Creating Threat Prevention Policies

To access this page, select Configure > Threat Prevention > Policy.

You can create threat prevention policies from the policy page.

Note

If you are creating policies for the first time, you are given the option of setting up Policy Enforcer with Sky ATP or configuring Sky ATP alone. Clicking either button takes you to quick setup for your selection. See Comparing the SDSN and non-SDSN Configuration Steps for a configuration comparison.

  • Determine the type of profile you will use for this policy: command and control server, infected hosts, malware, or DDoS. You can select one or more threat profiles in a policy. Note that you configure Geo IP policies separately. See Creating Geo IP Policies.

  • Determine what action to take if a threat is found.

  • Know what policy enforcement group you will add to this policy. To apply the policy, you must assign one or more policy enforcement groups. See the instructions for assigning groups to policies at the bottom of this page.

  • Once a policy is configured with one or more groups assigned, you can save it in draft form or update it. Policy changes do not go live until they have been updated.

  • If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take effect. See the instructions at the bottom of this page.

  • If you delete a threat prevention policy that is assigned to a policy enforcement group, a status screen appears displaying the progress of the deletion and the affected configuration items.

To create a threat prevention policy:

  1. Select Configure > Threat Prevention > Policy.
  2. Click the + icon.

    The Create Threat Prevention Policy page appears.

  3. Complete the configuration by using the guidelines in Table 1, Table 2, Table 3, Table 4, and Table 5 below.
  4. Click OK.

Table 1: Fields on the Threat Prevention Policy Page

  • Name: Enter a unique string that begins with an alphanumeric character and can include underscores; no spaces are allowed; 63-character maximum.

  • Description: Enter a description; maximum length is 1024 characters. Make the description as useful as possible for all administrators.

  • Log Setting (policy setting for all profiles): Select the log setting for the policy. You can log all traffic, log only blocked traffic, or log no traffic.

Table 2 describes the management of command and control server threats in a policy.

Table 2: C&C Server Profile Management

  • Command and Control Server: Select and choose settings for command and control servers. A C&C server is a centralized computer that issues commands to botnets (networks of compromised computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.

  • Include C&C profile in policy: Select the check box to include management for this threat type in the policy.

  • Threat Score: Use the slider to change the action taken based on the threat score. Threat scores are assigned using several criteria. To investigate a score, use the monitoring pages in the UI under Monitor > Threat Management.

  • Actions: If the threat score is high enough to cause a connection to be blocked, you have the following configurable options:

    • Drop connection silently (the default and recommended setting)

    • Close connection and do not send a message

    • Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped.

    • Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.

Table 3 describes the management of infected host threats in a policy.

Table 3: Infected Host Profile Management

  • Infected Host: Infected hosts are systems for which there is high confidence that attackers have gained unauthorized access. Infected host data feeds list the IP address or IP subnet of each host, along with a threat score.

  • Include infected host profile in policy: Select the check box to include management for this threat type in the policy.

    Note: To enforce an infected host policy within the network, the site must include a switch.

  • Actions: You have the following options:

    • Drop connection silently (the default and recommended setting)

    • Quarantine—In the field provided, enter the VLAN to which quarantined hosts are moved. (If the host cannot be quarantined, the fallback is to block it and drop the connection silently.)

Table 4 describes the management of malware threats in a policy.

Table 4: Malware Threat Profile Management

  • Malware (HTTP file downloads, SMTP file attachments, and IMAP attachments): Malware consists of files that are downloaded by hosts or received as email attachments and found to be suspicious based on known signatures, URLs, or other heuristics.

  • Include malware profile in policy: Select the check box to include management for this threat type in the policy.

  • HTTP file download: Turn this feature on to scan files downloaded over HTTP, then select a file scanning device profile. The device profile is configured in Sky ATP.

  • Scan HTTPS: Turn this feature on to scan encrypted files downloaded over HTTPS.

  • Device Profile: Select a Sky ATP device profile. Profiles are configured in Sky ATP and define which files to send to the cloud for inspection. You can group the types of files to be scanned together under a common name and create multiple profiles based on the content you want scanned.

  • Actions: If the threat score is high enough to cause a connection to be blocked, you have the following configurable options:

    • Drop connection silently (the default and recommended setting)

    • Close connection and do not send a message

    • Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped.

    • Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.

  • SMTP File Attachments: Turn this feature on to inspect files received as email attachments (over SMTP only).

  • Scan SMTPS: Enable this option to configure the reverse proxy for SMTPS. The reverse proxy does not substitute its own certificate for the server's; it forwards the actual server certificate or chain to the client as is, without modifying it.

  • Device Profile: If you do not click Change to select a device profile for SMTP scanning, the device profile selected for HTTP is used by default. Click Change to use a different device profile for SMTP. Device profiles are configured in Sky ATP and define which files to send to the cloud for inspection.

  • Threat Score: Use the slider to change the action taken based on the threat score. Threat scores are assigned using several criteria. This single threat score applies to all malware scanning: HTTP, SMTP, and IMAP. (Note: There is no monitoring setting for malware.)

  • Actions: Actions for SMTP file attachments are Quarantine, Deliver malicious messages with warning headers added, and Permit. These actions are set in Sky ATP; refer to the Sky ATP documentation for details.

  • IMAP Attachments: Turn this feature on to select a file scanning device profile and the threat score ranges to apply to IMAP e-mail.

  • Scan IMAPS: Enable this option to configure the reverse proxy for IMAPS (IMAP over TLS).

  • Device Profile: If you do not click Change to select a device profile for IMAP scanning, the device profile selected for HTTP is used by default. Click Change to use a different device profile for IMAP. Device profiles are configured in Sky ATP and define which files to send to the cloud for inspection.

  • Actions: Actions for IMAP attachments are Block, Deliver malicious messages with warning headers added, and Permit. These actions are set in Sky ATP; refer to the Sky ATP documentation for details.

  • Threat Score: The same slider applies here; the single malware threat score covers HTTP, SMTP, and IMAP. (Note: There is no monitoring setting for malware.)

Table 5 describes the management of DDoS threats in a policy.

Table 5: DDoS Threat Profile Management

  • Include DDoS Profile in Policy: Enable this option to include distributed denial-of-service (DDoS) protection, which enables the MX router to quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources.

    When you create a threat prevention policy with a DDoS profile, it is not pushed to any device until the policy is assigned to a policy enforcement group (PEG). Because the policy is created for the MX router, rule analysis is not initiated when the policy is assigned to the PEG.

  • Actions: Select one of the following actions for the DDoS profile:

    • Block—Block the DDoS attack traffic.

    • Rate Limit Value—Limit the bandwidth on the flow route. You can express the rate limit value in Kbps, Mbps, or Gbps. The permitted range is 10 Kbps to 100 Gbps.

    • Forward to—Configure the routing next hop to which packets are forwarded for scrubbing.

  • Scrubbing Site: Specify the routing instance to which packets are forwarded, in as-number:community-value format, where each value is a decimal number; for example, 65001:100.
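The field constraints in Table 1 and the rate limit and scrubbing site formats in Table 5 are worth checking in a script before values are typed into the page, especially when policies are prepared in bulk. The validator below is an added example written for this page; it is not Policy Enforcer or Sky ATP code and does not use their API. It encodes only the limits the page states, and every place it goes beyond them (the name's permitted character set, decimal unit multipliers, inclusive bounds, 16-bit halves for the community value) is marked as an assumption in the comments. The two sample policies are constructed for the example.

```python
import re

# Name: begins with an alphanumeric character, may include underscores, no spaces,
# 63 characters maximum. Assumption: nothing beyond alphanumerics and underscores
# is permitted (the page lists no other characters).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_]{0,62}$")
DESCRIPTION_MAX = 1024
LOG_SETTINGS = {"all", "blocked", "none"}   # log all / only blocked / no traffic

# DDoS rate limit: 10 Kbps to 100 Gbps in Kbps, Mbps or Gbps.
# Assumption: decimal multipliers (1 Kbps = 1000 bps) and inclusive bounds.
UNIT_BPS = {"kbps": 10**3, "mbps": 10**6, "gbps": 10**9}
RATE_MIN_BPS = 10 * UNIT_BPS["kbps"]
RATE_MAX_BPS = 100 * UNIT_BPS["gbps"]
RATE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([kmg]bps)\s*$", re.IGNORECASE)

# Scrubbing site: as-number:community-value, both decimal (page example 65001:100).
# Assumption: each half fits in 16 bits, as in a standard BGP community.
COMMUNITY_RE = re.compile(r"^(\d+):(\d+)$")
COMMUNITY_MAX = 65535
DDOS_ACTIONS = {"block", "rate-limit", "forward"}


def parse_rate_limit(text):
    """Return the rate limit in bits per second, or raise ValueError."""
    m = RATE_RE.match(text)
    if not m:
        raise ValueError(f"rate limit {text!r} must look like '500Mbps'")
    bps = int(float(m.group(1)) * UNIT_BPS[m.group(2).lower()])
    if not RATE_MIN_BPS <= bps <= RATE_MAX_BPS:
        raise ValueError(f"rate limit {text!r} is outside 10Kbps..100Gbps")
    return bps


def parse_scrubbing_site(text):
    """Return (as_number, community_value) from 'asn:value', or raise ValueError."""
    m = COMMUNITY_RE.match(text.strip())
    if not m:
        raise ValueError(f"scrubbing site {text!r} must be as-number:community-value")
    asn, value = int(m.group(1)), int(m.group(2))
    if asn > COMMUNITY_MAX or value > COMMUNITY_MAX:
        raise ValueError(f"scrubbing site {text!r}: values must be 0..{COMMUNITY_MAX}")
    return asn, value


def validate_policy(policy):
    """Return a list of problems with a policy dict; an empty list means it passes."""
    problems = []
    if not NAME_RE.match(policy.get("name", "")):
        problems.append("name: must start alphanumeric, use only [A-Za-z0-9_], max 63 chars")
    if len(policy.get("description", "")) > DESCRIPTION_MAX:
        problems.append(f"description: longer than {DESCRIPTION_MAX} characters")
    if policy.get("log_setting") not in LOG_SETTINGS:
        problems.append(f"log_setting: must be one of {sorted(LOG_SETTINGS)}")

    ddos = policy.get("ddos")
    if ddos:
        action = ddos.get("action")
        if action not in DDOS_ACTIONS:
            problems.append(f"ddos.action: must be one of {sorted(DDOS_ACTIONS)}")
        if action == "rate-limit":
            try:
                parse_rate_limit(ddos.get("rate_limit", ""))
            except ValueError as e:
                problems.append(f"ddos.rate_limit: {e}")
        if action == "forward":
            try:
                parse_scrubbing_site(ddos.get("scrubbing_site", ""))
            except ValueError as e:
                problems.append(f"ddos.scrubbing_site: {e}")
    return problems


# Constructed sample policies (not taken from the page) to exercise the checks.
GOOD_POLICY = {
    "name": "tp_ddos_scrub_01",
    "description": "Forward volumetric floods to the scrubbing routing instance",
    "log_setting": "blocked",
    "ddos": {"action": "forward", "scrubbing_site": "65001:100"},
}
BAD_POLICY = {
    "name": "_ddos policy",          # leading underscore and a space
    "description": "x" * 1025,       # one character over the limit
    "log_setting": "verbose",        # not one of the three page settings
    "ddos": {"action": "rate-limit", "rate_limit": "5Kbps"},  # below the 10 Kbps floor
}

if __name__ == "__main__":
    print("good policy:", validate_policy(GOOD_POLICY) or "ok")
    print("bad policy:", *validate_policy(BAD_POLICY), sep="\n  ")
```

Running the block prints nothing for the good policy and four findings for the bad one (name, description length, log setting, and the rate limit below the floor). A value that passes here can still be rejected by the page, which is the authority; the script only catches the obvious mistakes before they are entered.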

Once you have a threat prevention policy, you assign one or more groups to it:

  1. In the threat prevention policy main page (located under Configure > Threat Prevention > Policy), find the appropriate policy.
  2. In the Groups column, click the Assign to Groups link that appears when no policy enforcement groups are assigned, or click the group name shown in this column to edit the existing list of assigned groups. You can also select the check box beside a policy and click the Assign to Groups button at the top of the page. See Policy Enforcement Groups Overview.
  3. In the Assign to Groups page, select the check box beside a group in the Available list and click the > icon to move it to the Selected list. The groups in the Selected list will be assigned to the policy.
  4. Click OK.
  5. Once one or more policy enforcement groups have been assigned, a Ready to Update link appears in the Status column. You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you to the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.
  6. If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take effect. Navigate to Configure > Firewall Policy > Policies. In the Advanced Security column, click an item to open the Edit Advanced Security page and select the threat prevention policy from the Threat Prevention list.