
Verification and Check

This section describes the verification and check operations after the APT defense feature is configured.

Verification

After configuring the APT defense feature, perform the following steps to check the configuration result:

  1. Check the APT defense profile.

    Choose Object > Security Profiles > APT Defense > APT Defense Profile List, click the name of the APT defense profile to be checked, and verify that the parameter settings in the profile are correct.

  2. Check the security policy configuration.

    Choose Policy > Security Policy > Security Policy, click the name of the security policy to be checked, and verify that the APT defense part correctly references the APT defense profile.

Viewing Logs

Choose Monitor > Log > Sandbox Detection Log to view sandbox detection logs. The logs include:
  • After traffic matches the APT defense profile, unknown file restoration is performed. The restored file is submitted to the corresponding sandbox (local or cloud sandbox) for detection, based on the configured sandbox type. If the file is detected as malicious or suspicious, this log is reported.
  • The FW periodically reads file detection results from the sandbox. After malicious URL detection and file reputation detection are enabled, the IAE updates the cached malicious file and malicious URL lists based on the sandbox inspection results. When subsequent traffic arrives on the FW:
    • If the traffic matches a malicious URL, the device blocks the traffic and generates the log.
    • If the traffic matches a malicious file, the device performs the specified action and generates the log.

The following table describes the meaning of each field.

Field                  Description
Time                   Time at which the sandbox detection log is generated
Log Type               Log type, which can be sandbox scanning, malicious URL, or file reputation
Threat Name            Threat name
Result                 Detection result, which can be malicious or suspicious
Threat Level           Threat level of a malicious file, which can be high-risk, medium-risk, or low-risk
Action                 Action (alert, block, declare, or delete attachment) taken on the traffic that matches the profile
File MD5               MD5 value of the file recorded in the sandbox detection log
                       NOTE: Click File MD5 to configure the file MD5 value as a file reputation exception. You can then view the file reputation exception under Object > Security Profiles > APT Defense > Advanced Settings.
File Type              File type
Source Zone            Source security zone of the traffic
Destination Zone       Destination security zone of the traffic
Source Region          Source region of the traffic
Destination Region     Destination region of the traffic
Source Address         Source IP address of the traffic
Destination Address    Destination IP address of the traffic
Source User            User who generated the traffic
Source Port            Source port of the traffic
Destination Port       Destination port of the traffic
Application            Application type of the traffic
Protocol               Protocol of the traffic
External Address       Addresses connected to the malicious file
Security Policy        Name of the security policy that the traffic matches
Profile                Name of the APT defense profile that the traffic matches
Virtual System         Virtual system to which the traffic belongs
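The fields above are what an analyst works from once the logs are exported. The following added example (not from the Huawei documentation) triages constructed sandbox detection log records: it lists the hosts that already received a malicious file because the configured action was only alert, keyed by File MD5, and counts how many records of each Log Type ended in a blocking action. It assumes Source Address is the host that initiated the transfer; the real export format of the FW is not assumed.

```python
from collections import defaultdict

# Added example, not from the Huawei documentation. Records are constructed
# with the field names from this page's log field table.

# Actions that still let the file reach the client. A malicious verdict
# with one of these actions means the host already received the file.
NON_BLOCKING_ACTIONS = {"alert"}

# Constructed sample sandbox detection log records.
SAMPLE_LOGS = [
    {"Log Type": "sandbox scanning", "Result": "malicious",
     "Threat Level": "high-risk", "Action": "alert",
     "File MD5": "a" * 32, "Source Address": "10.1.1.5"},
    {"Log Type": "file reputation", "Result": "malicious",
     "Threat Level": "high-risk", "Action": "block",
     "File MD5": "a" * 32, "Source Address": "10.1.1.6"},
    {"Log Type": "sandbox scanning", "Result": "suspicious",
     "Threat Level": "medium-risk", "Action": "alert",
     "File MD5": "b" * 32, "Source Address": "10.1.1.7"},
    {"Log Type": "malicious URL", "Result": "malicious",
     "Threat Level": "high-risk", "Action": "block",
     "File MD5": "", "Source Address": "10.1.1.8"},
    {"Log Type": "sandbox scanning", "Result": "malicious",
     "Threat Level": "high-risk", "Action": "alert",
     "File MD5": "a" * 32, "Source Address": "10.1.1.5"},
]


def needs_follow_up(record):
    """Malicious verdict, but the FW only alerted: the file was delivered."""
    return (record["Result"] == "malicious"
            and record["Action"] in NON_BLOCKING_ACTIONS
            and record["File MD5"] != "")


def hosts_by_md5(records):
    """Map each delivered malicious file (by MD5) to the hosts that got it.
    Source Address is assumed to be the host that initiated the transfer."""
    affected = defaultdict(set)
    for rec in records:
        if needs_follow_up(rec):
            affected[rec["File MD5"]].add(rec["Source Address"])
    return {md5: sorted(hosts) for md5, hosts in affected.items()}


def blocked_count_by_log_type(records):
    """Count records per Log Type whose action stopped the traffic."""
    counts = defaultdict(int)
    for rec in records:
        if rec["Action"] not in NON_BLOCKING_ACTIONS:
            counts[rec["Log Type"]] += 1
    return dict(counts)
```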

Copyright © Huawei Technologies Co., Ltd.