You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.
To get quickly up and running with Threat Prevention:
After you enable the blades and install the policy, this rule is generated:
| Name | Protected Scope | Action | Track | Install On |
|---|---|---|---|---|
| Out-of-the-box Threat Prevention policy | | Optimized | | |
Notes:
Enable the IPS Software Blade on the Security Gateway.
To enable the IPS Software Blade:
The General Properties window opens.
To enable the Anti-Bot Software Blade on a Security Gateway:
The General Properties window of the gateway opens.
The Anti-Bot and Anti-Virus First Time Activation window opens.
Enable the Anti-Virus Software Blade on a Security Gateway.
To enable the Anti-Virus Software Blade:
The General Properties window of the gateway opens.
The Anti-Bot and Anti-Virus First Time Activation window opens.
To enable the Threat Emulation Blade:
The Gateway Properties window opens.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
The Summary page opens.
The Gateway Properties window closes.
Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.
Best Practice - For ThreatCloud emulation, it is necessary that the Security Gateway connects to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.
To enable the Threat Extraction Blade:
The General Properties window of the gateway opens.
The Threat Extraction First Time Activation Wizard opens:
Note - In a ClusterXL High Availability environment, do this once for the cluster object.
Configuring LDAP
If you use LDAP for user authentication, you must activate User Directory for Security Gateways.
To activate User Directory:
The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.
To install the Threat Prevention policy:
The Install Policy window opens showing the installation targets (Security Gateways).
If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
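The same Threat Prevention-only installation can be scripted with the Management API command-line client instead of SmartConsole. The wrapper below is an added example, not taken from this guide or from Check Point. It assumes it runs as root on the Security Management Server (so `mgmt_cli -r true` needs no credentials), and the package name `Standard` and the target names `gw-a` and `gw-cluster` are placeholders.

```shell
#!/bin/sh
# Added example: install ONLY the Threat Prevention policy with mgmt_cli.
# Assumed names (not from the guide): package "Standard", targets
# "gw-a" and "gw-cluster". DRY_RUN defaults to 1, so the command is only
# printed; set DRY_RUN=0 on the Security Management Server to execute it.

# usage: tp_install <policy-package> <target> [<target>...]
# The body runs in a subshell "( ... )" so its variables and its rewritten
# positional parameters never leak into the calling shell.
tp_install() (
    if [ "$#" -lt 2 ] || [ -z "$1" ]; then
        echo "usage: tp_install <policy-package> <target>..." >&2
        exit 2
    fi
    pkg=$1
    shift

    # Append "targets.N <name>" pairs, then drop the original bare names.
    i=1
    for t in "$@"; do
        set -- "$@" "targets.$i" "$t"
        i=$((i + 1))
    done
    shift $((i - 1))

    # access false            -> leave the Access Control policy untouched
    # threat-prevention true  -> install the dedicated Threat Prevention policy
    # install-on-all-cluster-members-or-fail true
    #                         -> all-or-nothing installation on cluster members
    set -- install-policy policy-package "$pkg" \
        access false threat-prevention true \
        install-on-all-cluster-members-or-fail true "$@"

    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "mgmt_cli -r true $* --format json"
    else
        mgmt_cli -r true "$@" --format json
    fi
)

# Dry run with the placeholder names: prints the command, installs nothing.
DRY_RUN=1 tp_install Standard gw-a gw-cluster
```

The dry-run output shows object names unquoted, so names that contain spaces must be quoted if the printed line is pasted into a shell.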
When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection (the protected scope value equals any), is inspected for all protections according to the Optimized profile. By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.
The result of this rule (according to the Optimized profile) is that:
Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.
You can add more exceptions that prevent or detect specified protections or have different tracking settings.