Configuring Threat Extraction on the Gateway

In This Section:

Configuring Threat Extraction on the Security Gateway

Configuring Threat Extraction in a Cluster

Threat Extraction Statistics

Using the Gateway CLI

Backup to External Storage

Configuring Threat Extraction on the Security Gateway

To configure the Threat Extraction blade on the gateway:

  1. Enable the Threat Extraction Blade:
    1. On the General Properties > Network Security tab, select Threat Extraction.

      The Threat Extraction First Time Activation Wizard opens.

    2. Configure the Domain and Next Hop.
    3. Click Next.
    4. Click Finish.
  2. Enable the gateway as a Mail Transfer Agent (MTA).
  3. In the Gateways & Servers view, open the gateway properties > Threat Extraction page.
  4. Make sure the Activation Mode is set to Active.
  5. In the Resource Allocation section, configure the resource settings.
  6. Click OK.
  7. Install the Access Control Policy.

Configuring Threat Extraction in a Cluster

Cluster configuration is similar to gateway configuration, except for a few instructions that apply only to clusters.

To configure Threat Extraction in a cluster:

  1. In the Gateways & Servers view, right-click the cluster and click Edit.
  2. Open the ClusterXL and VRRP page.
  3. Select High Availability.

Notes:

Threat Extraction Statistics

You can see Threat Extraction statistics in the CLI:

  1. Open the command line interface of the gateway that has Threat Extraction enabled.
  2. Run these commands:
    • cpview
    • cpstat scrub -f threat_extraction_statistics

Using the Gateway CLI

The gateway has a Threat Extraction menu to:

To use the Threat Extraction command line:

  1. Log in to the Security Gateway.
  2. Enter expert mode.
  3. Enter: scrub

    A menu shows these options:

    Option - Description

    debug - Controls debug messages.

    queues - Shows information on Threat Extraction queues. This command helps you understand the queue status and load on the mail transfer agent (MTA) and the scrubd daemon. The command shows:

    • Number of pending requests from the MTA to the scrubd daemon
    • Maximum number of pending requests from the MTA to the scrubd daemon
    • Current number of pending requests from scrubd to scrub_cp_file_convert
    • Maximum number of pending requests from scrubd to scrub_cp_file_convert

    send_orig_email - Sends the original email to recipients. To send the original email, get:

    • The reference number - Click the link in the email received by the user.
    • The email ID - Found in the Logs & Monitor logs or debug logs.

    bypass - Bypasses all files. Use this command to debug issues with the scrub (Threat Extraction) daemon. When you set bypass to active, requests from the mail transfer agent (MTA) to the scrub daemon are not handled. Threat Extraction is suspended. No files are cleaned.

    counters - Shows and resets counters.

    update - Manages updates from the download center.

    send_orig_file - Sends the original file by email.

    cache - Shows and resets the cache.

    backup_expired_mail - Backs up expired mails to external storage.

Backup to External Storage

When you run out of disk space, you can back up e-mail attachments or web downloads to external storage.

Notes:

To back up original files to external storage:

  1. Create the backup folder.

    Run: mkdir /mnt/<local_backup_folder>

  2. Mount the backup folder to the remote folder.

    Run: mount -t cifs <remote_folder> /mnt/<local_backup_folder>

    Example: mount -t cifs //MyServer/MyBackupFolder /mnt/MyLocalBackupFolder

    Best Practice - To preserve the mount configuration after reboot, configure a Scheduled Job that runs the applicable "mount" command "At startup" (in the Gaia portal, go to System Management > Job Scheduler).

  3. Edit $FWDIR/conf/scrub_debug.conf, and search for :external_storage.
    1. Change the enabled value from "0" to "1".
    2. In the external_path parameter, write the full path to the local backup folder:
    3. The expired_in_days parameter sets the backup date. The value you enter for this parameter specifies how many days before expiration the backup is performed.

    Example:

    :external_storage (
        :enabled (1)
        :external_path ("/mnt/MyLocalBackupFolder")
        :expired_in_days (5)
    )
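
A pre-flight check for the procedure above, as an added example that is not part of the original guide or of Check Point's tooling: it reads the :external_storage stanza and confirms that external_path is an active mount point, because an unmounted path is only a local directory and backups written there use the disk space the procedure is meant to free. The function names and the optional mounts-file argument are assumptions made for the example, and the sample stanza and mounts line are constructed.

```shell
#!/bin/bash
# Added example (not Check Point code): pre-flight check for the external backup setup.
# Print one parameter value from the :external_storage ( ... ) stanza.
storage_param() {  # usage: storage_param <conf_file> <param>
    awk -v key=":$2" '
        $1 == ":external_storage" { inside = 1; next }
        inside && $1 == ")"       { exit }
        inside && $1 == key {
            v = $0
            sub(/^[^(]*\(/, "", v)   # drop everything up to the opening parenthesis
            sub(/\)[^)]*$/, "", v)   # drop the closing parenthesis
            gsub(/"/, "", v)         # drop quotes around string values
            print v; exit
        }' "$1"
}

# Succeed only if <path> is a mount point in the mounts table (default: /proc/mounts).
is_mounted() {  # usage: is_mounted <path> [mounts_file]
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Return 0 if the stanza is usable, otherwise 1-4 with a reason on stdout.
check_external_storage() {  # usage: check_external_storage <conf_file> [mounts_file]
    local conf=$1 enabled path days
    enabled=$(storage_param "$conf" enabled)
    path=$(storage_param "$conf" external_path)
    days=$(storage_param "$conf" expired_in_days)
    [ "$enabled" = "1" ] || { echo "external_storage is not enabled"; return 1; }
    case $path in /*) ;; *) echo "external_path is not a full path: '$path'"; return 2 ;; esac
    case $days in ''|*[!0-9]*) echo "expired_in_days is not a number: '$days'"; return 3 ;; esac
    is_mounted "$path" "${2:-/proc/mounts}" ||
        { echo "$path is not mounted; backups would be written to the local disk"; return 4; }
    echo "OK: backup to $path, $days day(s) before expiration"
}

# Constructed sample input (not from a real gateway): the stanza from the page's
# example and a one-line mounts table standing in for /proc/mounts.
demo() {
    local d rc=0
    d=$(mktemp -d)
    printf '%s\n' ':external_storage (' '    :enabled (1)' \
        '    :external_path ("/mnt/MyLocalBackupFolder")' \
        '    :expired_in_days (5)' ')' > "$d/conf"
    echo '//MyServer/MyBackupFolder /mnt/MyLocalBackupFolder cifs rw 0 0' > "$d/mounts"
    check_external_storage "$d/conf" "$d/mounts" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

On a gateway, the same check runs as check_external_storage "$FWDIR/conf/scrub_debug.conf" after the mount step and before the manual backup test.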

To manually test the backup:

  1. Run this command: scrub backup_expired_mail <days for expired entries> <external_path>

    For <days for expired entries>, enter "0".