Create and manage the policy for the Threat Prevention Software Blade as part of the Threat Prevention Policy.
Click the Add Rule button to get started.
Best Practice - Disable a rule while you work on it, and enable it when you are ready to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right-click in the No. column of the rule and select Disable.
To configure IPS settings for a Threat Prevention profile:
The Profiles page opens.
Note - These categories are different from the protections in the Additional Activation page.
For additional granularity, in the Additional Activation section of the Profile configuration window, you can select IPS protections to activate and to deactivate. The IPS protections are arranged into tags (categories) such as Product, Vendor, Threat Year, and others, for ease of search. The gateways enforce activated protections and do not enforce deactivated protections, regardless of the general profile protection settings.
These categories only filter out or add protections that comply with the activation mode thresholds (Confidence, Severity, Performance).
For example, if a protection is inactive because of its Performance rating, it is not enabled even if its category is in Protections to activate.
There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.
In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the IPS > Updates page in the Profiles navigation tree. Select one of these settings for Newly Updated Protections:
Set activation as staging mode - Selected by default. Newly updated protections will remain in staging mode until you change their configuration. The default action for the protections is Detect. You can change the action manually in the IPS Protections page.
Click Configure to exclude protections from the staging mode.
Best Practice - Allow IPS to activate protections based on the IPS policy in the beginning. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.
The Pre-R80 Settings are relevant for the pre-R80 gateways only.
Protections Activation
Activate protections of the following types:
If a network has only clients or only servers, you can enhance gateway performance by deactivating protections. If you select Client Protections and Server Protections, all protections are activated, except for those that are:
Excluded Protections Categories
Do not activate protections of the following categories - The IPS protection categories you select here are not automatically activated. They are excluded from the Threat Prevention policy rule that has this profile in the action of the Rule Base.
To configure the Anti-Bot settings for a Threat Prevention profile:
The Profiles page opens.
To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.
| Protected Scope | Action | Track | Install On |
|---|---|---|---|
| *Any | Optimized | Log, Packet Capture | *Policy Targets |
To block bots in your organization:
The First Time Activation window opens.
You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.
Alternatively, add a new Threat Prevention rule:
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?
In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:
| Name | Protected Scope | Action | Track | Install On |
|---|---|---|---|---|
| Monitor Bot activity | | A profile that has these changes relative to the Optimized profile: Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect. | | |
To monitor all bot activity:
The Profiles page opens.
This profile sets to Detect the protections that identify an attack with low, medium or high confidence and that have a medium or lower performance impact.
The first rule that matches is applied.
You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole) and traffic direction (incoming or outgoing).
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:
The gateway window opens and shows the General Properties page.
Perform this procedure for each interface that goes to the DMZ.
You can configure the Anti-Virus profile to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. If you use this feature, it can have an impact on network performance.
Note - The MIME Nesting settings are the same for Anti-Virus and Threat Emulation.
To configure Anti-Virus settings for a Threat Prevention profile:
The Profiles page opens.
Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
The Anti-Virus Mail Configuration window opens.
To enable Archive Scanning:
The default setting is Allow.
To block viruses and malware in your organization:
The First Time Activation window opens.
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:
The gateway window opens and shows the General Properties page.
Do this procedure for each interface that goes to the DMZ.
If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.
Note - The MIME Nesting settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.
To configure Threat Emulation settings for a Threat Prevention profile:
The Profiles page opens.
Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
The Threat Prevention Mail Configuration window opens.
What are the available emulation actions that I can use with a Threat Emulation profile?
Note - To estimate the system requirements and amount of file emulations for a network, go to sk93598.
Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.
This section is for deployments that use an Emulation appliance and run emulation in the internal network.
Note - Prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.
To enable an Emulation appliance for Local and Remote emulation:
The Gateway Properties window opens.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
The Summary page opens.
The Gateway Properties window closes.
To enable Threat Emulation on the Security Gateway for Remote emulation:
The Gateway Properties window opens.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
The Summary page opens.
The Gateway Properties window closes.
You can use the Emulation Environment window to configure the emulation location and images that are used for this profile.
The Analysis Locations section lets you select where the emulation is done.
The Environments section lets you select the operating system images on which the emulation is run. If the images defined in the profile and the Security Gateway or Emulation appliance are different, the profile settings are used.
These are the options to select the emulation images:
To configure the virtual environment settings for the profile:
The Emulation Environment page opens.
You can configure the Threat Emulation Action and Emulation Location for each file type in the Threat Prevention profile.
To configure the file type settings for a profile:
The Threat Emulation Supported File Types window opens.
You can enter email addresses that are not included in Threat Emulation protection. SMTP traffic that is sent to or from these addresses is not sent for emulation.
Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to Inspect incoming and outgoing files.
To exclude emails from Threat Emulation:
Emails and attachments that are sent to these addresses will not be sent for emulation.
Emails and attachments that are received from these addresses will not be sent for emulation.
Note - You can also use a wildcard character to exclude more than one email address from a domain.
You can enable the Security Gateway as an MTA (Mail Transfer Agent) to manage the emulation of SMTP traffic. During file emulation, the email server may not be able to keep the connection open for the time that full emulation requires; when this happens, the email times out. A Threat Emulation deployment with an MTA avoids this problem: the MTA completes and closes the connection with the source email server and then sends the file for emulation. After the emulation is complete, the MTA sends the email to the mail server in the internal network.
Note - MTA configuration also applies to VSX gateways.
To use the Security Gateway as an MTA:
Note - When you enable a gateway as an MTA, an implied rule is created which opens port 25 on the gateway. To disable this implied rule, see sk110758.
For a topology that uses TLS between the Security Gateway and the mail server, you must import the mail server certificate to the Security Gateway.
To enable the Security Gateway as an MTA:
The Mail Transfer Agent page opens.
You can also configure the MTA to only run emulation and not forward emails to the mail server.
The Import Outbound Certificate window opens.
After you configure the Security Gateway as an MTA, change the settings to send SMTP traffic from external networks to the Security Gateway. Each organization has an MX record that points to the internal mail server, or a different MTA. The MX record defines the next hop for SMTP traffic that is sent to the organization. These procedures explain how to change the network settings to send SMTP to the Check Point MTA.
Important - If it is necessary to disable the MTA on the Security Gateway, change the SMTP settings or MX records first. Failure to do so can result in lost emails.
To configure an MTA for email that is sent to the internal mail server:
To configure an MTA for email that is sent to a different MTA:
You can use the Check Point MTA to only monitor SMTP traffic. Configure the MTA to send emails only for emulation, but not to forward them to the mail server.
Note - Make sure that the mail relay in the network can send a copy of the emails to the Check Point MTA.
To configure the MTA not to forward emails:
The Mail Transfer Agent page opens.
The Host Node window opens.
No_Forward
0.0.0.0
The Host Node window closes, and the server object is added to the Next Hop cell.
To configure Threat Extraction settings for a Threat Prevention profile:
The Profiles properties window opens.
Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.
On the Threat Extraction > General page, you can configure these settings:
Note - This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.
Select a message to show the user when the user receives the clean file. In this message, the user selects if they want to download the original file or not. To select the success or cancelation messages of the file download, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > UserCheck. You can create or edit UserCheck messages on the UserCheck page.
Send Original Mail is added to the message body.
Click Configure to set the maximum MIME nesting level for emails that contain nested MIME content.
Click Configure to select which malicious parts the blade extracts. For example, macros, JavaScript, images and so on.
Converts the file to PDF, and keeps text and formatting.
Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.
Set a low, medium or high confidence level. This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.
Select this option if you want to configure a different extraction method for certain file types. Click Configure to see the list of enabled file types and their extraction methods. To change the extraction method for a file type, right-click the file type and select Bypass, Clean, or Convert to PDF.
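The maximum MIME nesting level setting above limits how deeply parts may be wrapped inside one another before the gateway applies its nesting-limit action. The following added example (not Check Point code) shows how such a depth is measured and compared against a limit; the depth semantics (leaf part = 0, each enclosing multipart adds one) and the sample messages are assumptions constructed for this illustration.

```python
"""Added example, not Check Point code: measure how deeply MIME parts are nested
in an email and check the result against a maximum nesting level.

Depth semantics are an assumption for this illustration: a leaf part is depth 0
and each enclosing multipart container adds one. Sample messages are constructed.
"""
from email import message_from_bytes
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def build_nested_message(levels):
    """Construct a message whose text attachment sits inside `levels` extra
    multipart/mixed wrappers (levels=0 means an ordinary two-part mail)."""
    part = MIMEText("attachment payload", "plain")
    for _ in range(levels):
        wrapper = MIMEMultipart("mixed")
        wrapper.attach(part)
        part = wrapper
    outer = MIMEMultipart("mixed")
    outer["From"] = "sender@example.com"      # constructed address
    outer["To"] = "recipient@example.com"     # constructed address
    outer["Subject"] = "nested MIME sample"
    outer.attach(MIMEText("cover note", "plain"))
    outer.attach(part)
    return outer.as_bytes()


def mime_nesting_depth(raw):
    """Maximum number of multipart containers enclosing any leaf part."""
    msg = message_from_bytes(raw)

    def depth(part):
        if not part.is_multipart():
            return 0
        # An empty multipart still counts as one container (default=0).
        return 1 + max((depth(p) for p in part.get_payload()), default=0)

    return depth(msg)


def exceeds_nesting_limit(raw, max_level):
    """True when the message is nested more deeply than the configured level,
    i.e. the case a gateway would handle with its nesting-limit action."""
    return mime_nesting_depth(raw) > max_level


if __name__ == "__main__":
    for levels in (0, 2, 6):
        raw = build_nested_message(levels)
        print(levels, mime_nesting_depth(raw), exceeds_nesting_limit(raw, 3))
```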
Notes:
On the Threat Extraction > Exclude/Include Users page, you can configure these settings:
Click Exceptions to not include specified users, groups, recipients or senders.
Click Configure to select specified User Groups, Recipients or Senders.
Note:
A user is an object that can contain an email address with other details.
A group is an AD group or LDAP group of users.
A recipient is an email address only.
Important: In the Application menu > Global Properties > User Directory, make sure that you selected the Use User Directory for Security Gateways option.
On the Threat Extraction > Advanced page, you can configure these settings:
Block or Allow corrupted files attached to the email. Corrupted files are files the blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes show the content.
Block removes the corrupt attachment and sends the recipient a text describing how the attachment contained potentially malicious content. You can block corrupt files if they are malicious according to Threat Emulation. If the action is block, you can deny access to the original corrupted file.
Allow lets the recipient receive the corrupt file attachment.
Block or Allow encrypted files attached to the email.
Block removes the encrypted attachment and sends the recipient a text file describing how the attachment contained potentially malicious content.
If the action is block, you can also deny access to the original encrypted file.
Allow lets the recipient receive the encrypted attachment.
Allow or Clean signed emails.
Signed emails are not encrypted, but the mail contents are signed to authenticate the sender. If the received email differs from the email that was sent, the recipient gets a warning. The digital signature is no longer valid.
Clean replaces the original attachment with an attachment cleaned of threats, or converts the attachment to PDF form. Both actions invalidate the digital signature. If the attachment does not include active content, the mail remains unmodified and the digital signature valid.
Allow does not change the email. The digital signature remains valid. Select this option to prevent altering digital signatures.
The Malware DNS Trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway's external IP address as the DNS trap address but:
You can also add internal DNS servers to better identify the origin of malicious DNS requests.
Using the Malware DNS Trap, you can detect compromised clients by checking the logs for connection attempts to the false IP address.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
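The detection idea described above, as an added example that is not Check Point code: a client that opens a connection to the trap address has resolved a known malicious name, so connections to that address single out suspect hosts. The trap address (from a documentation-reserved range) and the log lines are constructed for this example; real Check Point log fields differ.

```python
"""Added example, not Check Point code: find internal clients that connected to
the Malware DNS Trap address.

The gateway answers DNS queries for known malicious names with a bogus (trap)
IP. Even when the query reached the gateway through an internal DNS server,
the follow-up connection to the trap IP comes from the real client, so the
connection log identifies the suspect host. Log lines below are constructed.
"""
from collections import defaultdict
import ipaddress
import re

# Assumed trap address for this example (TEST-NET-1, reserved for documentation).
DNS_TRAP_IP = "192.0.2.254"

# Constructed sample connection log lines: time, src, dst, dport, action.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 src=10.1.1.20 dst=192.0.2.254 dport=443 action=accept
2024-05-01T09:00:02 src=10.1.1.21 dst=93.184.216.34 dport=443 action=accept
2024-05-01T09:00:05 src=10.1.1.20 dst=192.0.2.254 dport=80 action=accept
2024-05-01T09:01:10 src=10.1.5.7 dst=192.0.2.254 dport=8080 action=drop
2024-05-01T09:02:00 src=10.1.1.22 dst=10.1.1.1 dport=53 action=accept
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def trap_hits(text, trap_ip=DNS_TRAP_IP):
    """Return {client_ip: [(timestamp, dport), ...]} for connections to the trap IP.

    Any connection attempt counts, accepted or dropped: the client had already
    resolved a malicious name, so the DNS answer is the indicator, not the
    outcome of the TCP connection.
    """
    trap = ipaddress.ip_address(trap_ip)
    hits = defaultdict(list)
    for rec in parse_log(text):
        if ipaddress.ip_address(rec["dst"]) == trap:
            hits[rec["src"]].append((rec["ts"], int(rec["dport"])))
    return dict(hits)


def suspected_clients(text, trap_ip=DNS_TRAP_IP):
    """Client IPs sorted by number of trap hits, most active first."""
    hits = trap_hits(text, trap_ip)
    return sorted(hits, key=lambda ip: (-len(hits[ip]), ip))


if __name__ == "__main__":
    hits = trap_hits(SAMPLE_LOGS)
    for ip in suspected_clients(SAMPLE_LOGS):
        print(ip, hits[ip])
```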
To set the Malware DNS Trap parameters for the profile:
The Profiles page opens.
To set the Malware DNS Trap parameters for a gateway:
The gateway window opens and shows the General Properties page.
Inspection of Links Inside Mail scans URL links in the body of email messages, subject, or .txt attachments, and checks them against the URL reputation database. The email messages that contain malicious URL links are blocked.
Inspection of Links Inside Mail is on by default. It scans incoming mail with the Anti-Virus Software Blade and outgoing mail with the Anti-Bot Software Blade.
To turn Inspection of Links Inside Mail off:
Note - For each Software Blade (Anti-Bot and Anti-Virus), you must turn off Links Inside Mail separately.
To turn Inspection of Links Inside Mail on:
To configure Link Inspection Inside Mail:
The Links inside mail page opens.
If necessary, you can add an exception directly to a rule. An exception sets a different Action for an object in the Protected Scope than the Action specified in the Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection, not to increase it. For example: the Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.
You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines are added and show in the Rule Base as E-1.1 and E-1.2.
You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.
You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.
To add an exception to a rule:
Note - You cannot set an exception rule to an inactive protection or an inactive blade.
Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on Windows servers. How can I change this protection to Detect for one server only?
In this example, create this Threat Prevention rule, and install the Threat Prevention policy:
| Name | Protected Scope | Protection/Site | Action | Track | Install On |
|---|---|---|---|---|---|
| Monitor Bot Activity | | | A profile based on the Optimized profile. Edit this profile > go to the General Policy pane > in the Activation Mode section, set every Confidence to Prevent. | Log | Policy Targets |
| Exclude | Server_1 | | Detect | Log | Server_1 |
To add an exception to a rule:
Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them, if archive scanning is enabled.
You can also configure an exception for an entire blade.
To configure a blade exception:
To create an exception from an IPS protection:
An exception group is a container for one or more exceptions. You can attach an exception group to all rules or only to some rules. With exception groups, you can manage your exceptions more easily, because you can attach the same exception group to multiple rules instead of manually defining exceptions for each rule.
The Exception Groups pane shows a list of exception groups that were created, the rules that use them, and any comments related to the defined group. The Exception Groups pane contains these options:
| Option | Meaning |
|---|---|
| New | Creates a new exception group. |
| Edit | Modifies an existing exception group. |
| Delete | Deletes an exception group. |
| Search | Searches for an exception group. |
Global Exceptions
The system comes with a predefined group named Global Exceptions. Exceptions that you define in the Global Exceptions group are automatically added to every rule in the Rule Base. For other exception groups, you can decide to which rules to add them.
Exception Groups in the Rule Base
Global exceptions and other exception groups are added as shaded rows below the rule in the Rule Base. Each exception group is labeled with a tab that shows the exception group's name. The exceptions within a group are identified in the No. column using the syntax E-<rule number>.<exception number>, where E identifies the line as an exception. For example, if there is a Global Exceptions group that contains two exceptions, all rules show the exception rows in the Rule Base No. column as E-1.1 and E-1.2. Note that the numbering of exceptions changes when you move exceptions within a rule.
To view exception groups in the Rule Base:
Click the plus or minus sign next to the rule number in the No. column to expand or collapse the rule exceptions and exception groups.
When you create an exception group, you create a container for one or more exceptions. After you create the group, add exceptions to it. You can then add the group to the rules that require it in the Threat Prevention Rule Base.
To create an exception group:
To use exception groups, you must add exception rules to them.
To add exceptions to an exception group:
You can add exception groups to Threat Prevention rules. This only applies to exception groups that are configured to Manually attach to a rule.
To add an exception group to the Rule Base:
In some cases, after evaluating a log or an event in the Logs & Monitor view, it may be necessary to update a rule exception in the SmartConsole Rule Base. You can do this directly from within the Logs & Monitor view. You can apply the exception to a specified rule or apply the exception to all rules that show under Global Exceptions.
To update a rule exception or global exception from a log: