Out-of-the-Box Protection from Threats

In This Section: Getting Quickly Up and Running with the Threat Prevention Policy Enabling the Threat Prevention Software Blades Installing the Threat Prevention Policy Introducing Profiles Optimized Protection Profile Settings Predefined Rule

Getting Quickly Up and Running with the Threat Prevention Policy

You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.

To get quickly up and running with Threat Prevention:

1. Enable the Threat Prevention blades on the gateway.
2. Install Policy.

After you enable the blades and install the policy, this rule is generated:

Name	Protected Scope	Action	Track	Install On
Out-of-the-box Threat Prevention policy	*Any	Optimized	Log Packet Capture	*Policy Targets

Notes:

• The Optimized profile is installed by default.
• The Protection/Site column is used only for protection exceptions.

Enabling the Threat Prevention Software Blades

Enabling the IPS Software Blade

Enable the IPS Software Blade on the Security Gateway.

To enable the IPS Software Blade:

1. In the Gateways & Servers view, double-click the gateway object.

   The General Properties window opens.

2. In the General Properties > Network Security tab, click IPS.
3. Follow the steps in the wizard that opens.
4. Click OK.
5. Click OK in the General Properties window.
6. Install Policy.

Enabling the Anti-Bot Software Blade

To enable the Anti-Bot Software Blade on a Security Gateway:

1. In the Gateways & Servers view, double-click the gateway object.

   The General Properties window of the gateway opens.

2. From the Network Security tab, select Anti-Bot.

   The Anti-Bot and Anti-Virus First Time Activation window opens.

3. Select an activation mode option:
   • According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Software Blade and use the Anti-Bot settings of the Threat Prevention profile in the Threat Prevention policy.
   • Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
4. Click OK.
5. Install Policy.

Enabling the Anti-Virus Software Blade

Enable the Anti-Virus Software Blade on a Security Gateway.

To enable the Anti-Virus Software Blade:

1. In the Gateways & Servers view, double-click the gateway object.

   The General Properties window of the gateway opens.

2. From the Network Security tab, click Anti-Bot.

   The Anti-Bot and Anti-Virus First Time Activation window opens.

3. Select one of the activation mode options:
   • According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Virus Software Blade and use the Anti-Virus settings of the Threat Prevention profile in the Threat Prevention policy.
   • Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
4. Click OK
5. Install Policy.

Enabling SandBlast Threat Emulation Software Blade

Use the First Time Configuration Wizard in SmartConsole to enable Threat Emulation in the network. Configure the Security Gateway or Emulation appliance for your deployment.

Using Cloud Emulation

Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

Best Practice - For ThreatCloud emulation, it is necessary that the Security Gateway connects to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.

To enable ThreatCloud emulation:

1. In the Gateways & Servers view, double-click the Security Gateway object.

   The Gateway Properties window opens.

2. From the Network Security tab, select Threat Emulation.

   The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

3. Select ThreatCloud Emulation Service.
4. Click Next.

   The Summary page opens.

5. Click Finish to enable Threat Emulation and close the First Time Configuration Wizard.
6. Click OK.

   The Gateway Properties window closes.

7. Install Policy.

Sample Workflow - Creating a Threat Emulation Profile

This is a sample workflow to create a Threat Prevention profile that includes Threat Emulation.

To create a Threat Prevention profile for Threat Emulation:

1. In SmartConsole, select Security Policies > Threat Prevention.
2. From the Threat Tools section, click Profiles.

   The Profiles page opens.

3. Click New.
4. Enter the Name for the Threat Prevention profile.
5. In Blades Activation, select the Threat Prevention Software Blades.
6. Configure the Activation Mode settings for the traffic.
7. From the Threat Emulation Settings page, set the Prevent and Ask UserCheck settings.
8. From the navigation tree, click Threat Emulation > General.
9. Configure the Threat Emulation Protected Scope for this profile, and define how traffic from external and internal networks is sent for emulation.
10. Select one or more Protocols for this profile.

    The Software Blade runs emulation only for files and traffic that match the selected protocols.

11. Configure the File Types for this profile.

    The Software Blade runs emulation only for files that match the selected file types.

12. Click OK and install Policy.

Enabling the SandBlast Threat Extraction Blade

To enable the Threat Extraction Blade:

1. In the Gateways & Servers view, right-click the gateway object and select Edit.

   The Gateway Properties window opens.

2. On the General Properties > Network Security tab, select Threat Extraction.

   The Threat Extraction First Time Activation Wizard opens.

3. Enable the gateway as a Mail Transfer Agent (MTA).

   From the drop-down box, select a mail server for forwarded emails.

4. Click Next.
5. Click Finish.

   Note: In a ClusterXL HA environment, do this once for the cluster object.

Configuring LDAP

If you use LDAP for user authentication, you must activate User Directory for Security Gateways.

To activate User Directory:

1. Open SmartConsole > Global Properties.
2. On the User Directory page, select Use User Directory for Security Gateways.
3. Click OK.

Installing the Threat Prevention Policy

The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

To install the Threat Prevention policy:

1. From the Global toolbar, click Install Policy.

   The Install Policy window opens showing the installation targets (Security Gateways).

2. Select Threat Prevention.
3. Select Install Mode:
   • Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.

     If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.

   • Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
4. Click OK.

Introducing Profiles

Check Point Threat Prevention provides instant protection based on pre-defined Threat Prevention Profiles. You can also configure a custom Threat Prevention profile to give the exact level of protection that the organization needs.

When you install a Threat Prevention policy on the Security Gateways, they immediately begin to enforce IPS protection on network traffic.

A Threat Prevention profile determines which protections are activated, and which Software Blades are enabled for the specified rule or policy. The protections that the profile activates depend on the:

• Performance impact of the protection.
• Severity of the threat.
• Confidence that a protection can correctly identify an attack.
• Settings that are specific to the Software Blade.

A Threat Prevention profile applies to one or more of the Threat Prevention Software Blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction.

A profile is a set of configurations based on:

• Activation settings (prevent, detect, or inactive) for each confidence level of protections that the ThreatSpect engine analyzes
• IPS Settings
• Anti-Bot Settings
• Anti-Virus Settings
• Threat Emulation Settings
• Threat Extraction Settings
• Indicator configuration
• Malware DNS Trap configuration
• Links inside mail configuration

Without profiles, it would be necessary to configure separate rules for different activation settings and confidence levels. With profiles, you get customization and efficiency.

SmartConsole includes these default Threat Prevention profiles:

• Optimized - Provides excellent protection for common network products and protocols against recent or popular attacks
• Strict - Provides a wide coverage for all products and protocols, with impact on network performance
• Basic - Provides reliable protection on a range of non-HTTP protocols for servers, with minimal impact on network performance

Optimized Protection Profile Settings

The Optimized profile is activated by default, because it gives excellent security with good gateway performance.

These are the goals of the Optimized profile, and the settings that achieve those goals:

Goal	Parameter	Setting
Apply settings to all the Threat Prevention Software Blades	Blades Activation	Activate the profile for IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction.
Do not have a critical effect on performance	Performance impact	Activate protections that have a Medium or lower effect on performance.
Protect against important threats	Severity	Protect against threats with a severity of Medium or above.
Reduce false-positives	Confidence	Set to Prevent the protections with an attack confidence of Medium or High. Set to Detect the protections with a confidence of Low.

Predefined Rule

When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection, (the protected scope value equals any) is inspected for all protections according to the Optimized profile. By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.

The result of this rule (according to the Optimized profile) is that:

• When an attack meets the below criteria, the protections are set to Prevent mode:
  • Confidence Level - Medium or above
  • Performance Impact - Medium or above
  • Severity - Medium or above
• When an attack meets the below criteria, the protections are set to Detect mode:
  • Confidence Level - Low
  • Performance Impact - Medium or above
  • Severity - Medium or above

Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.

You can add more exceptions that prevent or detect specified protections or have different tracking settings.