Creating Threat Prevention Rules
Create and manage the policy for the Threat Prevention Software Blade as part of the Threat Prevention Policy.
- The page shows the rules and exceptions for the Threat Prevention policy. The rules set the Threat profiles for the network objects or locations defined as a protected scope.
Click the button to get started.
- You can configure the Threat Prevention settings in the Threat Prevention profile for the specified rule.
- To learn about bots and protections, look through the Threat Wiki.
Best Practice - Disable a rule when you work on it. Enable the rule when you want to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right-click in the column of the rule and select
Configuring IPS Profile Settings
To configure IPS settings for a Threat Prevention profile:
- In SmartConsole, select >.
- From the section, click .
The page opens.
- Right-click the profile, and click .
- From the navigation tree, click >.
- Configure the customized protections for the profile.
- From the navigation tree, click >.
- Configure the settings for newly downloaded IPS protections.
- If you are importing IPS profiles from a pre-R80 deployment:
- From the navigation tree, click >.
- Activate the applicable and protections.
- Configure the IPS protection categories to exclude from this profile.
Note - These categories are different from the protections in the page.
- Click .
- .
Updates
There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.
Best Practice - Allow IPS to activate protections based on the IPS policy in the beginning. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.
In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the > page in the navigation tree. Select one of these settings for :
- Protections are activated according to the settings in the page of the Profile. This option is selected by default
- Selected by default. Newly updated protections are in staging mode until their configuration is changed. The default action for the protections is Detect. You can change the action manually in the IPS page.
Click to exclude protections from the staging mode.
- - Newly updated protections will not be activated.
Blocking Viruses
To block viruses and malware in your organization:
- In SmartConsole, click and double-click the Security Gateway.
- In the page, select the Software Blade.
The window opens.
- Select and click .
- Close the gateway Properties window and publish the changes.
- Click >> >.
- Click .
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
- Make a rule that includes these components:
- - Give the rule a name such as .
- The list of network objects you want to protect. In this example, the network object is used.
- The Profile that contains the protection settings you want. The default profile is .
- The type of log you want to get when detecting malware on this scope. In this example, keep and also select to capture the packets of malicious activity. You will then be able to view the actual packets in .
- - Keep it as or choose specified gateways to install the rule on.
- Install the Threat Prevention policy.
Configuring Anti-Bot Settings
To configure the Anti-Bot settings for a Threat Prevention profile:
- In SmartConsole, select > .
- From the section, click .
The page opens.
- Right-click the profile, and click .
- From the navigation tree, click .
- Configure the Anti-Bot :
- - Select the UserCheck message that opens for a action
- - Select the UserCheck message that opens for an action
- Click and .
Blocking Bots
To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.
| Protected Scope | Action | Track | Install On |
|---|---|---|---|
| Any | Optimized | Log, Packet Capture | Policy Targets |
To block bots in your organization:
- In SmartConsole, click .
- Enable the Software Blade on the Gateways that protect your organization. For each Gateway:
- Double-click the Gateway object.
- In the page, select the Software Blade.
The First Time window opens.
- Select
- Click .
- Click .
You can block bots with the out-of-the-box Threat Prevention policy rule with the default Profile.
Alternatively, add a new Threat Prevention rule:
- Click .
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
- Make a rule that includes these components:
- - Give the rule a name such as .
- The list of network objects you want to protect. By default, the network object is used.
- The Profile that contains the protection settings you want. The default profile is .
- The type of log you want to get when the gateway detects malware on this scope.
- - Keep it as or select Gateways to install the rule on.
- Install the Threat Prevention policy.
The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.
To install the Threat Prevention policy:
- From the Global toolbar, click .
The window opens showing the installation targets (Security Gateways).
- Select .
- Select
- - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
- - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
- Click .
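The two installation modes above differ in how one failed target affects the others, and clusters add a third constraint. The following model is an added illustration, not Check Point code: it assumes the semantics stated in the text (independent per-gateway installation versus all-or-none per version, with a cluster installed only when every member accepts the policy) and reports which targets end up with the new policy given a constructed set of failing gateways.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Target:
    """One installation target as listed in the Install Policy window."""
    name: str
    version: str
    cluster: Optional[str] = None   # cluster name when this gateway is a cluster member


def plan_install(targets: Iterable[Target], failed: Iterable[str], mode: str) -> Set[str]:
    """Return the names of the targets on which the policy is installed.

    targets -- the selected installation targets
    failed  -- gateways on which installation fails (constructed input for the model)
    mode    -- "each": install on each selected gateway independently
               "all":  install on all targets, or on none of the same version
    """
    if mode not in ("each", "all"):
        raise ValueError(f"unknown installation mode {mode!r}")
    targets = list(targets)
    failed = set(failed)

    # Cluster constraint (both modes): the management server only pushes the
    # policy to a cluster when every member accepts it, so one failing member
    # fails the whole cluster.
    failed_clusters = {t.cluster for t in targets if t.cluster and t.name in failed}
    effective_failed = {t.name for t in targets
                        if t.name in failed or t.cluster in failed_clusters}

    if mode == "each":
        return {t.name for t in targets if t.name not in effective_failed}

    # "all": a failure on one gateway stops installation on the other targets
    # that run the same version; other versions are unaffected.
    failed_versions = {t.version for t in targets if t.name in effective_failed}
    return {t.name for t in targets if t.version not in failed_versions}


# Constructed sample: two stand-alone gateways on one version, one on another,
# and a two-member cluster.
SAMPLE_TARGETS = [
    Target("gw-a", "R80.40"),
    Target("gw-b", "R80.40"),
    Target("gw-c", "R81"),
    Target("cl-m1", "R81", cluster="cluster1"),
    Target("cl-m2", "R81", cluster="cluster1"),
]

if __name__ == "__main__":
    for mode in ("each", "all"):
        print(mode, "gw-a fails:", sorted(plan_install(SAMPLE_TARGETS, {"gw-a"}, mode)))
        print(mode, "cl-m2 fails:", sorted(plan_install(SAMPLE_TARGETS, {"cl-m2"}, mode)))
```

The second case shows the cluster rule: a single failing member removes both members, and in the all-or-none mode it also removes every other target on that version.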
Monitoring Bot Activity
Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?
In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:
| Name | Protected Scope | Action | Track | Install On |
|---|---|---|---|---|
| Monitor bot activity | Any | A profile that has these changes relative to the profile: (High\Medium\Low): | Log | Policy Targets |
To monitor all bot activity:
- In SmartConsole, select .
- Create a new profile:
- From the section, click .
The page opens.
- Right-click a profile and select .
- Give the profile a name such as .
- Edit the profile, and under , configure all confidence level settings to .
- Select the - for example, .
This profile detects protections that are identified as an attack with low, medium or high confidence and have a medium or lower performance impact.
- Create a new rule:
- Click .
- Add a rule to the Rule Base.
The first rule that matches is applied.
- Make a rule that includes these components:
- - Give the rule a name such as .
- Keep so the rule applies to all traffic in the organization.
- Right-click in this cell and select .
- Keep .
- - Keep it as or choose Gateways to install the rule on.
- Install the Threat Prevention policy.
Disabling a Protection on One Server
Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on windows servers. How can I change this protection to detect for one server only?
In this example, create this Threat Prevention rule, and install the Threat Prevention policy:
| Name | Protected Scope | Protection/Site | Action | Track | Install On |
|---|---|---|---|---|---|
| Monitor Bot Activity | Any | N/A | A profile based on the Optimized profile, with these changes: Confidence (Low/Medium/High): Prevent/Prevent/Prevent | Log | Policy Targets |
| Exclude | Server_1 | Backdoor.Win32.Agent.AH | Detect | Log | Server_1 |
To add an exception to a rule:
- In SmartConsole, click .
- Click the rule that contains the scope of Server_1.
- Click the toolbar button to add the exception to the rule. The gateway applies the first exception matched.
- Right-click the rule and select .
- Configure these settings:
- - Give the exception a name such as .
- Change it to so that it applies to all detections on the server.
- - Click in the cell. From the drop-down menu, click the category and select one or more of the items to exclude.
Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them if archive scanning is enabled.
- Keep it as .
- - Keep it as .
- - Keep it as or select specified gateways to install the rule on.
- .
Configuring Threat Emulation Settings
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:
- In SmartConsole, click and double-click the Security Gateway.
The gateway window opens and shows the page.
- From the navigation tree, click and then double-click a DMZ interface.
- In the page of the window, click .
- In the window, click and .
- Click and close the gateway window.
Do this procedure for each interface that goes to the DMZ.
If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.
Note - The MIME Nesting settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.
To configure Threat Emulation settings for a Threat Prevention profile:
- In SmartConsole, select .
- From the section, click .
The page opens.
- Right-click the profile, and click .
- From the navigation tree, click .
- Select the Threat Emulation options:
- - Select the UserCheck message that opens for a action
- - Select the UserCheck message that opens for an action
- In the section, select an interface type and traffic direction option:
- Select the applicable to be emulated.
- In the section, select an interface type and traffic direction option:
- Optional: Configure how Threat Emulation does emulation for SMTP traffic.
- Click .
The window opens.
- Configure the settings.
- - For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.
- - If there are more nested levels of MIME content than the configured amount, select to or the email file.
- Select the to be emulated.
- Click and close the Threat Prevention profile window.
- Install the Threat Prevention policy.
Selecting the Threat Emulation Action
What are the available emulation actions that I can use with a Threat Emulation profile?
- Prevent - Files do not go to the destination computer until emulation is completed. If Threat Emulation discovers that a file contains malware, the malicious file does not enter the internal network. Users can notice a delay when downloading a file, because they cannot download and open the file until the emulation is complete.
- Detect - The file is sent to the destination and to Threat Emulation. If Threat Emulation discovers that a file contains malware, the appropriate log action is done. Users receive all files without delay.
- Note - To estimate the system requirements and amount of file emulations for a network, go to sk93598.
Configuring the Virtual Environment (Profile)
You can use the window to configure the emulation location and images that are used for this profile.
The section lets you select where the emulation is done.
- - Files are sent to the Check Point ThreatCloud for emulation. The emulation in the ThreatCloud is identical to a local emulation but it does not use CPU, RAM, and disk space on a local appliance. When you configure ThreatCloud emulation, a secure SSL connection is created between the company's Security Gateway and the ThreatCloud. Files are sent to the ThreatCloud over this secure connection for emulation. The results are sent back to the Security Gateway and the applicable action is done to the file.
- - The Emulation appliance that does the emulation and file analysis. Threat Emulation uses the CPU, RAM and disk space of the appliance to do the emulation.
- - Enable Threat Emulation on a Security Gateway and select the Emulation appliance that does the emulation.
The section lets you select the operating system images on which the emulation is run. If the images defined in the profile and the Security Gateway or Emulation appliance are different, the profile settings are used.
These are the options to select the emulation images:
- Check Point automatically updates images and adds new ones.
- Select the images that are closest to the operating systems for the computers in your organization.
To configure the virtual environment settings for the profile:
- From the Threat Prevention profile navigation tree, select > .
The page opens.
- Set the setting:
- To use the Security Gateway settings for the location of the virtual environment, click
- To configure the profile to use a different location of the virtual environment, click and select the applicable option
- Set the setting:
- To use the emulation environments recommended by Check Point security analysts, click
- To select one or more images that are used for emulation, click
- Click and close the Threat Prevention profile window.
- Install the Threat Prevention policy.
Excluding Emails
You can enter email addresses that are not included in Threat Emulation protection. SMTP traffic that is sent to or from these addresses is not sent for emulation.
Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to .
To exclude emails from Threat Emulation:
- From the Threat Prevention profile navigation tree, select > .
- In the section, you can click the Add button and enter one or more emails.
Emails and attachments that are sent to these addresses will not be sent for emulation.
- In the section, you can click the Add button and enter one or more emails.
Emails and attachments that are received from these addresses will not be sent for emulation.
Note - You can also use a wildcard character to exclude more than one email address from a domain.
- Click and close the Threat Prevention profile window.
- Install the Threat Prevention policy.
Preparing for Local or Remote Emulation
Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.
- Open SmartConsole.
- Create the network object for the Emulation appliance.
- If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection.
- Make sure that the traffic is sent to the appliance according to the deployment:
- Local Emulation - The Emulation appliance receives the traffic. The appliance can be configured for traffic the same as a Security Gateway.
- Remote Emulation - The traffic is routed to the Emulation appliance.
Using Local or Remote Emulation
This section is for deployments that use an Emulation appliance and run emulation in the internal network.
Note - Prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.
To enable an Emulation appliance for Local and Remote emulation:
- In SmartConsole, go to and double-click the Emulation appliance.
The window opens.
- From the tab, select .
The opens and shows the page.
- Select .
- Click .
The page opens.
- Click to enable Threat Emulation on the Emulation appliance and close the First Time Configuration Wizard.
- Click .
The window closes.
- For Local emulation, install the Threat Prevention policy on the Emulation appliance.
To enable Threat Emulation on the Security Gateway for Remote emulation:
- In SmartConsole, go to and double-click the Security Gateway.
The window opens.
- From the tab, select .
The opens and shows the page.
- Configure the Security Gateway for Remote Emulation:
- Select .
- From the drop-down menu, select the Emulation appliance.
- Click .
The page opens.
- Click to enable Threat Emulation on the Security Gateway and close the First Time Configuration Wizard.
- Click .
The window closes.
- Install the Threat Prevention policy on the Security Gateway and the Emulation appliance.
Configuring Threat Extraction Settings
To configure Threat Extraction settings for a Threat Prevention profile:
- In the view > section, click .
- Right-click a profile and select .
The properties window opens.
- On the page in the area, select .
- Configure these Threat Extraction Settings:
- Click .
Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.
Configuring Threat Extraction on the Security Gateway
- In the view, open the > page.
- Set the to .
- In the section, configure the resource settings.
- Click .
- .
Configuring a Malware DNS Trap
The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway's external IP address as the DNS trap address, but:
- Do not use a gateway address that leads to the internal network
- Do not use the gateway internal management address
- If the gateway external IP address is also the management address, select a different address for the DNS trap.
You can also add internal DNS servers to better identify the origin of malicious DNS requests.
Using the Malware DNS Trap you can detect compromised clients by checking logs with connection attempts to the false IP address.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
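The trap gives a defender two things: an address that must be chosen safely, and a clear compromise signal (an internal host connecting to that address). The example below is added here and is not Check Point code. It checks a candidate trap address against the constraints listed above, then triages constructed gateway log lines for clients that reached the trap address. The key=value log layout, the field names and the private-range list are assumptions for the illustration; real log formats differ.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed internal address space; replace with the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def validate_trap_address(trap_ip: str, mgmt_ip: str) -> Tuple[bool, str]:
    """Reject trap addresses the text says not to use: one that leads into the
    internal network, and the gateway's management address."""
    ip = ipaddress.ip_address(trap_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return False, "trap address leads into the internal network"
    if ip == ipaddress.ip_address(mgmt_ip):
        return False, "trap address equals the gateway management address"
    return True, "ok"


# Constructed sample logs. 10.1.2.5 is an internal DNS server: the DNS lines
# show it as the source, not the client that asked, while the connection
# attempts to the trap address reveal the real clients.
SAMPLE_LOGS = """\
time=09:01:02 product="Anti-Bot" action=Prevent src=10.1.2.5 dst=1.2.3.4 dns_query=bad.example
time=09:01:03 product="Firewall" action=Drop src=10.1.2.55 dst=198.51.100.7 dport=443
time=09:01:09 product="Anti-Bot" action=Prevent src=10.1.2.5 dst=1.2.3.4 dns_query=c2.example
time=09:01:10 product="Firewall" action=Drop src=10.1.2.77 dst=198.51.100.7 dport=80
time=09:01:15 product="Firewall" action=Accept src=10.1.2.99 dst=203.0.113.9 dport=443
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping quotes around values."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def find_trap_clients(log_text: str, trap_ip: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each source host that connected to the trap address to its
    (time, destination port) attempts. These hosts are the compromise candidates."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dst") == trap_ip:
            hits[rec["src"]].append((rec.get("time", ""), rec.get("dport", "")))
    return dict(hits)


if __name__ == "__main__":
    print(validate_trap_address("198.51.100.7", "203.0.113.1"))
    for host, attempts in find_trap_clients(SAMPLE_LOGS, "198.51.100.7").items():
        print(host, attempts)
```

Without the trap, the two Anti-Bot lines would point only at the DNS server 10.1.2.5; the connection attempts to 198.51.100.7 are what identify 10.1.2.55 and 10.1.2.77 as the hosts to investigate.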
To set the Malware DNS Trap parameters for the profile:
- In SmartConsole, select .
- From the section, click .
The page opens.
- Right-click the profile, and click .
- From the navigation tree, click .
- Click .
- Enter the address for the DNS trap.
- Optional: Add to identify the origin of malicious DNS requests.
- Click and close the Threat Prevention profile window.
- Install the Threat Prevention policy.
To set the Malware DNS Trap parameters for a gateway:
- In SmartConsole, click and double-click the Security Gateway.
The gateway window opens and shows the page.
- From the navigation tree, select .
- In the section, select one of these options:
- - Use the Malware DNS Trap IP address configured for each profile.
- - Enter an IP address to be used in all the profiles assigned to this Security Gateway.
- Click .
- Install the policy.
Exception Rules
If necessary, you can add an directly to a rule. The object in the column can have a different from the specified Threat Prevention rule. Here are some examples of exception rules:
- A profile that only detects protections. You can set one or more of the protections for a user to .
- The Research and Development (R&D) network protections are included in a profile with the action. You can set that network to .
You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.
You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.
You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the . column.
To add an exception to a rule:
- In the pane, select the rule to which you want to add an exception.
- Click
- Select the , , or option according to where you want to place the exception.
- Enter values for the columns, including these:
- Change it to reflect the relevant objects.
- - Click the plus sign in the cell to open the Protections viewer. Select the protection(s) and click .
- .
Note - You cannot set an exception rule to an inactive protection or an inactive blade.
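The matching order described in this section and in the "Disabling a Protection on One Server" scenario above (first matching rule wins, first matching exception within it overrides the profile action, exceptions numbered E-1.1, E-1.2, and no exception on an inactive protection) is easy to get wrong when designing a rule base. The following model is an added illustration, not Check Point's implementation: it builds the Server_1 scenario from the text (a profile that prevents at every confidence level, plus an exception that changes Backdoor.Win32.Agent.AH to Detect for Server_1 only) and evaluates detections against it. The profile name, the host names other than Server_1, the list of active protections and the return value for an unmatched host are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Profile:
    name: str
    # action per confidence level, mirroring the profile's Confidence settings
    action_by_confidence: Dict[str, str]


@dataclass
class ThreatException:
    name: str
    protected_scope: Set[str]      # host names, or {"Any"}
    protection: Optional[str]      # None: the exception covers every protection
    action: str


@dataclass
class Rule:
    name: str
    protected_scope: Set[str]
    profile: Profile
    enabled: bool = True
    exceptions: List[ThreatException] = field(default_factory=list)


# Constructed list of active protections; the Note above says an exception
# cannot reference an inactive protection.
ACTIVE_PROTECTIONS = {"Backdoor.Win32.Agent.AH", "Trojan.Win32.Generic"}


def in_scope(scope: Set[str], host: str) -> bool:
    return "Any" in scope or host in scope


class RuleBase:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> int:
        self.rules.append(rule)
        return len(self.rules)                  # the number shown in the No. column

    def add_exception(self, rule_number: int, exc: ThreatException) -> str:
        """Attach an exception below a rule and return its label (E-<rule>.<n>)."""
        if exc.protection is not None and exc.protection not in ACTIVE_PROTECTIONS:
            raise ValueError(f"{exc.protection} is not an active protection")
        rule = self.rules[rule_number - 1]
        rule.exceptions.append(exc)
        return f"E-{rule_number}.{len(rule.exceptions)}"

    def decide(self, host: str, protection: str, confidence: str) -> Tuple[Optional[str], str]:
        """Return (action, what matched). The first matching enabled rule wins;
        within it, the first matching exception overrides the profile action."""
        for number, rule in enumerate(self.rules, start=1):
            if not rule.enabled or not in_scope(rule.protected_scope, host):
                continue
            for idx, exc in enumerate(rule.exceptions, start=1):
                if in_scope(exc.protected_scope, host) and exc.protection in (None, protection):
                    return exc.action, f"E-{number}.{idx}"
            return rule.profile.action_by_confidence[confidence], f"rule {number}"
        return None, "no matching rule"   # assumption: unmatched traffic is not inspected


def build_scenario() -> RuleBase:
    """The rule base from the 'Disabling a Protection on One Server' scenario."""
    rb = RuleBase()
    prevent_all = Profile("Optimized_Prevent_All",   # constructed profile name
                          {"Low": "Prevent", "Medium": "Prevent", "High": "Prevent"})
    number = rb.add_rule(Rule("Monitor Bot Activity", {"Any"}, prevent_all))
    rb.add_exception(number, ThreatException(
        "Exclude", {"Server_1"}, "Backdoor.Win32.Agent.AH", "Detect"))
    return rb


if __name__ == "__main__":
    rb = build_scenario()
    for host, prot in [("Server_1", "Backdoor.Win32.Agent.AH"),
                       ("Server_2", "Backdoor.Win32.Agent.AH"),
                       ("Server_1", "Trojan.Win32.Generic")]:
        print(host, prot, rb.decide(host, prot, "High"))
```

Only the combination of Server_1 and Backdoor.Win32.Agent.AH reaches the exception; the same protection on another host, or another protection on Server_1, still falls through to the profile's Prevent action, which is the intended narrowness of the exception.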
Blade Exceptions
You can also configure an exception for an entire blade.
To configure a blade exception:
- In the select the Layer rule to which you want to add an exception.
- Click .
- Select the , , or option according to where you want to place the exception.
- In the column, select from the drop-down menu.
- Select the blade you want to exclude.
- .