Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Samphas1
Participant

Security Logs

Hi CP,

 

I'm concerning with the logs between Attack Allowed by Policy and Prevented Attacked. Could you please explain me how are different ?

Log_Policy.PNG

0 Kudos
27 Replies
Chris_Atkinson
Employee Employee
Employee

The above will typically correspond with events who's action is Detect vs Prevent.

Often this is a configuration/policy decision on the part of the administrator for blades or protections.

CCSM R77/R80/ELITE
Samphas1
Participant

Hi @Chris_Atkinson If the action is Detect it mean we allow the connection came into the environment ?  And there is any impact or high risk with this action ?

0 Kudos
PhoneBoy
Admin
Admin

The Detect action means: it was allowed into the environment due to the specific Threat Prevention profile configuration.
The precise risk depends on what it was that was detected.
A Prevent or Block means it was prevented.

the_rock
Legend
Legend

I agree with Chris. If you look at the top and what it says there, it indicates "attacks allowed by policy", so definitely referring to detect vs prevent.

Samphas1
Participant

Hi @the_rock ,

If the "Attacks allowed by policy " what will impact to the environment ?

Chris_Atkinson
Employee Employee
Employee

As @PhoneBoy indicated it depends on the specific configuration and the event that was detected.

For example the "Strict" TP profile versus "Optimized" each have different criteria based on confidence/impact/severity  and enabled blades.

The objective here is to achieve a balance between security/performance/false positives relative to your environment and what assets you are protecting.

TP Criteria.PNG

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant

If the change all policy to prevent type what it will impact or not ? And what is the best practice and recommendation ?

Chris_Atkinson
Employee Employee
Employee

Generalization: Prevent catch-rate will increase at the expense of performance (particularly if you adjust the active protection parameters or enable additional blades).

Optimized profile is typically a good place to start then you can clone and tune it further per your own requirements.

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant

Could you please explain me more how are different between the Optimized and Strict Action ?

0 Kudos
Chris_Atkinson
Employee Employee
Employee

More protections will be active in the "Strict" profile.

 

Optimized.pngStrict.png

 

 

 

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant

The screenshot below action is Detect mean that Anti-Virus software blade not protection and allow the connection. Am I right ?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Reason is that you enabled background classification mode, see sk74120. But this SK is not found...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Samphas1
Participant

If the Anti-Bot action in Detect mode it mean host that infected will be have the community  between host in internal environment and C&C server. And what it will be high risk ? Please advice me if am I wrong 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

It is that you enabled background classification mode !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Samphas1
Participant

Please refer to my question there will be high risk if the connection was allow from internal environment to C&C server ?

0 Kudos
Samphas1
Participant

Capture.PNG

* Update picture for last previous question.

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Detect in this context means it was obsevered and not prevented based on the profile settings.

Please expand one of the line/log entries and we can help explain it better for you.

(Mask / redact sensitive parts as required).

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant

Hi @Chris_Atkinson ,

Could you please check the detail log below picture and  help explain .

Anti-Bot-1.png

0 Kudos
Chris_Atkinson
Employee Employee
Employee

detail.png

 

Which version Gateway/Management generated this log?

Also for awareness on a semi-related note, per the release notes for R81 (and above) we modified the Anti-bot Malware DNS trap behavior:

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant

Hi @Chris_Atkinson  We are using version R81.10 for both Gateway and Management. Base on the my previous picture you mean Security Gateway is prevented user from reaching malicious sites? 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

It's a slightly different use case than the log you've provided and not relevant here based on version (sorry for the confusion).

In your case the reason for this specific case is displayed as shown in the log card (highlighted in yellow).

Others may have the same cause or again be based on the profile configuration parameters. 

See also: sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, ...

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant

Hi @Chris_Atkinson,

What are the best practice and recommendation for Classification mode?

Classification Mode.PNG

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Simply - "Hold" is more secure and "Background" favors better end user experience.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend Legend
Legend

If the protection is on Detect already, Prevent will not cost more performance. I tend to use inactive for low confidence instead of detect...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

From a "work" standpoint, Prevent and Detect require the same amount of work. 
Detect ultimately still allows the traffic, which means it still continues to process the traffic.
That means Detect could actually end up requiring more work in the end...

0 Kudos
Timothy_Hall
Legend Legend
Legend

Yep Detect causes more overhead than Prevent, and in some cases much more.  Here is an excerpt from my new R81.20 Gateway Performance Optimization 2-day course discussing this topic:

 

preventdetect.png

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

You definitely got all the logical answers, so I would stick with optimized profile as Chris said, cant go wrong.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events