Threat Emulation - General

What can I do here?

Use this window to configure general Threat Emulation settings.

Getting Here

Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Threat Emulation - General

Configuring Threat Emulation Settings

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management and then double-click a DMZ interface.
  3. In the General page of the Interface window, click Modify.
  4. In the Topology Settings window, click Override and Interface leads to DMZ.
  5. Click OK and close the gateway window.

Do this procedure for each interface that goes to the DMZ.

If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.

Note - The MIME Nesting settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.

To configure Threat Emulation settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Threat Emulation > General.
  5. Select the Threat Emulation UserCheck Settings options:
    • Prevent - Select the UserCheck message that opens for a Prevent action
    • Ask - Select the UserCheck message that opens for an Ask action
  6. In the Protected Scope section, select an interface type and traffic direction option:
  7. Select the applicable Protocols to be emulated.
  8. In the Protected Scope section, select an interface type and traffic direction option:
    • Inspect incoming files from:

      Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

      • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
      • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
      • All - Inspect all incoming files from all interface types.
    • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
  9. Optional: Configure how Threat Emulation does emulation for SMTP traffic.
    1. Click Configure.

      The Threat Prevention Mail Configuration window opens.

    2. Configure the MIME Nesting settings.
      • Maximum MIME nesting is X levels - For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.
      • When nesting level is exceeded block/allow file - If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.
  10. Select the File Types to be emulated.
  11. Click OK and close the Threat Prevention profile window.
  12. Install the Threat Prevention policy.
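
To show what the MIME Nesting limit in step 9 measures, the following Python sketch counts the container layers in an email and applies the block/allow choice when the configured maximum is exceeded. It is an added example, not Check Point code: the counting rule, the function names and the sample messages are assumptions constructed for illustration, and the ThreatSpect engine may count levels differently.

```python
# Added illustration of a MIME nesting limit; not Check Point code.
from email import message_from_bytes, policy
from email.message import EmailMessage, Message


def mime_depth(part: Message) -> int:
    """Count container layers (multipart/* or message/rfc822) above the
    deepest leaf part. A single-part mail has depth 0.
    Assumption: this counting rule is ours, chosen for the example."""
    if not part.is_multipart():
        return 0
    return 1 + max((mime_depth(c) for c in part.get_payload()), default=0)


def nesting_verdict(raw: bytes, max_levels: int, on_exceed: str = "block"):
    """Return (depth, action). The action is 'scan' while the depth is within
    the limit, otherwise the configured 'block' or 'allow' choice."""
    if on_exceed not in ("block", "allow"):
        raise ValueError("on_exceed must be 'block' or 'allow'")
    depth = mime_depth(message_from_bytes(raw, policy=policy.default))
    return depth, ("scan" if depth <= max_levels else on_exceed)


def build_nested(wraps: int) -> bytes:
    """Constructed sample: a text mail forwarded as an attachment `wraps`
    times. Each wrap adds a multipart/mixed and a message/rfc822 layer."""
    msg = EmailMessage()
    msg["Subject"] = "leaf"
    msg.set_content("constructed sample body")
    for i in range(wraps):
        outer = EmailMessage()
        outer["Subject"] = f"wrapper {i + 1}"
        outer.set_content("see attached message")
        outer.add_attachment(msg)  # attached as message/rfc822
        msg = outer
    return msg.as_bytes()


if __name__ == "__main__":
    # Hypothetical limit of 4 levels, with "block" chosen for over-limit mail.
    for wraps in range(4):
        depth, action = nesting_verdict(build_nested(wraps), max_levels=4)
        print(f"wraps={wraps} depth={depth} action={action}")
```

With the Allow option, a message nested deeper than the limit is delivered without its deeper layers having been scanned, which is the trade-off the block/allow setting controls.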