Threat Prevention Engine Settings

Threat Prevention Engine Settings - General

What can I do here?

Use this window advanced settings for Threat Prevention such as:

Fail mode in case of internal system error
Check Point Online Web Service
Connection Unification timeout
HTTP Inspection

Getting Here - Manage & Settings > Blades > Threat Prevention > Advanced Settings > Threat Prevention Engine Settings window > General page

Engine Settings

Fail Mode

Select the behavior of the ThreatSpect engine if it is overloaded or fails during inspection. For example, if the Anti-Bot inspection is terminated in the middle because of an internal failure. By default, in such a situation all traffic is allowed.

Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.

Check Point Online Web Service

The Check Point Online Web Service is used by the ThreatSpect engine for updated resource categorization. The responses the Security Gateway gets are cached locally to optimize performance.

Block connections when the web service is unavailable
- When selected, connections are blocked when there is no connectivity to the Check Point Online Web Service.
- When cleared, connections are allowed when there is no connectivity (default).
Resource categorization mode - You can select the mode that is used for resource categorization:
- Background - connections are allowed until categorization is complete - When a connection cannot be categorized with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the categorization procedure. The response is cached locally for future requests (default).
  This option reduces latency in the categorization process.
- Hold - connections are blocked until categorization is complete - When a connection cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.
- Custom - configure different settings depending on the service - Lets you set different modes for Anti-Bot and Anti-Virus. For example, click Customize to set Anti-Bot to Hold mode and Anti-Virus to Background mode.

Connection Unification

Gateway traffic generates a large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log.

For connections that are allowed or blocked in the Anti-Bot and Anti-Virus Rule Base, the default session is 10 hours (600 minutes). To change this, click Session Timeout and enter a different value.

HTTP Inspection

Enable HTTP inspection on non-standard ports for Threat Prevention blades.