Threat inspection settings
Threat category processing performs deep packet inspection and threat detection on inbound and outbound traffic routed through Private Access, and blocks suspicious traffic according to the block level you define for each category.
The threat categories table lists categories of malicious traffic. For each category, use the Block level slider to define how traffic matching that category is treated. The levels are cumulative: each level blocks everything the levels below it block, plus the next tier of less certain detections. Click Save when you have finished.
- None (take no action): traffic is inspected and logged. Traffic may be blocked if found to match a different threat category.
- Known (block known threats only): known threats are blocked. There is a low risk of false positives.
- Probable (block known and probable threats): known and probable threats are blocked. There is a moderate risk of false positives.
- Suspected (block known, probable, and suspected threats): known threats, probable threats, and suspected threats are blocked. There is an increased risk of false positives.
- All: all traffic that matches the threat category is blocked.
For some threat categories, the block level is set with a toggle switch that has two positions:
- Block all: all traffic that matches the category is blocked.
- Take no action: traffic is inspected and logged. Traffic may be blocked if found to match a different threat category.
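The following Python model is an added example, not Forcepoint code or a description of its engine. It shows how the settings above combine into a single verdict for one flow: slider levels are cumulative, toggle categories are either Block all or Take no action, every match is logged, and a flow whose matched category is set to None can still be blocked by another matched category. The category names, the detection tiers (including a below-suspected tier that only All blocks), the default of no action for an unlisted category, and the sample matches are constructed assumptions for illustration.

```python
"""Model of how per-category block levels combine into one block/allow verdict.

Added example, not Forcepoint's code. Category names, detection tiers and the
sample matches below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Confidence tier reported for a detection, most to least certain."""
    KNOWN = 1
    PROBABLE = 2
    SUSPECTED = 3
    OTHER = 4      # assumed: a match below the suspected tier; only ALL blocks it


class BlockLevel(IntEnum):
    """Slider positions. A level blocks every tier whose value is <= the level."""
    NONE = 0       # take no action: inspect and log only
    KNOWN = 1
    PROBABLE = 2
    SUSPECTED = 3
    ALL = 4


@dataclass
class Match:
    """One category hit on a flow (constructed input shape)."""
    category: str
    tier: Tier


@dataclass
class Decision:
    blocked: bool
    blocking_categories: list = field(default_factory=list)
    logged_categories: list = field(default_factory=list)


# Policy: slider categories map to a BlockLevel; toggle categories map to a
# bool (True = Block all, False = Take no action).
def category_blocks(setting, tier: Tier) -> bool:
    """Does one category's setting block a match of the given tier?"""
    if isinstance(setting, bool):          # toggle-switch category
        return setting
    if setting == BlockLevel.NONE:
        return False
    return int(tier) <= int(setting)       # levels are cumulative


def evaluate(policy: dict, matches: list) -> Decision:
    """Combine all category matches for one flow into a single verdict.

    Every match is logged whatever the verdict. The flow is blocked if any
    matched category blocks it, so setting a category to NONE does not exempt
    traffic that a different matched category would block. A category absent
    from the policy is assumed to take no action.
    """
    decision = Decision(blocked=False)
    for m in matches:
        decision.logged_categories.append(m.category)
        setting = policy.get(m.category, BlockLevel.NONE)
        if category_blocks(setting, m.tier):
            decision.blocked = True
            decision.blocking_categories.append(m.category)
    return decision


# Constructed sample policy.
SAMPLE_POLICY = {
    "Malware": BlockLevel.PROBABLE,
    "Phishing": BlockLevel.NONE,
    "Scanner": BlockLevel.ALL,
    "Botnet": True,    # toggle: Block all
    "Adware": False,   # toggle: Take no action
}

if __name__ == "__main__":
    flows = {
        "suspected malware only": [Match("Malware", Tier.SUSPECTED)],
        "known phishing, category set to None": [Match("Phishing", Tier.KNOWN)],
        "known phishing plus botnet hit": [Match("Phishing", Tier.KNOWN),
                                           Match("Botnet", Tier.SUSPECTED)],
    }
    for name, matches in flows.items():
        d = evaluate(SAMPLE_POLICY, matches)
        print(f"{name}: blocked={d.blocked} by={d.blocking_categories} "
              f"logged={d.logged_categories}")
```

The third sample flow is the case the None description warns about: the Phishing category itself takes no action, yet the flow is blocked because it also matched the Botnet toggle category, and both matches appear in the log.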
False positives
False positives occur when benign traffic is incorrectly detected as suspicious and blocked although no threat exists. For each category, Forcepoint recommends a default block level that provides a high level of security while minimizing the risk of false positives. Any threat detection policy is a balance between identifying threats and minimizing false positives: lower block levels allow more potentially suspicious traffic through but reduce the risk of false positives; higher block levels stop more potentially suspicious traffic but increase that risk. Because traffic is inspected and logged even when a category is set to None, you can review the logged matches for a category before raising its block level.