Threat Category Rules

Threat Categories policy processing performs deep packet inspection and threat detection on inbound and outbound traffic, and blocks suspicious traffic according to the block level you define for each category.

The Threat Categories table lists categories of malicious traffic. For each category, use the Block Level slider to define how potentially malicious traffic in that category is treated. Click Save when you have finished.

The slider can be set to the following settings:
  • None (take no action): traffic is inspected and logged, but not blocked on this category alone. The same traffic may still be blocked if it also matches a different threat category whose block level it reaches.
  • Known (block known threats only): known threats are blocked. There is a low risk of false positives.
  • Probable (block known and probable threats): known and probable threats are blocked. There is a moderate risk of false positives.
  • Suspicious (block known threats, probable threats, and suspicious traffic): known threats, probable threats, and suspicious traffic are blocked. There is an increased risk of false positives.
  • All: all traffic that matches the threat category is blocked, whatever the confidence of the match.

False positives

False positives occur when legitimate traffic is incorrectly detected as suspicious and blocked, although no threat exists. For each category, Forcepoint recommends a default block level that provides a high level of security while minimizing the risk of false positives. Any threat detection policy is a balance between identifying threats and minimizing false positives: lower block levels allow more potentially suspicious traffic through while lowering the risk of false positives; higher block levels stop more potentially suspicious traffic, but increase the risk of false positives.
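The following Python model is an added example and is not Forcepoint code; it illustrates the slider semantics described above, including the behaviour of the None setting (traffic matching a category set to None is still blocked when the same traffic reaches the block level of another category) and the trade-off in the false positives section (raising a category's block level blocks a match that was previously only logged). The category names, the Confidence scale, and the detections are constructed placeholders, not Forcepoint's actual categories or detection output.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class BlockLevel(IntEnum):
    """Slider positions, ordered from most permissive to most restrictive."""
    NONE = 0        # inspect and log only; never block on this category alone
    KNOWN = 1       # block known threats only
    PROBABLE = 2    # block known and probable threats
    SUSPICIOUS = 3  # block known, probable and suspicious traffic
    ALL = 4         # block everything that matches the category


class Confidence(IntEnum):
    """How strongly a detection matched its category (hypothetical scale)."""
    MATCH = 1       # matched the category, but with weak evidence
    SUSPICIOUS = 2
    PROBABLE = 3
    KNOWN = 4


# Minimum confidence a detection needs before a category at the given block
# level blocks the flow. NONE never blocks; ALL blocks any match at all.
BLOCK_THRESHOLD = {
    BlockLevel.NONE: None,
    BlockLevel.KNOWN: Confidence.KNOWN,
    BlockLevel.PROBABLE: Confidence.PROBABLE,
    BlockLevel.SUSPICIOUS: Confidence.SUSPICIOUS,
    BlockLevel.ALL: Confidence.MATCH,
}


@dataclass(frozen=True)
class Detection:
    category: str          # threat category the inspection engine matched
    confidence: Confidence
    detail: str            # free text, e.g. the signature or indicator that hit


@dataclass
class Verdict:
    blocked: bool
    blocked_by: list = field(default_factory=list)  # categories whose block level was reached
    logged: list = field(default_factory=list)      # every category that matched, blocked or not


def evaluate(detections, policy):
    """Apply per-category block levels to the detections raised for one flow.

    Every match is logged. The flow is blocked if any single detection meets
    the threshold of its own category's block level, so a category set to
    NONE still sees its traffic blocked when another category fires.
    Categories missing from the policy are treated as NONE.
    """
    logged = sorted({d.category for d in detections})
    blocked_by = []
    for det in detections:
        level = policy.get(det.category, BlockLevel.NONE)
        threshold = BLOCK_THRESHOLD[level]
        if threshold is not None and det.confidence >= threshold:
            if det.category not in blocked_by:
                blocked_by.append(det.category)
    return Verdict(blocked=bool(blocked_by), blocked_by=blocked_by, logged=logged)


def stricter(policy, category, level):
    """Return a copy of the policy with one category moved to another level."""
    updated = dict(policy)
    updated[category] = level
    return updated


# Constructed policy and detections; the category names are placeholders,
# not Forcepoint's category list.
POLICY = {
    "Malware": BlockLevel.KNOWN,
    "Phishing": BlockLevel.PROBABLE,
    "Command and Control": BlockLevel.NONE,
}

FLOW_A = [  # C2 category is set to NONE, but the same flow also hits Malware
    Detection("Command and Control", Confidence.KNOWN, "beacon to known C2 host"),
    Detection("Malware", Confidence.KNOWN, "known trojan download"),
]
FLOW_B = [  # only a suspicious-grade Phishing match; the slider requires PROBABLE
    Detection("Phishing", Confidence.SUSPICIOUS, "lookalike domain"),
]


if __name__ == "__main__":
    print(evaluate(FLOW_A, POLICY))   # blocked by Malware; both categories logged
    print(evaluate(FLOW_B, POLICY))   # logged only
    # Raising Phishing to SUSPICIOUS blocks FLOW_B: more threats stopped, but a
    # merely suspicious-looking domain is now also more likely to be a false positive.
    print(evaluate(FLOW_B, stricter(POLICY, "Phishing", BlockLevel.SUSPICIOUS)))
```

Run it as a script to see the three verdicts. The model deliberately decides per detection rather than on an aggregate score, because that is what the slider descriptions imply: each category's level is compared only against matches in that category, and the most restrictive outcome across categories wins.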