Checkpoint Harmony Email Policy Management
Overview
Checkpoint Harmony Email & Collaboration (Avanan) uses a layered policy engine to detect and respond to email threats. Policies define what gets scanned, how threats are classified, and what actions are taken when threats are detected. This skill covers policy types, configuration, enable/disable workflows, and best practices for policy tuning across managed customer tenants.
Policy Types
| Type | Code | Description | Default Action |
|---|
| Anti-Phishing | ANTI_PHISHING | URL scanning, brand impersonation, credential harvesting detection | Quarantine |
| Anti-Malware | ANTI_MALWARE | Attachment scanning, sandbox analysis, known malware signatures | Quarantine |
| Anti-BEC | ANTI_BEC | Business email compromise and impersonation detection | Quarantine |
| Anti-Spam | ANTI_SPAM | Spam and bulk mail filtering | Quarantine or Junk |
| DLP | DLP | Data loss prevention for outbound and internal emails | Block or Notify |
| URL Rewriting | URL_REWRITE | Click-time URL protection with safe browsing | Rewrite and Scan |
| Account Takeover | ATO_PROTECTION | Detect compromised internal accounts | Alert and Block |
| Custom Rule | CUSTOM | User-defined policy rules | Configurable |
Policy Actions
| Action | Code | Description |
|---|
| Quarantine | QUARANTINE | Move email to quarantine for admin review |
| Block | BLOCK | Reject the email entirely (NDR to sender) |
| Deliver with Warning | DELIVER_WARN | Deliver to inbox with security banner |
| Move to Junk | JUNK | Deliver to junk/spam folder |
| Notify | NOTIFY | Deliver normally but notify admin |
| Log Only | LOG | Record the detection but take no action |
| Rewrite URLs | REWRITE | Replace URLs with safe browsing links |
Policy Scope
Policies can be scoped to different levels:
| Scope | Description | Use Case |
|---|
| Global | Applies to all users in the tenant | Baseline security policies |
| Group | Applies to a specific user group | Stricter rules for executives |
| User | Applies to a single user | Exception or override |
| Domain | Applies to a specific sender/recipient domain | Partner domain exceptions |
Complete Policy Field Reference
Core Fields
| Field | Type | Description |
|---|
policyId | string | Unique policy identifier |
name | string | Human-readable policy name |
description | string | Policy purpose and behavior |
type | string | Policy type code (see table above) |
enabled | boolean | Whether the policy is active |
priority | int | Evaluation order (lower = higher priority) |
createdDate | datetime | When the policy was created |
modifiedDate | datetime | Last modification timestamp |
modifiedBy | string | Who last modified the policy |
Configuration Fields
| Field | Type | Description |
|---|
action | string | Action to take on match (see actions above) |
scope | string | GLOBAL, GROUP, USER, DOMAIN |
scopeTargets | string[] | Target groups, users, or domains for the scope |
direction | string | INBOUND, OUTBOUND, INTERNAL, ALL |
severity | string | Minimum severity to trigger: CRITICAL, HIGH, MEDIUM, LOW |
exceptions | object[] | Allow-list exceptions to the policy |
schedule | object | Optional time-based activation schedule |
Anti-Phishing Specific Fields
| Field | Type | Description |
|---|
urlScanningEnabled | boolean | Scan URLs in email body |
brandImpersonationEnabled | boolean | Detect brand spoofing |
loginPageSimilarityThreshold | int | Similarity score to trigger (0-100) |
urlRewriteEnabled | boolean | Enable click-time URL rewriting |
qrCodeScanningEnabled | boolean | Scan QR codes in attachments/body |
Anti-Malware Specific Fields
| Field | Type | Description |
|---|
signatureScanEnabled | boolean | Known malware signature matching |
sandboxEnabled | boolean | Dynamic analysis in sandbox |
sandboxTimeout | int | Max sandbox analysis time in seconds |
fileTypeBlockList | string[] | Blocked file extensions (e.g., .exe, .scr) |
passwordProtectedArchives | string | Action for password-protected files: BLOCK, SCAN, ALLOW |
DLP Specific Fields
| Field | Type | Description |
|---|
dlpRules | object[] | List of DLP pattern rules |
dlpRules[].pattern | string | Regex or keyword pattern |
dlpRules[].dataType | string | SSN, credit card, custom, etc. |
dlpRules[].threshold | int | Minimum matches to trigger |
dlpRules[].action | string | BLOCK, NOTIFY, LOG |
dlpRules[].notifyRecipients | string[] | Who to notify on trigger |
MCP Tools
| Tool | Description | Key Parameters |
|---|
avanan_policies_list | List all security policies | type, enabled, scope |
avanan_policies_get | Get detailed policy configuration | policyId |
avanan_policies_enable | Enable a disabled policy | policyId |
avanan_policies_disable | Disable an active policy | policyId, reason |
avanan_policies_update | Update policy configuration | policyId, updates |
avanan_allow_list_get | Get current allow list entries | type (sender, domain, ip) |
avanan_allow_list_add | Add entry to allow list | type, value, reason |
avanan_allow_list_remove | Remove entry from allow list | type, value |
avanan_block_list_get | Get current block list entries | type (sender, domain, ip) |
avanan_block_list_add | Add entry to block list | type, value, reason |
avanan_block_list_remove | Remove entry from block list | type, value |
Tool Usage Examples
List all enabled anti-phishing policies:
{
"tool": "avanan_policies_list",
"parameters": {
"type": "ANTI_PHISHING",
"enabled": true
}
}
Disable a policy with reason:
{
"tool": "avanan_policies_disable",
"parameters": {
"policyId": "pol-abc123",
"reason": "Generating excessive false positives on partner domain emails"
}
}
Add sender to allow list:
{
"tool": "avanan_allow_list_add",
"parameters": {
"type": "sender",
"value": "noreply@trusted-partner.com",
"reason": "Legitimate automated notifications from billing system"
}
}
Common Workflows
Policy Audit Workflow
- List all policies - Get complete policy inventory
- Review enabled policies - Ensure baseline policies are active
- Check policy priority order - Higher priority policies evaluate first
- Review exceptions - Ensure allow/block lists are current
- Check policy coverage:
- Anti-phishing enabled for all inbound
- Anti-malware enabled for all directions
- DLP enabled for outbound
- ATO protection enabled for internal
- Document gaps - Identify missing or misconfigured policies
Policy Tuning Workflow (Reducing False Positives)
- Identify high-FP policies - Check quarantine stats by policy
- Review triggered items - Sample recent quarantine entries for the policy
- Analyze patterns:
- Are specific senders repeatedly triggering?
- Is a specific rule too broad?
- Are legitimate email patterns being caught?
- Adjust policy:
- Add specific sender/domain exceptions (prefer narrow exceptions)
- Adjust sensitivity thresholds
- Modify action from QUARANTINE to DELIVER_WARN if appropriate
- Monitor results - Track FP rate after changes
Enable/Disable Policy Workflow
Enabling a policy:
- Review policy configuration before enabling
- Consider starting with LOG action to assess impact
- Enable the policy
- Monitor quarantine volume for 24-48 hours
- Adj
