Threat inspection for private application traffic
Private Access performs deep packet inspection to detect and block threats and suspicious traffic. A medium security threat inspection level that blocks known and probable threats is recommended by Forcepoint and is configured by default.
Threat inspection is applied to all inbound and outbound private application traffic, where:
- The TLS inspection setting is set to Decrypt
- The rule action is set to Continue inspection
| Category | Description | Default block level |
|---|---|---|
| Attack-related anomalies | Network traffic typically seen prior to or following an attack. | Known and probable |
| Compromises and successful attacks | Attacks designed to exploit known vulnerabilities or traffic patterns associated with attempts to gain unauthorized access to a system through bypassing normal security mechanisms. | Known and probable |
| Denial of service | Attacks designed to overwhelm the network, servers, and associated services in order to deny service to legitimate users. | Known and probable |
| Disclosure | Attacks designed to leak sensitive and confidential information including user names, source code, directory, configuration, and file contents. | Known and probable |
| Probe | Scanning activity designed to gather intelligence and identify vulnerabilities. | Known and probable |
| Botnet | Botnet traffic typically indicating that malware has been installed, allowing remote control of the device to steal data or use it as a launch pad for further attacks | Known and probable |
| Malicious routing | Attacks that attempt to misuse network protocols to avoid or bypass security filters. | Block all |
| Spyware, malware, and adware | Services that are known to demonstrate malicious or undesirable behavior. Includes downloading of unauthorized software that can lead to further compromise. | Block all |
| Protocol violations | Enforces strict compliance for a variety of protocols including TCP, HTTP, DNS, and others. May come with an increased risk of false positives if enabled. | Take no action |
| Other suspicious traffic | Uncategorized suspicious traffic that does not conform to normal usage. May come with an increased risk of false positives if enabled. | Take no action |