Configuring Advanced Threat Prevention Settings

In This Section:

Threat Prevention Engine Settings

SNORT Signature Support

Optimizing IPS

Using the Whitelist

Threat Indicator Settings

Using Anti-Bot and Anti-Virus with VSX

Using Threat Extraction with VSX

Threat Prevention CLI Commands

Threat Prevention Engine Settings

This section explains how to configure advanced Threat Prevention settings that are in the Engine Settings window, including: inspection engines, the Check Point Online Web Service (ThreatCloud repository), internal email whitelist, file type support for Threat Extraction and Threat Emulation and more.

To get to the Engine Settings window, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.

The Threat Prevention Engine Settings window opens.

Fail Mode

Select the behavior of the ThreatSpect engine if it is overloaded or fails during inspection, for example, if Anti-Bot inspection terminates in the middle because of an internal failure. By default, in such a situation all traffic is allowed (the engine fails open).

Check Point Online Web Service

The Check Point Online Web Service is used by the ThreatSpect engine for updated resource categorization. The responses the Security Gateway gets are cached locally to optimize performance.

Connection Unification

Gateway traffic generates a large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or a site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log. For connections that are allowed or blocked in the Anti-Bot, Threat Emulation, and Anti-Virus Rule Base, the default session is 10 hours (600 minutes).

To adjust the length of a session:

  1. Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > General > Connection Unification > Session unification timeout (minutes).
  2. Enter the required value.
  3. Click OK.

Configuring Anti-Bot Whitelist

The Suspicious Mail engine scans outgoing emails. You can create a list of email addresses or domains whose internal emails are not inspected by Anti-Bot.

To add an email address or domain whose internal emails are not scanned by Anti-Bot:

  1. Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > Anti-Bot.
  2. Click the + sign.

In this window, you can also edit or remove the entries in the list.

Selecting Emulation File Types

You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types.

To select Threat Emulation file types that are supported in Threat Prevention profiles:

  1. In SmartConsole, select Manage & Settings > Blades.
  2. From the Threat Prevention section, click Advanced Settings.

    The Threat Prevention Engine Settings window opens.

  3. From the Threat Emulation Settings section, click Configure file type support.

    The File Types Support window opens.

  4. Select the file types that are sent for emulation. By default all file types are sent for emulation.

    The Emulation supported on column shows the emulation environments that support the file type.

  5. Click OK and close the Threat Prevention Engine Settings window.
  6. Install the Threat Prevention policy.

Configuring Advanced Engine Settings for Threat Extraction

Advanced Threat Extraction engine settings let you configure file type support and mail signatures for the Threat Extraction.

Configuring File Type Support

To configure file type support:

  1. In the Threat Prevention Engine Settings window > Threat Extraction, click Configure File Type Support.

    The Threat Extraction Supported File Types window opens.

  2. From the list select the file types which the Threat Extraction blade supports.
  3. Click OK.

Configuring Mail Signatures

To configure mail signatures:

  1. In the Threat Prevention Engine Settings window > Threat Extraction, click Configure Mail Signatures.

    The Threat Extraction Mail Signatures window opens.

    Use this window to configure text for:

    • Mail signatures for attachments with potential threats extracted

      The first signature is always attached to an email that had threats extracted.

      The second signature is added to the first if the email recipient has access to the original file.

    • Mail signatures for unmodified attachments

      You can insert predefined field codes into the signature text, such as:

      • A link to the file before it was modified by the blade.

      The link opens the UserCheck Portal. The portal shows a list of attachments the recipient can download.

      • Reference ID.

      Use this ID to send the file to the recipient. You can also find the ID in the logs.

      On the gateway, run the command: scrub send_orig_email.

  2. Click OK.

SNORT Signature Support

SNORT is a popular, open source, Network Intrusion Detection System (NIDS). For more information about SNORT see snort.org.

Check Point supports importing SNORT rules both from the GUI and through the SmartDomain Manager API.

When you import a SNORT rule, it becomes a part of the IPS database.

Imported SNORT rules follow these conventions on a Check Point Management Server:

  1. Snort Protection names are Snort imported: <value of the ‘msg’ field in the original SNORT rule>. See Creating SNORT Rule Files.
  2. Snort Protections get these attributes automatically:
    • Performance Impact - High
    • Severity - High
    • Confidence Level - Low or Medium
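As an added pre-import check (example code written for this page, not Check Point's own converter), the script below reads a SNORT .rules file, pulls the msg and sid options from each rule, and lists the "Snort imported: <msg>" protection names and automatic attributes described above. It also flags rules whose msg values collide (they become indistinguishable in the IPS Protections list) or are missing. The rule file content is constructed for the example; the sids and patterns are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample rule file: hypothetical sids and content, not a real ruleset.
SAMPLE_RULES = r'''
# Comment lines and blank lines are ignored.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST web suspicious URI"; flow:to_server,established; content:"/evil.php"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"TEST DNS \"quoted\" label"; content:"|01 00 00 01|"; sid:1000002; rev:2;)
alert tcp any any -> any 443 (msg:"TEST web suspicious URI"; content:"foo"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (content:"SSH-"; sid:1000004; rev:1;)
'''

NAME_PREFIX = "Snort imported: "          # naming convention stated in the documentation
AUTO_ATTRIBUTES = {"Performance Impact": "High", "Severity": "High",
                   "Confidence Level": "Low or Medium"}   # assigned to every import

# The msg value is a double-quoted string that may contain \" escapes.
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def preview_import(text: str) -> List[Dict[str, str]]:
    """Per rule: sid, msg and the IPS protection name SmartConsole would show."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # skip comments and blank lines
        sid, msg = _SID_RE.search(line), _MSG_RE.search(line)
        msg_text = msg.group(1).replace('\\"', '"') if msg else ""
        entry = {"sid": sid.group(1) if sid else "",
                 "msg": msg_text,
                 "name": NAME_PREFIX + msg_text if msg else ""}
        entry.update(AUTO_ATTRIBUTES)
        entries.append(entry)
    return entries

def duplicate_names(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Protection names produced by more than one rule, mapped to their sids."""
    by_name: Dict[str, List[str]] = {}
    for e in entries:
        if e["name"]:
            by_name.setdefault(e["name"], []).append(e["sid"])
    return {n: sids for n, sids in by_name.items() if len(sids) > 1}

def rules_without_msg(entries: List[Dict[str, str]]) -> List[str]:
    """sids of rules with no msg option, so no meaningful protection name can be derived."""
    return [e["sid"] for e in entries if not e["msg"]]
```

Run it against the real .rules file before step 7 of the import procedure, and fix colliding or empty msg values in the file so each protection gets a distinct, searchable name.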

Importing SNORT Protection Rules to the Security Management Server

Make sure you have the SNORT rule file. It holds SNORT rules and usually has the extension: .rules.

In a Multi-Domain Security Management environment, import SNORT rules to the Security Management Server. Then assign Global policy to the Domain Management Servers. This downloads the new SNORT protections to the Domain Management Servers.

To import SNORT Protection rules to the Security Management Server:

  1. Connect with SmartConsole to the Security Management Server that manages the applicable Security Gateway or Security Cluster.
  2. Open the applicable policy.
  3. From the left navigation panel, click Security Policies.
  4. In the top section of Threat Prevention, click Policy.
  5. In the bottom section Threat Tools, click IPS Protections.
  6. From the top toolbar, click Actions > Snort Protections > Import Snort rules.
  7. Select the file with the SNORT rules and click Open.

    The tool converts the rules to Check Point syntax and updates the protections database.

    Important - SmartConsole shows the converted SNORT rules as IPS protections whose names start with Snort imported.

  8. Publish the session.
  9. Install the Threat Prevention Policy on the applicable Security Gateway or Security Cluster.

To override the profile settings for a specific SNORT protection, see Action on SNORT Protection Rules.

Deleting SNORT Protection Rules from the Security Management Server

To delete SNORT protection rules from the Security Management Server:

  1. Connect with SmartConsole to the Security Management Server that manages the applicable Security Gateway or Security Cluster.
  2. Open the applicable Policy.
  3. From the left navigation panel, click Security Policies.
  4. In the top section Threat Prevention, click Policy.
  5. In the bottom section Threat Tools, click IPS Protections.
  6. From the top toolbar, click Actions > Snort protections > Delete all snort protections.
  7. Publish the session.
  8. Install the Threat Prevention Policy on the applicable Security Gateway or Security Cluster.

Importing SNORT Protection Rules to the Multi-Domain Server

Make sure you have the SNORT rule file. It holds SNORT rules and usually has the extension: .rules.

In a Multi-Domain Security Management environment, import SNORT rules to the Multi-Domain Server. Then assign Global policy to the Domain Management Servers. This downloads the new SNORT protections to the Domain Management Servers.

To import SNORT rules to the Multi-Domain Server:

  1. Connect with SmartConsole to the Multi-Domain Server, in the MDS context.
  2. From the left navigation panel, click Multi Domain > Domains.
  3. Right-click on the Global Domain and select Collect to domain.
  4. From the left navigation panel, click Security Policies.
  5. Open the applicable global policy.
  6. In the top section Threat Prevention, click Policy.
  7. In the bottom section Threat Tools, click IPS Protections.
  8. From the top toolbar, click Actions > Snort Protections > Import Snort rules.
  9. Select the required file with the SNORT rules and click Open.

    The tool converts the rules to Check Point syntax and updates the protections database.

    Important - SmartConsole shows the converted SNORT rules as IPS protections whose names start with Snort imported.

  10. Publish the session.
  11. Close the SmartConsole connected to the Global Domain.
  12. From the left navigation panel, click Multi Domain > Global Assignments.
  13. Reassign the Global Policy to the Local Domains.
  14. Connect with SmartConsole to the applicable Domain Management Server that manages the applicable Security Gateway or Security Cluster.
  15. Install the Threat Prevention Policy on the applicable Security Gateway or Security Cluster.

To override the profile settings for a specific SNORT protection, see Action on SNORT Protection Rules.