Configuring network protection
You can configure how Gateway detects and reacts to threats in various ways. When you configure your access control list (ACL) rules to allow access to destinations, Gateway can still block the user from accessing the destination if a potential threat is identified. You can also control the information that can be displayed in the Network Events screen and Alerts view and what is sent to the SIEM solution or syslog server, if configured. To enable the additional network protection, ensure that each ACL rule also has the "Check addresses against Network Protection" parameter selected. This setting is enabled by default.
- Signature detection: You can use signature detection to enable deep network threat detection based on the network connection's signatures. When signature detection is enabled, Gateway automatically blocks connections where threats are detected, provided the destination matches an ACL rule that has "Check addresses against Network Protection" selected. When signature detection is disabled, threats are logged but the connection is not blocked. For a list of detections and their actions, see Viewing network activity. Signature detection is enabled by default.
- Destination protection: You can use destination reputation to block potentially malicious IP addresses and FQDNs that match the risk level that you specify (low, medium, or high). When enabled, the default risk level is high. Gateway logs and automatically blocks connections to destinations that match the set risk level, provided the destination matches an ACL rule that has "Check addresses against Network Protection" selected. When destination protection is disabled, threats are logged but the connection is not blocked. For a list of detections and their actions, see Viewing network activity. Destination reputation is enabled by default.
Risk levels use a combination of machine learning (ML) models and a static IP reputation database to determine whether a destination might contain potential threats.
- ML models: The ML models assign a confidence level to destinations that your users might access. ML models continuously learn whether a destination might contain potential threats.
- IP reputation databases: The IP reputation database provides a confidence level for IP addresses from open and commercial IP reputation feeds. Gateway references the reputation feeds to determine the risk level of an IP address. Gateway considers the number of vendors that have convicted a specific destination and the dependability of the sources before it assigns a risk level (for example, if the majority of sources and IP reputation engines identify a destination as containing potential threats, Gateway assigns the destination a risk level of high). For more information on the risk levels, see Destination reputation risk threshold.
- Beacon
- Command and control
- DNS Tunneling
- Malware
- Phishing
- Potentially Harmful
- Suspicious Website
- Domain Generation Algorithm (DGA)
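The following is an added illustration, not Gateway's own code, of the decision logic described in the signature detection and destination protection sections above: a connection allowed by an ACL rule is still blocked when a signature or reputation threat is found and the corresponding protection is enabled, and is only logged when that protection is disabled. The class and function names, the "majority of sources means high" aggregation rule, and treating the risk threshold as "at or above" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple

class Risk(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Settings:                      # hypothetical model of the tenant settings
    signature_detection: bool = True   # enabled by default per the documentation
    destination_reputation: bool = True
    risk_threshold: Risk = Risk.HIGH   # default risk level is high

@dataclass
class AclRule:                        # hypothetical model of one ACL rule
    allow: bool
    check_network_protection: bool = True  # "Check addresses against Network Protection"

def reputation_risk(convictions: int, total_sources: int) -> Risk:
    """Assumed aggregation of reputation feeds: a majority of sources
    convicting the destination yields HIGH; the other cut-offs are constructed."""
    if total_sources == 0 or convictions == 0:
        return Risk.NONE
    ratio = convictions / total_sources
    if ratio > 0.5:
        return Risk.HIGH
    if ratio >= 0.25:
        return Risk.MEDIUM
    return Risk.LOW

def evaluate(rule: AclRule, settings: Settings,
             signature_threat: Optional[str], dest_risk: Risk) -> Tuple[str, List[str]]:
    """Return (action, findings). Findings are what would be logged to
    Network Events / SIEM; action is 'deny', 'block' or 'allow'."""
    if not rule.allow:
        return "deny", []          # ACL denies outright; protection is not consulted
    if not rule.check_network_protection:
        return "allow", []         # rule opted out of network protection
    findings: List[str] = []
    block = False
    if signature_threat:           # deep signature match on the connection
        findings.append(f"signature:{signature_threat}")
        block = block or settings.signature_detection
    if dest_risk != Risk.NONE and dest_risk >= settings.risk_threshold:
        findings.append(f"reputation:{dest_risk.name}")
        block = block or settings.destination_reputation
    return ("block" if block else "allow"), findings
```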