You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.
To get up and running quickly with Threat Prevention:
After you enable the blades and install the policy, this rule is generated:
| Name | Protected Scope | Action | Track | Install On |
|---|---|---|---|---|
| Out-of-the-box Threat Prevention policy | Any | Optimized | Log | All Security Gateways that use a Threat Prevention Software Blade |
Notes:
Enable the IPS Software Blade on the Security Gateway.
To enable the IPS Software Blade:
The General Properties window opens.
To enable the Anti-Bot Software Blade on a Security Gateway:
The General Properties window of the gateway opens.
The Anti-Bot and Anti-Virus First Time Activation window opens.
Enable the Anti-Virus Software Blade on a Security Gateway.
To enable the Anti-Virus Software Blade:
The General Properties window of the gateway opens.
The Anti-Bot and Anti-Virus First Time Activation window opens.
Use the First Time Configuration Wizard in SmartConsole to enable Threat Emulation in the network. Configure the Security Gateway or Emulation appliance for your deployment.
Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space on the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.
Best Practice - For ThreatCloud emulation, the Security Gateway must be able to connect to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.
To enable ThreatCloud emulation:
The Gateway Properties window opens.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
The Summary page opens.
The Gateway Properties window closes.
This is a sample workflow to create a Threat Prevention profile that includes Threat Emulation.
To create a Threat Prevention profile for Threat Emulation:
The Profiles page opens.
The Software Blade runs emulation only for files and traffic that match the selected protocols.
The Software Blade runs emulation only for files that match the selected file types.
To enable the Threat Extraction Blade:
The Gateway Properties window opens.
The Threat Extraction First Time Activation Wizard opens.
From the drop-down box, select a mail server for forwarded emails.
Note: In a ClusterXL HA environment, do this once for the cluster object.
Configuring LDAP
If you use LDAP for user authentication, you must activate User Directory for Security Gateways.
To activate User Directory:
The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.
To install the Threat Prevention policy:
The Install Policy window opens showing the installation targets (Security Gateways).
If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
Check Point Threat Prevention provides instant protection based on pre-defined Threat Prevention Profiles. You can also configure a custom Threat Prevention profile to give the exact level of protection that the organization needs.
When you install a Threat Prevention policy on the Security Gateways, they immediately begin to enforce IPS protection on network traffic.
A Threat Prevention profile determines which protections are activated, and which Software Blades are enabled for the specified rule or policy. The protections that the profile activates depend on the:
A Threat Prevention profile applies to one or more of the Threat Prevention Software Blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction.
A profile is a set of configurations based on:
Without profiles, it would be necessary to configure separate rules for different activation settings and confidence levels. With profiles, you get customization and efficiency.
SmartConsole includes these default Threat Prevention profiles:
The Optimized profile is activated by default, because it gives excellent security with good gateway performance.
These are the goals of the Optimized profile, and the settings that achieve those goals:
| Goal | Parameter | Setting |
|---|---|---|
| Apply settings to all the Threat Prevention Software Blades | Blades Activation | Activate the profile for IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. |
| Do not have a critical effect on performance | Performance impact | Activate protections that have a Medium or lower effect on performance. |
| Protect against important threats | Severity | Protect against threats with a severity of Medium or above. |
| Reduce false-positives | Confidence | Set to Prevent the protections with an attack confidence of Medium or High. Set to Detect the protections with a confidence of Low. |
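The following added example (not Check Point's own code or API) models how the Optimized profile's three thresholds combine to give each protection an action, so you can see which criterion takes a protection out of enforcement. The level ordering (Very Low through Critical) and the sample protection records are assumptions constructed for illustration, not real protection names.

```python
# Added example: how the Optimized profile's thresholds (performance impact,
# severity, confidence) decide the action for a protection.
# The level ordering below is an assumption for illustration.
LEVELS = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Optimized profile thresholds, as stated in the table above.
MAX_PERFORMANCE_IMPACT = "Medium"  # activate protections with Medium or lower impact
MIN_SEVERITY = "Medium"            # protect against Medium or higher severity
PREVENT_CONFIDENCE = "Medium"      # Medium/High confidence -> Prevent, Low -> Detect


def optimized_action(protection):
    """Return 'Prevent', 'Detect' or 'Inactive' for one protection record.

    protection is a dict with keys: name, performance_impact, severity, confidence.
    """
    impact = LEVELS[protection["performance_impact"]]
    severity = LEVELS[protection["severity"]]
    confidence = LEVELS[protection["confidence"]]

    # Too costly for the gateway: the profile leaves the protection inactive.
    if impact > LEVELS[MAX_PERFORMANCE_IMPACT]:
        return "Inactive"
    # Not severe enough to matter: also inactive.
    if severity < LEVELS[MIN_SEVERITY]:
        return "Inactive"
    # Active: the attack confidence decides between blocking and logging only.
    if confidence >= LEVELS[PREVENT_CONFIDENCE]:
        return "Prevent"
    return "Detect"


def summarize(protections):
    """Map each protection name to the action the Optimized profile gives it."""
    return {p["name"]: optimized_action(p) for p in protections}


# Constructed sample protection metadata (hypothetical names and attributes).
SAMPLE_PROTECTIONS = [
    {"name": "sample-a", "performance_impact": "Low", "severity": "High", "confidence": "High"},
    {"name": "sample-b", "performance_impact": "Medium", "severity": "Medium", "confidence": "Low"},
    {"name": "sample-c", "performance_impact": "Critical", "severity": "Critical", "confidence": "High"},
    {"name": "sample-d", "performance_impact": "Low", "severity": "Low", "confidence": "High"},
]

if __name__ == "__main__":
    for name, action in summarize(SAMPLE_PROTECTIONS).items():
        print(f"{name}: {action}")
```

Note that sample-c is skipped despite Critical severity: the performance-impact threshold is checked before severity, which is why a High-impact protection never appears in the Optimized profile even when it is important.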
When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection (the Protected Scope value equals Any), is inspected for all protections according to the Optimized profile. By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.
The result of this rule (according to the Optimized profile) is that:
Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.
You can add more exceptions that prevent or detect specified protections or have different tracking settings.