Security Intelligence Options

Use the Security Intelligence tab in the access control policy editor to configure network (IP address) and URL Security Intelligence, and to associate the access control policy with a DNS policy in which you have configured Security Intelligence for domains.

Available Objects

Available objects include:

• Security Intelligence categories populated by the system-provided feed.

  For details, see Security Intelligence Categories.

• System-provided Global Block and Do Not Block lists.

  For descriptions, see Security Intelligence Sources.

• Security Intelligence lists and feeds that you create under Object > Object Management > Security Intelligence.

  For descriptions, see Security Intelligence Sources.

• Network and URL objects and groups that are configured on the respective pages under Object > Object Management. These are different from the Security Intelligence objects in the previous bullet.

  For details about network objects, see Network. (For URLs, use Security Intelligence lists or feeds rather than objects or groups.)

Available Zones

Except for the system-provided Global lists, you can constrain Security Intelligence filtering by zone.

For example: To improve performance, you may want to target enforcement. As a more specific example, you can block spam only for a security zone that handles email traffic.

To enforce Security Intelligence filtering for an object on multiple zones, you must add the object to the Block or Do Not Block list separately for each zone.

DNS Policy

In order to match DNS traffic using Security Intelligence, you must select a DNS policy for your Security Intelligence configuration.

Using Block or Do Not Block lists, or monitoring traffic based on a DNS list or feed, also requires that you:

• Configure DNS Security Intelligence lists and feeds. See Security Intelligence.

• Create a DNS policy. See Creating Basic DNS Policies for more information.

• Configure DNS rules that reference your DNS lists or feeds. See Creating and Editing DNS Rules for more information.

• Because you deploy the DNS policy as part of your access control policy, you must associate both policies. See DNS Policy Deploy for more information.

Do Not Block List

See Override Security Intelligence Blocking.

To select all objects in the list, right-click an object.

Block List

See Configuration Example: Security Intelligence Blocking and other topics in this chapter.

For explanations of the visual indicators in the Block list, see Block List Icons.

To select all objects in the list, right-click an object.

Logging

Security Intelligence logging, enabled by default, logs all blocked and monitored connections handled by an access control policy’s target devices. However, the system does not log Do Not Block list matches; logging of connections on the Do Not Block list depends on their eventual disposition. Logging must be enabled for connections on the Block list before you can set objects on that list to monitor-only.

To enable, disable, or view logging settings, right-click an object in the Block list.