
Configuring Threat Extraction on the Gateway

In This Section:

Configuring Threat Extraction on the Security Gateway

Threat Extraction and Endpoint Security

Configuring Threat Extraction in a Cluster

Threat Extraction Statistics

Using the Gateway CLI

Storage of Original Files

Configuring Threat Extraction on the Security Gateway

To configure the Threat Extraction blade on the gateway:

  1. Enable the Threat Extraction Blade:
    1. On the General Properties > Network Security tab, select Threat Extraction.

      The Threat Extraction First Time Activation Wizard opens.

    2. Optional: If you want Threat Extraction to scan email attachments, you must enable the MTA and configure the Domain and Next Hop.

      If you do not want Threat Extraction to scan email attachments, click Skip this configuration now.

    3. Click Next.
    4. Click Finish.
  2. In the Gateways & Servers view, open the gateway properties > Threat Extraction page.
  3. Make sure the Activation Mode is set to Active.
  4. In the Resource Allocation section, configure the resource settings.
  5. Click OK.
  6. Install the Access Control Policy.

In addition to configuring Threat Extraction on the gateway, enable Threat Extraction to scan one or all of these types of documents:

Threat Extraction and Endpoint Security

When both the Threat Extraction blade and the SandBlast Agent for Browsers are activated on the network Security Gateway, a special configuration is required. Without this configuration, when you download a file, it can be cleaned twice, both by the Threat Extraction blade and by the SandBlast Agent.

To prevent this, the Security Gateway adds a digital signature to all the files cleaned by the Threat Extraction blade. When the SandBlast Agent intercepts a downloaded file, it verifies the digital signature. If the signature is verified successfully, the SandBlast Agent does not send the file for cleaning, so the file is not cleaned twice.

For details on how to configure the digital signature on the Security Gateway and how to configure the Endpoint management, see sk142732.

Configuring Threat Extraction in a Cluster

The cluster configuration is similar to the gateway configuration, except for specific instructions that are only relevant to a cluster.

To configure Threat Extraction in a cluster:

  1. In the Gateways & Servers view, right-click the cluster and click Edit.
  2. Open the ClusterXL and VRRP page.
  3. Select High Availability.

Notes:

Threat Extraction Statistics

You can see Threat Extraction statistics in the CLI:

  1. Open the command line interface of the gateway with the Threat Extraction enabled.
  2. Run these commands:
    • cpview
    • cpstat scrub -f threat_extraction_statistics

Using the Gateway CLI

The gateway has a Threat Extraction menu to:

To use the Threat Extraction command line:

  1. Log in to the Security Gateway.
  2. Enter expert mode.
  3. Enter: scrub

    A menu shows these options:

    Option

    Description

    debug

    Controls debug messages.

    queues

    Shows information on Threat Extraction queues. This command helps you understand the queue status and load on the mail transfer agent (MTA) and the scrubd daemon. The command shows:

    • Current number of pending requests from the MTA to the scrubd daemon
    • Maximum number of pending requests from the MTA to the scrubd daemon
    • Current number of pending requests from scrubd to scrub_cp_file_convert
    • Maximum number of pending requests from scrubd to scrub_cp_file_convert

    send_orig_email

    Sends the original email to the recipients. To send the original email, you need:

    • The reference number - Click the link in the email received by the user.
    • The email ID - Found in the Logs & Monitor logs or in the debug logs.

    bypass

    Bypasses all files. Use this command to debug issues with the scrub (Threat Extraction) daemon. When you set bypass to active, requests from the mail transfer agent (MTA) to the scrub daemon are not handled, Threat Extraction is suspended, and no files are cleaned.

    counters

    Shows and resets counters.

    update

    Manages updates from the download center.

    send_orig_file

    Sends the original file by email.

    cache

    Shows and resets the cache.

    backup_expired_mail

    Backs up expired mails to external storage.

Storage of Original Files

The Threat Extraction blade reconstructs files (cleans them or converts them to PDF) to eliminate potentially malicious content. After the Threat Extraction blade reconstructs the files, the original files are saved on the gateway for a default period.

Mail attachments

Mail attachments are saved for a default period of 14 days.

To configure a different number of days for storage of mail attachments:

  1. In SmartConsole, go to the gateway editor > Threat Extraction > Resource Allocation > Delete stored original files older than x Days.
  2. Change the number of days as required. The maximum is 45 days.

To save the files for a longer period, you must back them up to external storage.

Web downloads

Web downloads are saved for a default period of 2 days.

To configure a different number of days for storage of web downloads:

  1. Edit $FWDIR/conf/scrub_debug.conf
  2. Search for http_keep_original_duration and change the value as required. The value can be between 2 and 45 days.

To save the files for a longer period, you must back them up to external storage.

Backup to External Storage

When you run out of disk space, you can back up e-mail attachments or web downloads to external storage.

Notes:

To back up original files to external storage:

  1. Create the backup folder.

    Run: mkdir /mnt/<local_backup_folder>

  2. Mount the backup folder to the remote folder.

    Run: mount -t cifs <remote_folder> /mnt/<local_backup_folder>

    Example: mount -t cifs //MyServer/MyBackupFolder /mnt/MyLocalBackupFolder

    Best Practice - To preserve the mount configuration after a reboot, configure a Scheduled Job that runs the applicable "mount" command "At startup" (in the Gaia portal, go to System Management > Job Scheduler).

  3. Edit $FWDIR/conf/scrub_debug.conf, and search for :external_storage.
    1. Change the enabled value from "0" to "1".
    2. In the external_path parameter, write the full path to the local backup folder.
    3. The expired_in_days parameter sets the backup date. The value you enter for this parameter specifies how many days before expiration the backup is performed.

    Example:

    :external_storage (
        :enabled (1)
        :external_path ("/mnt/MyLocalBackupFolder")
        :expired_in_days (5)
    )
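The checker below is an added example, not part of this guide or of the Check Point product: it parses a constructed fragment in the ":key (value)" style used by scrub_debug.conf and checks the http_keep_original_duration range and the :external_storage settings against the limits described in the two sections above. The parse rules (quoted strings or bare integers, one level of nesting) and the check that expired_in_days falls inside the mail retention window are assumptions, not product behaviour.

```python
import re

# Constructed sample of $FWDIR/conf/scrub_debug.conf fragments in the ":key (value)"
# style shown above; the 60-day value is deliberately outside the documented range.
SAMPLE_CONF = """\
:http_keep_original_duration (60)
:external_storage (
    :enabled (1)
    :external_path ("/mnt/MyLocalBackupFolder")
    :expired_in_days (5)
)
"""

LEAF = re.compile(r'^:(\w+)\s*\((.*)\)\s*$')   # :key (value)
OPEN = re.compile(r'^:(\w+)\s*\(\s*$')         # :section (

def parse_scrub_conf(text):
    """Parse ':key (value)' lines and ':section ( ... )' nesting into dicts.
    Assumption (not from the guide): values are quoted strings or bare integers."""
    stack = [{}]                                # stack[0] is the top-level dict
    for raw in text.splitlines():
        line = raw.strip()
        if line == ')':                         # end of the current section
            stack.pop()
        elif (m := OPEN.match(line)):           # start a nested section
            section = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
        elif (m := LEAF.match(line)):           # leaf: quoted string or integer
            value = m.group(2).strip()
            stack[-1][m.group(1)] = value.strip('"') if value.startswith('"') else int(value)
    return stack[0]

def check_scrub_conf(conf, mail_retention_days=14):
    """Return findings against the limits documented in this section."""
    findings = []
    keep = conf.get('http_keep_original_duration')
    if keep is not None and not 2 <= keep <= 45:
        findings.append(f'http_keep_original_duration={keep}: must be between 2 and 45 days')
    ext = conf.get('external_storage', {})
    if ext.get('enabled') not in (0, 1):
        findings.append('external_storage.enabled must be 0 or 1')
    if ext.get('enabled') == 1:
        path = str(ext.get('external_path', ''))
        if not path.startswith('/'):
            findings.append(f'external_path={path!r}: expected a full path to the mounted folder')
        days = ext.get('expired_in_days')
        # Assumption: the backup must fire inside the retention window, so 0 < days < retention.
        if days is None or not 0 < days < mail_retention_days:
            findings.append(f'expired_in_days={days}: expected between 1 and {mail_retention_days - 1}')
    return findings
```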

To manually test the backup:

  1. Run this command: scrub backup_expired_mail <days for expired entries> <external_path>

    For <days for expired entries>, enter "0".