Have you got an advanced security licence? If so, go:
Security Appliance/Threat Protection/
AMP Mode=Enabled
Intrusion detection and prevention mode=Prevention
Ruleset=Security
Secuity Appliance/Content Filtering
Add: Bot Nets, Illegal, Malware Sites, Proxy Avoidance and Anonymlisers
Do the above till will gain you substantial protection - using dynamic lists rather than something manually configured.