Hi CP,
I'm concerned about the logs for "Attacks Allowed by Policy" versus "Prevented Attacks". Could you please explain to me how they are different?
The above will typically correspond with events whose action is Detect vs Prevent.
Often this is a configuration/policy decision on the part of the administrator for blades or protections.
Hi @Chris_Atkinson. If the action is Detect, does it mean we allowed the connection into the environment? And is there any impact or high risk with this action?
The Detect action means: it was allowed into the environment due to the specific Threat Prevention profile configuration.
The precise risk depends on what it was that was detected.
A Prevent or Block means it was prevented.
I agree with Chris. If you look at the top and what it says there, it indicates "attacks allowed by policy", so definitely referring to detect vs prevent.
Hi @the_rock,
If attacks are "Allowed by policy", what will the impact on the environment be?
As @PhoneBoy indicated it depends on the specific configuration and the event that was detected.
For example the "Strict" TP profile versus "Optimized" each have different criteria based on confidence/impact/severity and enabled blades.
The objective here is to achieve a balance between security/performance/false positives relative to your environment and what assets you are protecting.
If we change the whole policy to Prevent, will it have an impact or not? And what is the best practice and recommendation?
Generalization: Prevent catch-rate will increase at the expense of performance (particularly if you adjust the active protection parameters or enable additional blades).
Optimized profile is typically a good place to start then you can clone and tune it further per your own requirements.
Could you please explain to me in more detail how the Optimized and Strict profiles differ?
More protections will be active in the "Strict" profile.
In the screenshot below the action is Detect. Does that mean the Anti-Virus Software Blade did not protect and allowed the connection? Am I right?
The reason is that you enabled background classification mode, see sk74120. But this SK is not found...
If the Anti-Bot action is in Detect mode, does it mean an infected host will have communication between the internal host and the C&C server? And will that be high risk? Please advise me if I am wrong.
It is because you enabled background classification mode!
Please refer to my question: will there be high risk if the connection was allowed from the internal environment to the C&C server?
* Updated picture for the previous question.
Detect in this context means it was observed and not prevented based on the profile settings.
Please expand one of the line/log entries and we can help explain it better for you.
(Mask / redact sensitive parts as required).
Which version Gateway/Management generated this log?
Also for awareness on a semi-related note, per the release notes for R81 (and above) we modified the Anti-bot Malware DNS trap behavior:
Log description change for DNS sinkhole trap - log is changed to Prevent instead of Detect , the Security Gateway prevents users from reaching malicious sites.
Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Software-Changes.htm
Hi @Chris_Atkinson. We are using version R81.10 for both Gateway and Management. Based on my previous picture, do you mean the Security Gateway prevented users from reaching malicious sites?
It's a slightly different use case than the log you've provided and not relevant here based on version (sorry for the confusion).
In your case the reason for this specific case is displayed as shown in the log card (highlighted in yellow).
Others may have the same cause or again be based on the profile configuration parameters.
Simply - "Hold" is more secure and "Background" favors better end user experience.
If the protection is on Detect already, Prevent will not cost more performance. I tend to use inactive for low confidence instead of detect...
From a "work" standpoint, Prevent and Detect require the same amount of work.
Detect ultimately still allows the traffic, which means it still continues to process the traffic.
That means Detect could actually end up requiring more work in the end...
Yep Detect causes more overhead than Prevent, and in some cases much more. Here is an excerpt from my new R81.20 Gateway Performance Optimization 2-day course discussing this topic:
You definitely got all the logical answers, so I would stick with the Optimized profile as Chris said, can't go wrong.
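To make the Detect-vs-Prevent point from this thread concrete, here is an added worked example (not code from the thread or from Check Point): it parses a few constructed key=value log lines, pulls out the "Attacks Allowed by Policy" set (action=Detect), and projects each of those events onto a simplified model of the Optimized and Strict profiles to show which ones a stricter profile would have prevented. The field names (action, blade, protection_name, confidence_level, severity) and the per-profile confidence/severity thresholds are assumptions chosen for illustration; the real profile defaults also weigh performance impact and must be read from your own Threat Prevention profile in SmartConsole.

```python
"""Triage Threat Prevention 'Detect' events and estimate what a stricter profile would do.

Added example; the log format and profile thresholds below are assumptions, not
Check Point's actual defaults.
"""
from collections import Counter

CONF_RANK = {"Low": 0, "Medium": 1, "High": 2}
SEV_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Assumed, simplified activation rules per profile:
#   severity below min_severity          -> Inactive
#   confidence >= prevent_confidence     -> Prevent
#   confidence >= detect_confidence      -> Detect (observed, traffic allowed)
#   otherwise                            -> Inactive
PROFILES = {
    "Optimized": {"min_severity": "Medium", "detect_confidence": "Low", "prevent_confidence": "Medium"},
    "Strict": {"min_severity": "Low", "detect_confidence": "Low", "prevent_confidence": "Low"},
}

# Constructed sample log lines in a key=value layout resembling a log export.
# Addresses are documentation ranges; protection names are made up.
SAMPLE_LOGS = """\
action=Detect blade=Anti-Bot protection_name=Generic.Bot.CnC confidence_level=High severity=High src=10.0.1.5 dst=203.0.113.7
action=Detect blade=IPS protection_name=Suspicious.HTTP.Header confidence_level=Low severity=Medium src=198.51.100.9 dst=10.0.2.20
action=Prevent blade=IPS protection_name=Web.Shell.Upload confidence_level=High severity=Critical src=198.51.100.44 dst=10.0.2.21
action=Detect blade=Anti-Virus protection_name=Generic.Downloader confidence_level=Medium severity=Medium src=10.0.1.9 dst=203.0.113.8
action=Detect blade=IPS protection_name=Info.Disclosure.Probe confidence_level=Medium severity=Low src=198.51.100.10 dst=10.0.2.22
action=Accept blade=Firewall src=10.0.1.5 dst=10.0.3.1
"""


def parse_log_line(line):
    """Split one 'key=value key=value' line into a dict; tokens without '=' are ignored."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def parse_logs(text):
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def allowed_by_policy(events):
    """'Attacks Allowed by Policy': Detect means the event was observed and the
    traffic was still allowed through (e.g. an Anti-Bot Detect is a C&C
    connection that was logged, not blocked)."""
    return [e for e in events if e.get("action") == "Detect"]


def profile_action(event, profile_name):
    """Action the assumed profile model would take for this event's
    confidence/severity; 'Unknown' when the event lacks those fields."""
    profile = PROFILES[profile_name]
    conf = CONF_RANK.get(event.get("confidence_level"), -1)
    sev = SEV_RANK.get(event.get("severity"), -1)
    if conf < 0 or sev < 0:
        return "Unknown"
    if sev < SEV_RANK[profile["min_severity"]]:
        return "Inactive"
    if conf >= CONF_RANK[profile["prevent_confidence"]]:
        return "Prevent"
    if conf >= CONF_RANK[profile["detect_confidence"]]:
        return "Detect"
    return "Inactive"


def what_if(events, profile_name):
    """Project every Detect event onto the named profile and count
    (blade, projected action) pairs: the 'Prevent' rows are the attacks
    currently allowed that the profile would have blocked."""
    transitions = Counter()
    for event in allowed_by_policy(events):
        transitions[(event.get("blade", "?"), profile_action(event, profile_name))] += 1
    return transitions


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(f"{len(allowed_by_policy(events))} of {len(events)} events were Detect (allowed by policy)")
    for name in PROFILES:
        print(f"\nProjected under {name}:")
        for (blade, action), count in sorted(what_if(events, name).items()):
            print(f"  {blade:<11} -> {action:<8} x{count}")
```

A Detect event whose projected action under the profile you believe is installed is already Prevent points at a protection whose action was overridden by hand or at a different profile on that rule; those are the entries worth expanding in the log card, as suggested above.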