From checkpoint-avanan
Guides Checkpoint Harmony Email (Avanan) security policy management: DLP, anti-phishing, anti-malware, quarantine, allow/block lists. Covers types, actions, enable/disable workflows, effects, and tuning best practices for MSP admins.
```shell
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin checkpoint-avanan
```

This skill uses the workspace's default tool permissions.
Checkpoint Harmony Email & Collaboration (Avanan) uses a layered policy engine to detect and respond to email threats. Policies define what gets scanned, how threats are classified, and what actions are taken when threats are detected. This skill covers policy types, configuration, enable/disable workflows, and best practices for policy tuning across managed customer tenants.

Policy types:

| Type | Code | Description | Default Action |
|---|---|---|---|
| Anti-Phishing | ANTI_PHISHING | URL scanning, brand impersonation, credential harvesting detection | Quarantine |
| Anti-Malware | ANTI_MALWARE | Attachment scanning, sandbox analysis, known malware signatures | Quarantine |
| Anti-BEC | ANTI_BEC | Business email compromise and impersonation detection | Quarantine |
| Anti-Spam | ANTI_SPAM | Spam and bulk mail filtering | Quarantine or Junk |
| DLP | DLP | Data loss prevention for outbound and internal emails | Block or Notify |
| URL Rewriting | URL_REWRITE | Click-time URL protection with safe browsing | Rewrite and Scan |
| Account Takeover | ATO_PROTECTION | Detect compromised internal accounts | Alert and Block |
| Custom Rule | CUSTOM | User-defined policy rules | Configurable |

Policy actions:

| Action | Code | Description |
|---|---|---|
| Quarantine | QUARANTINE | Move email to quarantine for admin review |
| Block | BLOCK | Reject the email entirely (NDR to sender) |
| Deliver with Warning | DELIVER_WARN | Deliver to inbox with security banner |
| Move to Junk | JUNK | Deliver to junk/spam folder |
| Notify | NOTIFY | Deliver normally but notify admin |
| Log Only | LOG | Record the detection but take no action |
| Rewrite URLs | REWRITE | Replace URLs with safe browsing links |

Policies can be scoped to different levels:

| Scope | Description | Use Case |
|---|---|---|
| Global | Applies to all users in the tenant | Baseline security policies |
| Group | Applies to a specific user group | Stricter rules for executives |
| User | Applies to a single user | Exception or override |
| Domain | Applies to a specific sender/recipient domain | Partner domain exceptions |

Core fields of a policy object:

| Field | Type | Description |
|---|---|---|
| policyId | string | Unique policy identifier |
| name | string | Human-readable policy name |
| description | string | Policy purpose and behavior |
| type | string | Policy type code (see table above) |
| enabled | boolean | Whether the policy is active |
| priority | int | Evaluation order (lower = higher priority) |
| createdDate | datetime | When the policy was created |
| modifiedDate | datetime | Last modification timestamp |
| modifiedBy | string | Who last modified the policy |

Policy configuration fields:

| Field | Type | Description |
|---|---|---|
| action | string | Action to take on match (see actions above) |
| scope | string | GLOBAL, GROUP, USER, DOMAIN |
| scopeTargets | string[] | Target groups, users, or domains for the scope |
| direction | string | INBOUND, OUTBOUND, INTERNAL, ALL |
| severity | string | Minimum severity to trigger: CRITICAL, HIGH, MEDIUM, LOW |
| exceptions | object[] | Allow-list exceptions to the policy |
| schedule | object | Optional time-based activation schedule |

Anti-phishing policy settings:

| Field | Type | Description |
|---|---|---|
| urlScanningEnabled | boolean | Scan URLs in email body |
| brandImpersonationEnabled | boolean | Detect brand spoofing |
| loginPageSimilarityThreshold | int | Similarity score to trigger (0-100) |
| urlRewriteEnabled | boolean | Enable click-time URL rewriting |
| qrCodeScanningEnabled | boolean | Scan QR codes in attachments/body |

Anti-malware policy settings:

| Field | Type | Description |
|---|---|---|
| signatureScanEnabled | boolean | Known malware signature matching |
| sandboxEnabled | boolean | Dynamic analysis in sandbox |
| sandboxTimeout | int | Max sandbox analysis time in seconds |
| fileTypeBlockList | string[] | Blocked file extensions (e.g., .exe, .scr) |
| passwordProtectedArchives | string | Action for password-protected files: BLOCK, SCAN, ALLOW |

DLP policy settings:

| Field | Type | Description |
|---|---|---|
| dlpRules | object[] | List of DLP pattern rules |
| dlpRules[].pattern | string | Regex or keyword pattern |
| dlpRules[].dataType | string | SSN, credit card, custom, etc. |
| dlpRules[].threshold | int | Minimum matches to trigger |
| dlpRules[].action | string | BLOCK, NOTIFY, LOG |
| dlpRules[].notifyRecipients | string[] | Who to notify on trigger |

Tools provided by this skill:

| Tool | Description | Key Parameters |
|---|---|---|
| avanan_policies_list | List all security policies | type, enabled, scope |
| avanan_policies_get | Get detailed policy configuration | policyId |
| avanan_policies_enable | Enable a disabled policy | policyId |
| avanan_policies_disable | Disable an active policy | policyId, reason |
| avanan_policies_update | Update policy configuration | policyId, updates |
| avanan_allow_list_get | Get current allow list entries | type (sender, domain, ip) |
| avanan_allow_list_add | Add entry to allow list | type, value, reason |
| avanan_allow_list_remove | Remove entry from allow list | type, value |
| avanan_block_list_get | Get current block list entries | type (sender, domain, ip) |
| avanan_block_list_add | Add entry to block list | type, value, reason |
| avanan_block_list_remove | Remove entry from block list | type, value |

List all enabled anti-phishing policies:

```json
{
  "tool": "avanan_policies_list",
  "parameters": {
    "type": "ANTI_PHISHING",
    "enabled": true
  }
}
```

Disable a policy with a reason:

```json
{
  "tool": "avanan_policies_disable",
  "parameters": {
    "policyId": "pol-abc123",
    "reason": "Generating excessive false positives on partner domain emails"
  }
}
```

Add a sender to the allow list:

```json
{
  "tool": "avanan_allow_list_add",
  "parameters": {
    "type": "sender",
    "value": "noreply@trusted-partner.com",
    "reason": "Legitimate automated notifications from billing system"
  }
}
```
Enabling a policy:
Disabling a policy:
Adding to allow list:
Adding to block list:

API errors:

| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid policy type | Use valid type codes from reference above |
| 400 | Invalid action | Use valid action codes from reference above |
| 401 | Unauthorized | Check API credentials and token expiry |
| 403 | Insufficient permissions | API key needs policy management scope |
| 404 | Policy not found | Verify policy ID exists |
| 409 | Policy name conflict | Policy names must be unique per tenant |
| 422 | Invalid policy configuration | Check field types and required fields |
| 429 | Rate limited | Implement exponential backoff |

Policy validation errors:

| Error | Cause | Fix |
|---|---|---|
| Priority conflict | Two policies with same priority | Adjust priority values to be unique |
| Invalid scope target | User/group not found | Verify scope targets exist in directory |
| DLP pattern invalid | Regex syntax error | Validate regex pattern before saving |
| File type not recognized | Unknown extension in block list | Use standard file extensions |
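
Added example, not part of this skill or of Check Point's product code, that applies the reference tables above: it checks an `avanan_policies_update` payload against the type, action, scope, direction, severity and DLP-rule codes so the 400/422 and priority-conflict errors are caught before the tool is called, and retries on 429 with the exponential backoff the error table recommends. The `send` callable and its `(status, body)` return shape are assumptions.

```python
# Added example, not this skill's or Check Point's code. It checks an
# avanan_policies_update payload against this page's code tables so the
# 400/422 and priority-conflict errors are caught before the call, and
# retries a hypothetical send() on 429 with exponential backoff.
import re
import time

POLICY_TYPES = {"ANTI_PHISHING", "ANTI_MALWARE", "ANTI_BEC", "ANTI_SPAM", "DLP",
                "URL_REWRITE", "ATO_PROTECTION", "CUSTOM"}
ACTIONS = {"QUARANTINE", "BLOCK", "DELIVER_WARN", "JUNK", "NOTIFY", "LOG", "REWRITE"}
ENUMS = {"type": POLICY_TYPES, "action": ACTIONS,
         "scope": {"GLOBAL", "GROUP", "USER", "DOMAIN"},
         "direction": {"INBOUND", "OUTBOUND", "INTERNAL", "ALL"},
         "severity": {"CRITICAL", "HIGH", "MEDIUM", "LOW"}}
DLP_ACTIONS = {"BLOCK", "NOTIFY", "LOG"}

def validate_updates(updates, existing=()):
    """Return a list of problems (empty means OK). `existing` is the list
    returned by avanan_policies_list, used to spot a priority collision."""
    problems = []
    for field, allowed in ENUMS.items():
        if field in updates and updates[field] not in allowed:
            problems.append(f"invalid {field}: {updates[field]!r}")
    # Every scope except GLOBAL needs at least one target group/user/domain.
    if updates.get("scope") in ("GROUP", "USER", "DOMAIN") and not updates.get("scopeTargets"):
        problems.append("scopeTargets required for non-GLOBAL scope")
    prio = updates.get("priority")
    if prio is not None and (not isinstance(prio, int) or prio < 0):
        problems.append("priority must be a non-negative int")
    elif prio is not None and any(p.get("priority") == prio and
                                  p["policyId"] != updates.get("policyId") for p in existing):
        problems.append(f"priority {prio} is already used by another policy")
    for i, rule in enumerate(updates.get("dlpRules", [])):
        try:
            re.compile(rule.get("pattern", ""))  # the 'DLP pattern invalid' error, caught locally
        except re.error as exc:
            problems.append(f"dlpRules[{i}].pattern: {exc}")
        if rule.get("action") not in DLP_ACTIONS:
            problems.append(f"dlpRules[{i}].action must be one of {sorted(DLP_ACTIONS)}")
        if rule.get("threshold", 1) < 1:
            problems.append(f"dlpRules[{i}].threshold must be >= 1")
    return problems

def call_with_backoff(send, request, max_attempts=5, base_delay=0.5, sleep=time.sleep):
    """send(request) -> (status, body); on 429 wait 0.5s, 1s, 2s, ... then retry."""
    for attempt in range(max_attempts):
        status, body = send(request)
        if status != 429 or attempt == max_attempts - 1:
            return status, body
        sleep(base_delay * 2 ** attempt)
```

Run `validate_updates` on the `updates` dict before calling `avanan_policies_update`, passing the current `avanan_policies_list` result as `existing`; an empty list means the payload passes every check the reference tables allow.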