Threat Prevention

From Edge Threat Management Wiki - Arista
Revision as of 22:59, 21 January 2020 by Bcarmichael (talk | contribs)

Other Links:
  • Threat Prevention Description Page
  • Threat Prevention Demo
  • Threat Prevention Forums
  • ThreatPrevention Reports
  • ThreatPrevention FAQs

About ThreatPrevention

ThreatPrevention provides traditional threatprevention functionality, blocking and/or flagging traffic based on rules.

The term "ThreatPrevention" has grown to encompass many functionalities and has a wide array of meanings. The term "threatprevention" is often used interchangeably with "router", "gateway" and "UTM" or "Unified Threat Management". Even the Untangle NGFW is a "next-gen" "threatprevention." There are also host-based "threatpreventions" that run on the local host computer.

The "ThreatPrevention" app itself is a traditional threatprevention used to block and/or flag TCP and UDP sessions passing through Untangle using rules. The ThreatPrevention app provides the same functionality as a traditional "threatprevention" - the ability to use rules to control which computers can communicate on a network.


Settings

This section reviews the different settings and configuration options available for ThreatPrevention.


Status

This displays the current status and some statistics.


Rules

The Rules tab allows you to specify rules to Block, Pass or Flag traffic that crosses the Untangle.

The Rules documentation describes how rules work and how they are configured. ThreatPrevention uses rules to determine whether to block or pass a specific session, and whether the session is flagged. Flagging a session marks it in the logs for review in the event logs or reports, but has no direct effect on the network traffic.

Typically Untangle is installed as a NAT/gateway device, or behind another NAT/gateway device in bridge mode. In this scenario all inbound sessions are blocked by NAT except those explicitly allowed with port forwards. Because of this, the ThreatPrevention app does not block anything by default. It is up to you to decide the best fit for your network, whether you only want to block specific ports or you want to block everything and allow only a few services.


Rule Actions

  • Pass: Allows the traffic which matched the rule to flow.
  • Block: Blocks the traffic which matched the rule.

Additionally, a session can be flagged. If Flag is checked, the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.
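The following is an added example, not the Untangle app's own code or rule schema. It is a small first-match rule evaluator that models the semantics described in the Rules and Rule Actions sections: the first enabled matching rule decides the session, a Block is always flagged, a Pass is flagged only when the rule says so, and a session matching no rule passes unflagged (nothing blocked by default). The session fields, the rule conditions (protocol, source network, destination port) and the two constructed rule sets, one "block everything and allow a few services" and one "block specific ports only", are assumptions made for the example.

```python
"""Toy first-match rule evaluator illustrating Pass / Block / Flag semantics (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACTIONS = ("Pass", "Block")


@dataclass(frozen=True)
class Session:
    """One TCP or UDP session crossing the gateway (assumed field set)."""
    protocol: str   # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Match conditions plus an action; a condition of None matches anything.

    The condition fields are assumptions for this example, not the app's own rule schema.
    """
    action: str                      # "Pass" or "Block"
    flag: bool = False               # mark matching sessions in the event log
    protocol: Optional[str] = None   # "TCP", "UDP" or None for any
    src_net: Optional[str] = None    # CIDR such as "192.168.1.0/24"
    dst_port: Optional[int] = None
    enabled: bool = True
    description: str = ""

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, s: Session) -> bool:
        """True when every configured condition holds for the session."""
        if self.protocol is not None and self.protocol.upper() != s.protocol.upper():
            return False
        if self.src_net is not None and ip_address(s.src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.dst_port is not None and self.dst_port != s.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    action: str             # "Pass" or "Block"
    flagged: bool           # whether the event is marked in the log
    rule: Optional[Rule]    # the matching rule, or None when no rule matched


def evaluate(rules: List[Rule], session: Session) -> Verdict:
    """First enabled rule that matches decides the session.

    A Block is always flagged, a Pass is flagged only if the rule says so, and a
    session that matches no rule passes unflagged (nothing is blocked by default).
    """
    for rule in rules:
        if rule.enabled and rule.matches(session):
            return Verdict(rule.action, rule.flag or rule.action == "Block", rule)
    return Verdict("Pass", False, None)


def log_line(session: Session, verdict: Verdict) -> str:
    """Event-log style line; flagging changes what is logged, never the traffic."""
    why = verdict.rule.description if verdict.rule else "no matching rule"
    mark = "FLAGGED" if verdict.flagged else "-"
    return (f"{verdict.action.upper():5} {mark:7} {session.protocol} "
            f"{session.src_ip} -> {session.dst_ip}:{session.dst_port} ({why})")


# Constructed rule set for the "block everything, allow only a few services" approach.
# Order matters: the catch-all Block must come last.
ALLOWLIST_RULES = [
    Rule("Pass", protocol="UDP", dst_port=53, description="DNS"),
    Rule("Pass", protocol="TCP", dst_port=443, description="HTTPS"),
    Rule("Pass", protocol="TCP", dst_port=22, src_net="192.168.1.0/24",
         flag=True, description="SSH from LAN, flagged for review"),
    Rule("Block", description="default deny"),
]

# Constructed rule set for the "block only specific ports" approach.
BLOCKLIST_RULES = [
    Rule("Block", protocol="TCP", dst_port=23, description="Telnet"),
]

if __name__ == "__main__":
    # Constructed sample sessions; addresses are documentation ranges.
    samples = [
        Session("TCP", "192.168.1.10", "203.0.113.5", 443),
        Session("TCP", "192.168.1.10", "203.0.113.5", 22),
        Session("TCP", "10.0.0.9", "203.0.113.5", 22),
        Session("TCP", "192.168.1.10", "203.0.113.5", 23),
    ]
    for name, rules in (("allow-list", ALLOWLIST_RULES), ("block-list", BLOCKLIST_RULES)):
        print(f"== {name} ==")
        for s in samples:
            print(log_line(s, evaluate(rules, s)))
```

Running the script prints one event-log style line per sample session for each rule set. The point worth noticing is rule order: moving the catch-all Block above the Pass rules in `ALLOWLIST_RULES` would block every session, which is why a default-deny rule set always puts the explicit allows first.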


Reports

ThreatPrevention Reports


Related Topics

User Guide


ThreatPrevention FAQs

ThreatPrevention FAQs