Adding ThreatPrevetion exceptions by setting actio...

Tiger_QAs · ‎2021-02-02

Hello All,

I have a question regarding addition of exceptions to a Threat Prevention policy on perimeter gateways.

BackGround:
Few servers are running DNS queries to external honeypot site and not all of them are getting prevented by Anti-Bot, Few logs show "Detect" too.

I would like to write an exception on TP policy and set the action to "Prevent", I want to try it to eliminate the possibility of any false negatives. (Refer to the attached image for the exception rule that I wanted to try)

My question is : Is it normal to write TP exceptions and set action to prevent ?

Cyber_Serge · ‎2021-02-02

I think for the DNS Query, if you configure DNS Trap, it will show "Detect" instead of "Prevent". So seeing "detect" for those might be normal, depend on your setting.

Tiger_QAs · ‎2021-02-16

Thanks a lot for the response @Cyber_Serge

Timothy_Hall · ‎2021-02-17

Yes, support for TP exceptions with an action of Prevent (instead of the usual Detect or Inactive) was added in R80.10.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Are you a member of CheckMates?

Adding ThreatPrevetion exceptions by setting action to PREVENT to eliminate possibility of FalseNegs