Threat Prevention Scheduled Updates

In This Section: Introduction to Scheduled Updates Configuring Threat Prevention Scheduled Updates Checking Update Status Turning Off IPS Automatic Updates on a Gateway IPS Updates Use Cases

Introduction to Scheduled Updates

Check Point wants the customer to be protected. When a protection update is available, Check Point wants the configuration to be automatically enforced on the gateway. You can configure automatic gateway updates for the Anti-Virus, Anti-Bot, Threat Emulation and IPS blades.

For the Anti-Virus, Anti-Bot and Threat Emulation, the gateways download the updates directly from the Check Point cloud.

For the IPS blade, prior to R80.20, the updates were downloaded to the Security Management Server, and only after you installed policy, the gateways could enforce the updates. Starting from R80.20, the gateways can directly download the updates. For R80.20 gateways and higher with no internet connectivity, you must still install policy to enforce the updates.

When you configure automatic IPS updates on the gateway, the action for the newly downloaded protections is by default according to the profile settings.

IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default. Threat Emulation engine updates are performed daily at 05:00 by default, and Threat Emulation image updates are performed daily at 04:00 by default.

You can see the list of Anti-Bot and Anti-Virus protections in Threat Tools > Protections, and the list of IPS protections in Threat Tools > IPS Protections. The update date appears next to each protection.

Configuring Threat Prevention Scheduled Updates

To configure Threat Prevention scheduled updates:

1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
2. In the Threat Tools section of the Threat Prevention Policy, click Updates.
3. In the section for the applicable Software Blade, click Schedule Update.

   The Scheduled Updates window opens.

4. Make sure Enable <blade> scheduled updates is selected.
5. For IPS, there are 2 more configuration options for scheduling Security Management Server updates:
   • On successful IPS update on the Security Management Server, install policy on the Security Gateway - automatically installs the policy on the devices you select after the IPS update is completed. Click Configure to select these devices.

     Note - In pre-R80 gateways, IPS was part of the Access Control policy. Therefore, when you select this option, a message shows which indicates that for pre-R80 gateways, the Access Control policy is installed and for R80 and above gateways, the Threat Prevention policy is installed.

   • Perform retries on the Security Management Server when the update fails - lets you configure the number of tries the scheduled update makes if it does not complete successfully the first time.
6. Click Configure.
7. In the window that opens, set the Time of event:
   • Update every: set the update frequency by hours

   OR:

   • Update at: set the update frequency by days:
     • Daily - Every day
     • Days in week - Select days of the week
     • Days in month - Select dates of the month
8. Click OK.
9. Click Close.
10. Install Policy.

Checking Update Status

In Threat Tools > Update, a message shows which indicates the number of gateways which are up-to-date.

To check if the protections are update on a specific gateway:

1. In the Gateways & Servers view, select a gateway.
2. Click the Monitor button.

   The Device & License Information window opens.

3. The Device Status page shows the gateway status.

Turning Off IPS Automatic Updates on a Gateway

You can turn off automatic IPS updates on a specific gateway.

To turn off automatic IPS updates on a specific gateway:

1. In SmartConsole, to the Gateways & Servers view, and double-click a gateway.

   The gateway properties window opens.

2. In the navigation tree, go to the IPS page.
3. In IPS Update Policy, select Use IPS management updates
4. Click OK.
5. Install Policy.

IPS Updates Use Cases

These scenarios explain how an upgrade of the Security Gateways or the Security Management Server or both, affects the Scheduled Updates configuration.

Scenario 1: Upgrading the Security Management Server to R80.20, and not upgrading the gateways to R80.20

If you do not upgrade the gateways, then after the upgrade, the gateways are still not able to receive the updates independently, only through the Security Management Server. In this case, the configuration stays the same compared to before the upgrade: Scheduled Updates will be enabled or disabled on the Security Management Server, depending on the configuration before the upgrade.

Scenario 2: Upgrading the gateways to R80.20 (with or without Security Management Server upgrade)

• If, before the upgrade, Scheduled Updates were configured on the Security Management Server with automatic policy installation, then after the upgrade, automatic IPS updates are still enabled on theSecurity Management Server, and are also applied to the upgraded gateways.
• If Scheduled Updates were disabled on the Security Management Server before the upgrade, then they remain disabled after the upgrade, both on the Security Management Server and the gateways.
• If, before the upgrade, Scheduled Updates were configured on the Security Management Server without automatic policy installation - then during the first policy installation after upgrade, a message shows which indicates that R80.20 gateways and above automatically update the IPS Protections. For older gateways than R80.20, you must install policy to apply the updates.