Configuring Threat Emulation on the Gateway

In This Section:

Using Local or Remote Emulation

Changing the Analysis Location

Setting the Activation Mode

Optimizing System Resources

Managing Images for Emulation

Using Local or Remote Emulation

This section is for deployments that use an Emulation appliance and run emulation in the internal network.

Note - Prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.

To enable an Emulation appliance for Local and Remote emulation:

  1. In SmartConsole, go to Gateways & Servers and double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the Network Security tab, select SandBlast Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Select Locally on a Threat Prevention device.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Emulation appliance and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. For Local emulation, install the Threat Prevention policy on the Emulation appliance.

To enable Threat Emulation on the Security Gateway for Remote emulation:

  1. In SmartConsole, go to Gateways & Servers and double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Configure the Security Gateway for Remote Emulation:
    1. Select Other Threat Emulation appliances.
    2. Click Next.
    3. Click the + sign to add the emulation appliances. For R80.10 gateways with R80.10 Jumbo Hotfix Accumulator and R77.20 gateways, you can add multiple appliances for remote emulation. For older gateways, you can select only one remote emulation appliance.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Security Gateway and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. Install the Threat Prevention policy on the Security Gateway and the Emulation appliance.

Changing the Analysis Location

When you run the Threat Emulation First Time Configuration Wizard, you select the location of the emulation analysis. You can use the Threat Emulation window in Gateway Properties to change the location.

Note - The Threat Prevention policy defines the analysis location that is used for emulation.

You can send files that are not supported on the local Emulation appliance to the ThreatCloud for emulation.

To change the location of the emulation analysis:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation.

    The Threat Emulation page opens.

  3. From the Analysis Location section, select the emulation location:
    • According to the gateway - According to the gateway configuration
    • Specify -
      • Check Point ThreatCloud - Files are sent to the Check Point ThreatCloud for emulation
      • Local Gateway - Select the Security Gateway that does the emulation of the files
      • Remote Emulation Appliances - You can select one or more appliances on which the emulation is performed
  4. Optional: Select Emulate files on ThreatCloud if not supported locally.

    If files are not supported on the Emulation appliance and they are supported in the ThreatCloud, they are sent to the ThreatCloud for emulation. No additional license is necessary for these files.

  5. Click OK.
  6. Install the policy on the Emulation appliance.

Setting the Activation Mode

You can change the Threat Emulation protection Activation Mode of the Security Gateway or Emulation appliance. The emulation can use the Prevent action that is defined in the Threat Prevention policy or only Detect and log malware.

To configure the activation mode:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation.

    The Threat Emulation page opens.

  3. From the Activation Mode section, select one of these options:
    • According to policy
    • Detect only
  4. Click OK and then install the policy.

Optimizing System Resources

The Resource Allocation settings are only for deployments that use an Emulation appliance. Threat Emulation uses system resources for emulation to identify malware and suspicious behavior. You can use the Resource Allocation settings to configure how much of the Emulation appliance resources are used for emulation. When you change these settings, it can affect the network and emulation performance. You can configure the settings for these system resources:

  • Minimum available hard disk space (If no emulation is done on a file, the Threat Prevention Fail Mode settings determine if the file is allowed or blocked)
  • Maximum available RAM that can be used for Virtual Machines

If you plan to change the available RAM, these are the recommended settings:

  • If the appliance is only used for Threat Emulation, increase the available RAM
  • If the appliance is also used for other Software Blades, decrease the available RAM

To optimize the system resources for the Emulation appliance:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation > Advanced.

    The Advanced page opens.

  3. Emulation stops when the Log storage mechanism automatically deletes log files. To change the configured value (Note - this also affects the deletion of log files), navigate to Logs > Local Storage and, in When disk space is below <value> Start deleting old files, change the <value>. The default is 5GB.
  4. To configure the maximum amount of RAM that is available for emulation, select Limit memory allocation.

    The default value is 70% of the total RAM on the appliance.

  5. Optional: To change the amount of available RAM:
    1. Click Configure.

      The Memory Allocation Configuration window opens.

    2. Enter the value for the memory limit:
      • % of total memory - Percentage of the total RAM that Threat Emulation can use. Valid values are between 20 - 90%.
      • MB - Total MB of RAM that Threat Emulation can use. Valid values are between 512MB - 1000GB.
    3. Click OK.
  6. From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation:
    • None - No action is done
    • Log - The action is logged
    • Alert - An alert is sent to SmartView Monitor
  7. Click OK and then install the policy.

Managing Images for Emulation

You can define the operating system images that Threat Emulation uses, for each appliance, and for each Threat Emulation profile. If different images are defined for a profile and for an appliance, Threat Emulation will use the images that are selected in both places. An image that is selected only for the appliance or for the profile will not be used for emulation.

To manage the images that the appliance uses for emulation:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation > Advanced.

    The Advanced page opens.

  3. From the Image Management section, select the applicable option for your network:
    • Use all the images that are assigned in the policy - The images that are configured in the Emulation Environment window are used for emulation.
    • Use specific images - Select one or more images that the Security Gateway can use for emulation.
  4. Click OK and then install the policy.
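
The settings described under Setting the Activation Mode, Optimizing System Resources and Managing Images for Emulation can be reviewed offline before the policy is installed. The following is an added example, not Check Point code: the field names and image names are constructed for illustration, and 1GB is assumed to be 1024MB.

```python
# Added example: offline review of planned Threat Emulation settings.
# Field and image names are constructed; they are not Check Point API names.
PCT_RANGE = (20, 90)            # valid "% of total memory" values from the text
MB_RANGE = (512, 1000 * 1024)   # 512MB - 1000GB in MB (1GB = 1024MB assumed)

def effective_images(appliance_images, profile_images):
    """Return (used, ignored). appliance_images=None models the option
    'Use all the images that are assigned in the policy'."""
    profile = set(profile_images)
    if appliance_images is None:
        return profile, set()
    appliance = set(appliance_images)
    used = appliance & profile          # only images selected in both places
    return used, (appliance | profile) - used

def review(settings):
    """Return a list of findings for one planned appliance configuration."""
    findings = []
    unit, value = settings["memory_limit"]
    lo, hi = PCT_RANGE if unit == "percent" else MB_RANGE
    if not lo <= value <= hi:
        findings.append(f"memory limit {value} {unit} is outside {lo}-{hi}")
    if settings["activation_mode"] == "Detect only":
        findings.append("Detect only: malware is detected and logged, not prevented")
    if settings["limit_exceeded_track"] == "None":
        findings.append("track None: files not sent for emulation leave no log or alert")
    used, ignored = effective_images(settings["appliance_images"],
                                     settings["profile_images"])
    if not used:
        findings.append("no image is selected for both the appliance and the profile")
    for image in sorted(ignored):
        findings.append(f"image '{image}' is selected in one place only and is not used")
    return findings

# Constructed sample configuration with several problems.
PLANNED = {
    "memory_limit": ("percent", 95),
    "activation_mode": "Detect only",
    "limit_exceeded_track": "None",
    "appliance_images": {"image-A", "image-B"},
    "profile_images": {"image-B", "image-C"},
}

if __name__ == "__main__":
    for finding in review(PLANNED):
        print("-", finding)
```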