Threat Prevention Profiles

In This Section:

Introducing Profiles

Optimized Protection Profile Settings

Profiles Pane

Creating Profiles

Cloning Profiles

Using Local or Remote Emulation

Editing Profiles

Deleting Threat Prevention Profiles

Showing Changes to a Threat Prevention Profile

Assigning Profiles to Gateways

Introducing Profiles

Check Point Threat Prevention provides instant protection based on pre-defined Threat Prevention Profiles. You can also configure a custom Threat Prevention profile to give the exact level of protection that the organization needs.

When you install a Threat Prevention policy on the Security Gateways, they immediately begin to enforce IPS protection on network traffic.

A Threat Prevention profile determines which protections are activated, and which Software Blades are enabled for the specified rule or policy. The protections that the profile activates depend on the:

A Threat Prevention profile applies to one or more of the Threat Prevention Software Blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction.

A profile is a set of configurations based on:

Without profiles, it would be necessary to configure separate rules for different activation settings and confidence levels. With profiles, you get customization and efficiency.

SmartConsole includes these default Threat Prevention profiles:

Optimized Protection Profile Settings

The Optimized profile is activated by default, because it gives excellent security with good gateway performance.

These are the goals of the Optimized profile, and the settings that achieve those goals:

| Goal | Parameter | Setting |
|---|---|---|
| Apply settings to all the Threat Prevention Software Blades | Blades Activation | Activate the profile for IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. |
| Do not have a critical effect on performance | Performance impact | Activate protections that have a Medium or lower effect on performance. |
| Protect against important threats | Severity | Protect against threats with a severity of Medium or above. |
| Reduce false-positives | Confidence | Set to Prevent the protections with an attack confidence of Medium or High. Set to Detect the protections with a confidence of Low. |
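
How the Optimized settings above combine for a single protection, as an added example that is not Check Point code. It is a simplified Python model that assumes one Low/Medium/High scale for every parameter; the names Protection, Profile, effective_action and summarize are hypothetical and the sample protections are constructed.

```python
from dataclasses import dataclass

# Assumption: one Low/Medium/High scale for all three parameters. The page
# names these levels in the Optimized table but does not list the full scales.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class Protection:  # hypothetical record, not a Check Point object
    name: str
    performance_impact: str
    severity: str
    confidence: str

@dataclass(frozen=True)
class Profile:  # hypothetical model of the profile thresholds
    max_performance_impact: str
    min_severity: str
    action_by_confidence: dict

# Optimized profile settings as stated in the table.
OPTIMIZED = Profile("Medium", "Medium",
                    {"Low": "Detect", "Medium": "Prevent", "High": "Prevent"})

def effective_action(profile, p):
    """Return Prevent, Detect, or Inactive (this example's label for a
    protection that the profile does not activate)."""
    for value in (p.performance_impact, p.severity, p.confidence):
        if value not in LEVELS:
            raise ValueError(f"unknown level {value!r} on {p.name}")
    if LEVELS[p.performance_impact] > LEVELS[profile.max_performance_impact]:
        return "Inactive"  # costs the gateway more than the profile allows
    if LEVELS[p.severity] < LEVELS[profile.min_severity]:
        return "Inactive"  # threat is below the severity floor
    return profile.action_by_confidence[p.confidence]

def summarize(profile, protections):
    """Map each protection name to its effective action."""
    return {p.name: effective_action(profile, p) for p in protections}

# Constructed sample protections (not real Check Point protection names).
SAMPLES = [
    Protection("sample-a", "Low", "High", "High"),
    Protection("sample-b", "High", "High", "High"),
    Protection("sample-c", "Medium", "Medium", "Low"),
    Protection("sample-d", "Low", "Low", "High"),
]

if __name__ == "__main__":
    for name, action in summarize(OPTIMIZED, SAMPLES).items():
        print(f"{name}: {action}")
```

In this model, sample-b stays inactive despite high severity and high confidence because its performance impact exceeds the profile limit, which is the trade-off to review before relying on a profile for a specific threat.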

Profiles Pane

The pane shows a list of profiles that have been created, their confidence levels, and performance impact settings. The Profiles pane contains these options:

| Option | Meaning |
|---|---|
| New | Creates a new profile. |
| View | Shows an existing profile. |
| Edit | Modifies an existing profile. |
| Clone | Creates a copy of an existing profile. |
| Delete | Deletes a profile. |
| Where Used | Shows you reference information for the profile. |
| Search | Searches for a profile. |
| Last Modified | Shows who last modified the selected profile, when and on which client. |

Performance Impact

Performance impact is how much a protection affects gateway performance. Some activated protections might cause connectivity or performance issues. You can configure protections that have a higher impact on gateway performance so that they are not set to Prevent or Detect.

There are three options:

Severity

Severity is the probable damage that a successful attack would cause to your environment.

There are three degrees of severity:

Activation Settings

Confidence Level

The confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic. Some attack types are more subtle than others and legitimate traffic can sometimes be mistakenly recognized as a threat. The confidence level value shows how well protections can correctly recognize a specified attack.

Creating Profiles

You can choose from multiple pre-configured profiles, but you cannot change them. You can create a new profile or clone a profile. When you create a new profile, it includes all the Threat Prevention Software Blades by default.

When HTTPS inspection is enabled on the Security Gateway, Threat Emulation, Anti-Bot, and Anti-Virus can analyze the applicable HTTPS traffic.

To create a new Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click a profile and select New.
  4. Configure the settings for the profile.
  5. Click OK.
  6. Install the Threat Prevention policy.

Cloning Profiles

You can create a clone of a selected profile and then make changes. You cannot change the out-of-the-box profiles: Basic, Optimized, and Strict.

To clone a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile and select Clone.
  4. The Name field shows the name of the copied profile plus _copy.
  5. Rename the profile.
  6. Click OK.
  7. Publish the changes.

Using Local or Remote Emulation

This section is for deployments that use an Emulation appliance and run emulation in the internal network.

Note - Prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.

To enable an Emulation appliance for Local and Remote emulation:

  1. In SmartConsole, go to Gateways & Servers and double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the Network Security tab, select SandBlast Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Select Locally on a Threat Prevention device.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Emulation appliance and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. For Local emulation, install the Threat Prevention policy on the Emulation appliance.

To enable Threat Emulation on the Security Gateway for Remote emulation:

  1. In SmartConsole, go to Gateways & Servers and double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Configure the Security Gateway for Remote Emulation:
    1. Select Other Threat Emulation appliances.
    2. Click Next.
    3. Click the + sign to add the emulation appliances. For R80.10 gateways with R80.10 Jumbo Hotfix Accumulator and R77.20 gateways, you can add multiple appliances for remote emulation. For older gateways, you can select only one remote emulation appliance.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Security Gateway and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. Install the Threat Prevention policy on the Security Gateway and the Emulation appliance.

Editing Profiles

You can change the settings of the Threat Prevention profile according to your requirements.

To edit a profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile and select Edit.

Deleting Threat Prevention Profiles

You can delete a profile, but you cannot delete the default Threat Prevention profiles.

To delete a profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Delete.

    A window opens and shows a confirmation message.

  4. Click Yes.

    If the profile is used by another object, you cannot delete it. The error message is shown in the Tasks window.

  5. Install Policy.

To show the objects that use a profile:

  1. From the Profiles page, select the profile.

    The Summary

  2. From the Where Used section in the Summary tab, click Where Used.

    The Where Used window opens and shows the profile.

  3. Right-click the rule and select View in policy.

Showing Changes to a Threat Prevention Profile

You can show the Audit log and see changes that were made to a Threat Prevention profile.

To show the Audit log for a Threat Prevention profile:

  1. In SmartConsole, click Logs & Monitor.
  2. Click the Audit tab, or press CTRL + T and click Open Audit Logs View.
  3. In Enter search query, enter the name of the profile.
  4. To refine the search:
    1. Right-click the Object Type column heading and select Add Filter.
    2. Enter Threat Prevention Profile.
    3. Click the filter to add it to the search.
    4. Click OK.

      The search results are filtered to Threat Prevention profiles.

  5. To see more information about the changes to a profile, double-click the Audit log.

Assigning Profiles to Gateways

When you enable the IPS Software Blade on a pre-R80 gateway, a default IPS rule is automatically created in the IPS policy layer of the Security Policy. The Action of this rule is set according to the IPS setting of the assigned Threat Prevention Profile. You can change the profile from the Action column.

Note - Only the IPS settings from the Threat Prevention Profile apply to the IPS Policy.

To assign a profile to a gateway:

  1. In SmartConsole, select Security Policies > Threat Prevention > Policy > IPS.
  2. Click the Action cell, and select the Threat Prevention profile.
  3. Install the Access Control policy.