Threat protection comprises the Sourcefire® SNORT® intrusion detection engine and AMP anti-malware technology. These features require an Advanced Security license.
Malware detection screens incoming and outgoing HTTP traffic for malware, trojan horses, and phishing websites. Threats are detected and blocked based on either the URL or a signature triggered by the content.
You can enable Threat protection by setting the Scanning option to Enabled under the Malware detection section in Security Appliance > Configure > Threat protection.
When traffic is filtered, the URL or ID and the action taken are logged in the Security Center.
Occasionally the MX appliance may block a file or URL that the administrator deems safe. In that case, you can tell the MX to allow the download of the content or web page by whitelisting it.
Find the URL that was blocked in the Event log page and enter it in the Whitelisted URLs section to allow that URL in the future.
Intrusion detection feeds all packets flowing between the LAN and Internet interfaces, and between VLANs, through the SNORT® intrusion detection engine and logs the generated alerts to the Security Report. You can also export these alerts via Syslog.
Intrusion prevention blocks traffic that is identified as malicious, rather than just generating alerts for it.
You can enable intrusion detection by setting the Detection option to Enabled under Security Appliance > Configure > Threat protection. When enabling intrusion detection, there are three distinct detection rulesets to choose from using the Ruleset selector:
The Balanced ruleset will be selected by default.
You can enable intrusion prevention by setting the Prevention option to Enabled under Security Appliance > Configure > Threat protection. Traffic will be automatically blocked if it is detected as malicious based on the detection ruleset specified above.
You can whitelist specific SNORT® signatures by clicking Whitelist an IDS signature. Any signatures for which matching traffic has been seen by the appliance will appear in the Select an Option drop-down so that you can select which signature or signatures you wish to whitelist.
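As an added example that is not part of this documentation, the following Python script shows what a consumer of the Syslog export described above might do with the IDS alerts: it parses `ids-alerts` event lines, drops alerts whose signature has been whitelisted (mirroring the dashboard's signature whitelist), and summarizes the rest by priority and action. The key=value line layout, the field names, the `action` values, the sample lines, and the choice to match a whitelist entry on `gid:sid` without the rule revision are all constructed assumptions for this example; compare them against the lines your own appliance emits before using the parser.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in an assumed Meraki-style key=value syslog layout.
# The third token is the event type; only "ids-alerts" lines are of interest here.
# The final "urls" line is included to show that unrelated events are skipped.
SAMPLE_LOG = """\
1696000001.123 MX-branch ids-alerts signature=1:2000001:3 priority=1 timestamp=1696000001.100 direction=ingress protocol=tcp/ip src=203.0.113.10:443 dst=10.0.0.5:51234 message="EXAMPLE high-priority alert" action=blocked
1696000002.456 MX-branch ids-alerts signature=1:2000002:1 priority=3 timestamp=1696000002.400 direction=egress protocol=udp/ip src=10.0.0.7:5353 dst=224.0.0.251:5353 message="EXAMPLE low-priority alert" action=allowed
1696000003.789 MX-branch ids-alerts signature=1:2000001:3 priority=1 timestamp=1696000003.700 direction=ingress protocol=tcp/ip src=203.0.113.11:443 dst=10.0.0.5:51240 message="EXAMPLE high-priority alert" action=blocked
1696000004.000 MX-branch urls src=10.0.0.9:50000 dst=198.51.100.3:80 mac=00:11:22:33:44:55 request: GET http://example.invalid/
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class IdsAlert:
    signature: str   # "gid:sid:rev" as emitted by the SNORT engine
    priority: int    # 1 is the most severe
    direction: str
    protocol: str
    src: str
    dst: str
    message: str
    action: str      # assumed values: "blocked" (prevention) or "allowed" (detection only)

    @property
    def rule_id(self) -> str:
        """gid:sid without the revision; assumed to be the granularity of a whitelist entry."""
        return ":".join(self.signature.split(":")[:2])


def parse_line(line: str) -> Optional[IdsAlert]:
    """Return an IdsAlert for an ids-alerts line, or None for any other or malformed line."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4 or parts[2] != "ids-alerts":
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(parts[3])}
    try:
        return IdsAlert(
            signature=fields["signature"],
            priority=int(fields["priority"]),
            direction=fields.get("direction", ""),
            protocol=fields.get("protocol", ""),
            src=fields.get("src", ""),
            dst=fields.get("dst", ""),
            message=fields.get("message", ""),
            action=fields.get("action", "unknown"),
        )
    except (KeyError, ValueError):
        # A malformed alert line is skipped rather than crashing the whole pipeline.
        return None


def parse_ids_alerts(text: str) -> list[IdsAlert]:
    """Parse every line of a syslog capture and keep only the IDS alerts."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def summarize(alerts: list[IdsAlert], whitelisted: set[str]) -> dict:
    """Suppress whitelisted signatures (by gid:sid) and summarize what remains."""
    kept = [a for a in alerts if a.rule_id not in whitelisted]
    return {
        "total": len(alerts),
        "suppressed": len(alerts) - len(kept),
        "by_priority": dict(Counter(a.priority for a in kept)),
        "blocked": sum(1 for a in kept if a.action == "blocked"),
        "top_signatures": Counter(a.rule_id for a in kept).most_common(3),
    }


if __name__ == "__main__":
    alerts = parse_ids_alerts(SAMPLE_LOG)
    print("all alerts:", summarize(alerts, set()))
    print("with 1:2000001 whitelisted:", summarize(alerts, {"1:2000001"}))
```

Keeping the whitelist as a set of `gid:sid` values makes it easy to diff the suppression list in the log consumer against what is configured on the appliance, so that a signature whitelisted in one place but not the other is noticed.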
Once Threat protection is enabled, the Security Report will be accessible via Security Appliance > Monitor > Security center. The report provides you with a graphical representation of Intrusion Detection events in your network.
The security threats are broken down by:
You can filter the security events by these categories.