Threat Categories
Each threat category can be set to allow the traffic, take no action, or block it.
The Firewall application performs deep packet inspection to detect and block threats and suspicious traffic. Forcepoint recommends, and configures by default, a medium security threat inspection level that blocks known and probable threats.
Threat inspection is applied to all inbound and outbound traffic for which both of the following hold:
- The TLS inspection setting is set to Decrypt.
- The rule action is set to Continue inspection.
The following table lists the threat categories and the block level applied to each by default:
| Threat Category | Description | Default block level |
|---|---|---|
Attack-related anomalies | Network traffic typically seen prior to or following an attack. | Known |
Compromises and successful attacks | Attacks designed to exploit known vulnerabilities or traffic patterns associated with attempts to gain unauthorized access to a system through bypassing normal security mechanisms. | Known |
Denial of service | Attacks designed to overwhelm the network, servers, and associated services in order to deny service to legitimate users. | Known |
Disclosure | Attacks designed to leak sensitive and confidential information including user names, source code, directory, configuration, and file contents. | Known |
Probe | Scanning activity designed to gather intelligence and identify vulnerabilities. | Known |
Botnet | Botnet traffic typically indicating that malware has been installed, allowing remote control of the device to steal data or use it as a launch pad for further attacks. | Known |
Invalid Packet | Malformed or invalid packets. Some are associated with attacks; others are dropped regardless of this setting because the firewall cannot process them further. | None |
Other suspicious traffic | Uncategorized suspicious traffic that does not conform to normal usage. Enabling this category carries an increased risk of false positives. | None |
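The following Python model shows how the two inspection conditions above and the per-category block levels combine on a single detection, and includes an `audit()` helper that flags rules whose settings silently disable threat inspection. This is an added illustration, not Forcepoint code. It assumes that block levels are cumulative (a level of Probable also blocks Known hits, following the "known and probable threats" wording), that the setting values are the literal strings `"Decrypt"` and `"Continue inspection"` named on this page, and that any other value (the `"Bypass"` used in the demo is hypothetical) disables inspection. The default levels are taken from the table.

```python
"""Model of how the Threat Categories settings gate a detected threat.

Added illustration, not Forcepoint code. Assumptions: block levels are
cumulative (NONE < KNOWN < PROBABLE, each level also blocking the levels
below it); the setting strings are the ones named on the page; any other
value for either setting means inspection does not run.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Configured block level for a category, or the confidence of a hit."""
    NONE = 0
    KNOWN = 1
    PROBABLE = 2


# Default block levels, copied from the threat category table on this page.
DEFAULT_BLOCK_LEVELS = {
    "Attack-related anomalies": Level.KNOWN,
    "Compromises and successful attacks": Level.KNOWN,
    "Denial of service": Level.KNOWN,
    "Disclosure": Level.KNOWN,
    "Probe": Level.KNOWN,
    "Botnet": Level.KNOWN,
    "Invalid Packet": Level.NONE,
    "Other suspicious traffic": Level.NONE,
}


@dataclass
class Rule:
    name: str
    tls_inspection: str    # threat inspection requires "Decrypt"
    action: str            # threat inspection requires "Continue inspection"
    block_levels: dict = field(
        default_factory=lambda: dict(DEFAULT_BLOCK_LEVELS))


@dataclass
class Detection:
    category: str
    confidence: Level            # KNOWN or PROBABLE
    unprocessable: bool = False  # malformed beyond further processing


def inspection_applies(rule: Rule) -> bool:
    """Both conditions listed on the page must hold for inspection to run."""
    return (rule.tls_inspection == "Decrypt"
            and rule.action == "Continue inspection")


def decide(rule: Rule, det: Detection) -> str:
    """Return "drop", "block", "allow" or "not-inspected" for one detection."""
    if det.unprocessable:
        # Invalid Packet caveat: dropped regardless of configuration.
        return "drop"
    if not inspection_applies(rule):
        return "not-inspected"
    level = rule.block_levels.get(det.category, Level.NONE)
    if level == Level.NONE:
        return "allow"  # category set to take no action
    # Cumulative levels (assumption): block when the hit's confidence is at
    # or above the configured threshold, i.e. KNOWN <= KNOWN, KNOWN <= PROBABLE.
    return "block" if det.confidence <= level else "allow"


def audit(rules) -> list:
    """Names of rules whose settings mean threat inspection never runs."""
    return [r.name for r in rules if not inspection_applies(r)]


if __name__ == "__main__":
    # Constructed demo rules; "Bypass" is a hypothetical setting value.
    web = Rule("web-out", "Decrypt", "Continue inspection")
    medium = Rule("web-medium", "Decrypt", "Continue inspection",
                  {**DEFAULT_BLOCK_LEVELS, "Botnet": Level.PROBABLE})
    bypass = Rule("tls-bypass", "Bypass", "Continue inspection")
    for rule in (web, medium, bypass):
        for det in (Detection("Botnet", Level.KNOWN),
                    Detection("Botnet", Level.PROBABLE),
                    Detection("Invalid Packet", Level.KNOWN, unprocessable=True)):
            print(f"{rule.name:12} {det.category:16} "
                  f"{det.confidence.name:9} -> {decide(rule, det)}")
    print("rules with inspection disabled:", audit([web, medium, bypass]))
```

The `audit()` check is the one worth running against a real policy export: a rule whose TLS inspection is anything other than Decrypt, or whose action is anything other than Continue inspection, never reaches the threat category settings at all, so tightening the block levels on such a rule changes nothing.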