Out-of-the-Box Protection from Threats

In This Section:

Getting Quickly Up and Running with the Threat Prevention Policy

You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.

To get quickly up and running with Threat Prevention:

Enable the Threat Prevention blades on the gateway.
Install Policy.

After you enable the blades and install the policy, this rule is generated:

Name	Protected Scope	Action	Track	Install On
Out-of-the-box Threat Prevention policy	`*Any`	Optimized	`Log` `Packet Capture`	`*Policy Targets`

Name

Protected Scope

Action

Track

Install On

Out-of-the-box Threat Prevention policy

*Any

Optimized

Log

Packet Capture

*Policy Targets

Notes:

The Optimized profile is installed by default.
The Protection/Site column is used only for protection exceptions.

Enabling the Threat Prevention Software Blades

Enabling the IPS Software Blade

Enable the IPS Software Blade on the Security Gateway.

To enable the IPS Software Blade:

In the Gateways & Servers view, double-click the gateway object.
The General Properties window opens.
In the General Properties > Network Security tab, click IPS.
Follow the steps in the wizard that opens.
Click OK.
Click OK in the General Properties window.
Install Policy.

Enabling the Anti-Bot Software Blade

To enable the Anti-Bot Software Blade on a Security Gateway:

In the Gateways & Servers view, double-click the gateway object.
The General Properties window of the gateway opens.
From the Network Security tab, select Anti-Bot.
The Anti-Bot and Anti-Virus First Time Activation window opens.
Select an activation mode option:
- According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Software Blade and use the Anti-Bot settings of the Threat Prevention profile in the Threat Prevention policy.
- Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
Click OK.
Install Policy.

Enabling the Anti-Virus Software Blade

Enable the Anti-Virus Software Blade on a Security Gateway.

To enable the Anti-Virus Software Blade:

In the Gateways & Servers view, double-click the gateway object.
The General Properties window of the gateway opens.
From the Network Security tab, click Anti-Bot.
The Anti-Bot and Anti-Virus First Time Activation window opens.
Select one of the activation mode options:
- According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Virus Software Blade and use the Anti-Virus settings of the Threat Prevention profile in the Threat Prevention policy.
- Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
Click OK
Install Policy.

Enabling SandBlast Threat Emulation Software Blade

To enable the Threat Emulation Blade:

In the Gateways & Servers view, double-click the Security Gateway object.
The Gateway Properties window opens.
From the Network Security tab, select SandBlast Threat Emulation.
The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
Select the Emulation Location.
Click Next.
The Summary page opens.
Click Finish to enable Threat Emulation and close the First Time Configuration Wizard.
Click OK.
The Gateway Properties window closes.
Install Policy.

Using Cloud Emulation

Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

Best Practice - For ThreatCloud emulation, it is necessary that the Security Gateway connects to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.

Enabling the SandBlast Threat Extraction Blade

To enable the Threat Extraction Blade:

In the Gateways & Servers view, double-click the gateway object.
The General Properties window of the gateway opens
Go to the Network Security tab, and select Threat Extraction.
The Threat Extraction First Time Activation Wizard opens:
1. If you want Threat Extraction to scan mail attachments, configure the Domain and Next Hop. If not, select Skip this configuration now.
2. Click Next.
3. Click Finish.
Note - In a ClusterXL High Availability environment, do this once for the cluster object.

After you enable the Threat Extraction blade on the gateway, configure Threat Extraction to scan one or all of these types of documents:

For Threat Extraction to scan e-mail attachments, Enable the gateway as a Mail Transfer Agent (MTA).
From R80.30, Threat Extraction can also scan web downloads. To enable this, SmartConsole, go to the Security Policies view > Threat Prevention > Threat Tools > Profiles > double-click a profile > Threat Extraction > General > Protocol, and select Web (HTTP/HTTPS).
For Threat Extraction API support, in the gateway editor, go to Threat Extraction > Web API > Enable API.

Configuring LDAP

If you use LDAP for user authentication, you must activate User Directory for Security Gateways.

To activate User Directory:

Open SmartConsole > Global Properties.
On the User Directory page, select Use User Directory for Security Gateways.
Click OK.

Installing the Threat Prevention Policy

The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

To install the Threat Prevention policy:

From the Global toolbar, click Install Policy.
The Install Policy window opens showing the installation targets (Security Gateways).
Select Threat Prevention.
Select Install Mode:
- Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
  If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
- Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
Click OK.

Predefined Rule

When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection, (the protected scope value equals any) is inspected for all protections according to the Optimized profile. By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.

The result of this rule (according to the Optimized profile) is that:

When an attack meets the below criteria, the protections are set to Prevent mode:
- Confidence Level - Medium or above
- Performance Impact - Medium or above
- Severity - Medium or above
When an attack meets the below criteria, the protections are set to Detect mode:
- Confidence Level - Low
- Performance Impact - Medium or above
- Severity - Medium or above

Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.

You can add more exceptions that prevent or detect specified protections or have different tracking settings.