or chain as is to the client without modifying it.
Device Profile	If you do not click the Change button to select a device profile for SMTP scanning, the device profile selected for HTTP will be used by default. Select Change to use a different device profile for SMTP. Device profiles are configured through Sky ATP and define which files to send to the cloud for inspection.
Threat Score	Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. This threat score applies to all malware, HTTP and SMTP. (Note: There is no monitoring setting for malware.)
Actions	Actions for SMTP File Attachments include: Quarantine, Deliver malicious messages with warning headers added, and Permit. This actions are set in Sky ATP. Refer to the Sky ATP documentation for information.
IMAP Attachments	Turn this feature on to select a a file scanning device profile and threat score ranges to apply to IMAP e-mails.
Scan IMAPS	Enable this option to configure reverse proxy for IMAP e-mails.
Device Profile	If you do not click the Change button to select a device profile for IMAP scanning, the device profile selected for HTTP will be used by default. Select Change to use a different device profile for IMAP. Device profiles are configured through Sky ATP and define which files to send to the cloud for inspection.
Actions	Actions for IMAP Attachments include: Block, Deliver malicious messages with warning headers added, and Permit. This actions are set in Sky ATP. Refer to the Sky ATP documentation for information.
Threat Score	Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. This threat score applies to all malware, HTTP, SMTP, and IMAP. (Note: There is no monitoring setting for malware.)

Table 228 shows the management of DDoS threat in a policy

Table 328: DDoS Threat Profile Management

Field	Description
Include DDoS Profile in Policy	Enable this option to include the management of Distributed denial-of-service (DDoS) protection that enables the MX router to quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources. When you create a threat policy for the DDoS profile, it is not pushed to the device because the policy is not yet assigned to any device. Assign the policy to the policy enforcement group. Because the policy is created for the MX router, rule analysis is not initiated when a policy is assigned to the policy enforcement group (PEG).
Actions	Select the following actions from the list for the DDoS profile: Block—Use this option to block the DDoS attack. Rate Limit Value—Use this option to limit the bandwidth on the flow route. You can express the rate limit value in Kbps, Mbps, or Gbps units. The rate limit range is 10Kbps to 100Gbps. Forward to—Use this option to configure the routing next hop to forward the packets for scrubbing.
Scrubbing Site	Specify a routing instance to which packets are forwarded in the as-number:community-value format, where each value is a decimal number. For example, 65001:100.

Field

Description

Include DDoS Profile in Policy

Enable this option to include the management of Distributed denial-of-service (DDoS) protection that enables the MX router to quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources.

When you create a threat policy for the DDoS profile, it is not pushed to the device because the policy is not yet assigned to any device. Assign the policy to the policy enforcement group. Because the policy is created for the MX router, rule analysis is not initiated when a policy is assigned to the policy enforcement group (PEG).

Actions

Select the following actions from the list for the DDoS profile:

Block—Use this option to block the DDoS attack.
Rate Limit Value—Use this option to limit the bandwidth on the flow route. You can express the rate limit value in Kbps, Mbps, or Gbps units. The rate limit range is 10Kbps to 100Gbps.
Forward to—Use this option to configure the routing next hop to forward the packets for scrubbing.

Scrubbing Site

Specify a routing instance to which packets are forwarded in the as-number:community-value format, where each value is a decimal number. For example, 65001:100.

Procedure

Once you have a threat prevention policy, you assign one or more groups to it:

In the threat prevention policy main page (located under Configure>Threat Prevention > Policy), find the appropriate policy.
In the Groups column, click the Assign to Groups link that appears here when there are no policy enforcement groups assigned or click the group name that appears in this column to edit the existing list of assigned groups. You can also select the check box beside a policy and click the Assign to Groups button at the top of the page. See Policy Enforcement Groups Overview .
In the Assign to Groups page, select the check box beside a group in the Available list and click the > icon to move it to the Selected list. The groups in the Selected list will be assigned to the policy.
Click OK.
Once one or more policy enforcement groups have been assigned, a Ready to Update link appears in the Status column. You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.
If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take affect. Navigate to Configure > Firewall Policy > Policies. In the Advanced Security column, click an item to access the Edit Advanced Security page and select the threat prevention policy from the Threat Prevention pulldown list.

Creating Threat Prevention Policies

Before You Begin

Procedure

Procedure

Related Documentation

Help us to improve. Rate this article.