Configuring Threat Prevention Blade Control

In the Threat Prevention > Threat Prevention Blade Control page, move the sliders to activate:

  • Intrusion Prevention System (IPS). Blocks potentially malicious attempts to exploit known vulnerabilities in files and network protocols.

  • Anti-Virus. Blocks files that are infected with viruses or other known malware.

  • Anti-Bot & DNS Security. Detects bots, prevents communication between a bot and its Command & Control (C2) server, provides advanced DNS security, and gives threat visibility. A bot is malicious software that runs on an infected device and takes instructions from a C2 server, which can then use the device in different types of attacks (for example, sending spam or taking part in a Distributed Denial-of-Service (DDoS) attack against web sites). Infection typically occurs when a user opens an attachment that exploits a vulnerability or visits a web site that results in a malicious download.

  • Threat Emulation. Protects the network against unknown threats in files that are downloaded from the Internet or attached to emails. In emulation, the file is opened on more than one virtual computer, each with a different operating system environment, and these virtual computers are closely monitored for unusual and malicious behavior. Any malicious behavior is immediately logged, and you can use Prevent mode (the UserCheck rule action that blocks traffic and files and can show a UserCheck message) to stop the file from entering the internal network. Information about malicious files is shared with Check Point ThreatCloud.

  • Zero Phishing. Checks the domain the user attempts to connect to and sends the URL to Check Point ThreatCloud to determine whether it is malicious. If it is a phishing site, access is blocked.

You configure all the settings for these blades in the same place, and a single profile applies to all of them.

Enabling Threat Emulation Policy for the FTP Protocol

Note - When the blade is managed by Cloud Services, a lock icon appears. You cannot toggle between the "ON" and "OFF" states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

The update status is displayed next to each blade:

  • Up to date

  • Update available

  • Update service unreachable

You can set the blades to prevent attacks and infections, or to detect only, on the Threat Prevention Engine Settings page.

A warning message shows if a blade is configured in Detect-only mode (the UserCheck rule action that allows traffic and files to enter the internal network and only logs them).

The top of the page shows the number of infected devices. For more information, click More details.

One policy is configured for all the blades:

Configuring a Custom Policy for Threat Prevention

  1. In the Threat Prevention Blade Control page, under Policy, select Custom.

  2. For Tracking options, select one of these options:

    • None – Do not log.

    • Log – Create a log.

    • Alert – Log with an alert.

  3. In the Protection Activation section, for each confidence level (High confidence, Medium confidence, and Low confidence), select the applicable action from the list:

    • Ask - Traffic is blocked until the user confirms it is allowed.

    • Prevent - Blocks identified virus or bot traffic, or identified malicious files, from passing through the gateway.

    • Detect - Allows identified virus or bot traffic, or identified malicious files, to pass through the gateway. This traffic is detected and logged.

    • Inactive - The protection is deactivated.

  4. For Severity, select the level:

    • Low or above

    • Medium or above

    • High or above

    • Critical

  5. For Performance impact, select the allowed impact level:

    • Low

    • Medium or lower

    • High or lower

  6. To load one of the predefined policies instead of custom values, click Load default settings and select:

    • Recommended

    • Strict

  7. To save all settings on the Threat Prevention Blade Control page, click Save.
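The procedure above sets three knobs that are evaluated together: the action per confidence level, a severity threshold, and a performance-impact threshold. The following Python model shows how a protection is resolved to Ask, Prevent, Detect or Inactive under such a policy, and how to check for the Detect-only condition the page warns about. It is an added example, not Check Point code, and it assumes (this is not stated on the page) that Severity and Performance impact act as activation filters: a protection below the severity threshold or above the impact threshold is Inactive regardless of its confidence level. The protection names, the sample policy and the `evaluate` helper are constructed for the example.

```python
"""Model of how a Custom Threat Prevention policy resolves to an action.

Added example, not Check Point code. Assumption: Severity and Performance
impact are activation filters; the confidence table then picks the action.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
IMPACT_RANK = {"Low": 0, "Medium": 1, "High": 2}
CONFIDENCE_LEVELS = ("Low", "Medium", "High")
ACTIONS = ("Ask", "Prevent", "Detect", "Inactive")
TRACKING_OPTIONS = ("None", "Log", "Alert")


@dataclass(frozen=True)
class Protection:
    """One protection as the page describes it: confidence, severity, impact."""
    name: str
    confidence: str
    severity: str
    performance_impact: str


@dataclass(frozen=True)
class CustomPolicy:
    """The settings chosen in the Custom policy procedure."""
    action_by_confidence: dict    # {"High": "Prevent", "Medium": "Detect", "Low": "Inactive"}
    min_severity: str             # "Low" means "Low or above"; "Critical" means Critical only
    max_performance_impact: str   # "Medium" means "Medium or lower"
    tracking: str = "Log"

    def __post_init__(self):
        # Reject a policy the UI would not let you save.
        if set(self.action_by_confidence) != set(CONFIDENCE_LEVELS):
            raise ValueError("an action is required for every confidence level")
        bad = [a for a in self.action_by_confidence.values() if a not in ACTIONS]
        if bad:
            raise ValueError(f"unknown action(s): {bad}")
        if self.min_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {self.min_severity}")
        if self.max_performance_impact not in IMPACT_RANK:
            raise ValueError(f"unknown performance impact: {self.max_performance_impact}")
        if self.tracking not in TRACKING_OPTIONS:
            raise ValueError(f"unknown tracking option: {self.tracking}")

    def action_for(self, p: Protection) -> str:
        # Assumption: protections outside the severity or impact range are
        # Inactive no matter what the confidence table says.
        if SEVERITY_RANK[p.severity] < SEVERITY_RANK[self.min_severity]:
            return "Inactive"
        if IMPACT_RANK[p.performance_impact] > IMPACT_RANK[self.max_performance_impact]:
            return "Inactive"
        return self.action_by_confidence[p.confidence]

    def is_detect_only(self) -> bool:
        """True when no confidence level can block anything (no Prevent or Ask).
        This is the condition the Blade Control page warns about."""
        return not any(a in ("Prevent", "Ask") for a in self.action_by_confidence.values())


def evaluate(policy: CustomPolicy, protections) -> dict:
    """Map each protection name to the action the policy would take on it."""
    return {p.name: policy.action_for(p) for p in protections}


# Constructed sample protections; the names are invented for this example.
SAMPLE_PROTECTIONS = (
    Protection("smb-known-exploit", "High", "Critical", "Low"),
    Protection("http-suspicious-header", "Medium", "Medium", "Medium"),
    Protection("dns-tunnel-heuristic", "Low", "High", "High"),
    Protection("ftp-noisy-scanner", "Medium", "Low", "Low"),
)

# A constructed lab policy; these are not the Recommended or Strict defaults.
LAB_POLICY = CustomPolicy(
    action_by_confidence={"High": "Prevent", "Medium": "Detect", "Low": "Inactive"},
    min_severity="Medium",
    max_performance_impact="Medium",
    tracking="Log",
)

if __name__ == "__main__":
    for name, action in evaluate(LAB_POLICY, SAMPLE_PROTECTIONS).items():
        print(f"{name:26s} -> {action}")
    if LAB_POLICY.is_detect_only():
        print("warning: policy is Detect-only; nothing will be blocked")
```

Running it with the lab policy shows the two filters at work: `dns-tunnel-heuristic` is switched off by the "Medium or lower" performance-impact setting even though its severity is High, and `ftp-noisy-scanner` is switched off by the "Medium or above" severity setting even though it would otherwise be detected. Swap every Prevent for Detect and `is_detect_only()` reports the condition that triggers the warning on the page.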

Scheduling Threat Prevention Updates

  1. Click Schedule updates.

    The Activate Automatic Updates window opens.

  2. Select the Software Blades to receive automatic updates:

    • IPS

    • Anti-Virus

    • Anti-Bot & DNS Security

    • Application Control

  3. Select the Recurrence and Time of day.

  4. Click Save.