Configuring Threat Emulation on the Security Gateway

Preparing for Local or Remote Emulation

Prepare the network and Threat Emulation appliance for Local or Remote deployment in the internal network.

Step	Instructions
1	Open SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..
2	Create the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object for the Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. appliance.
3	If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. (see HTTPS Inspection).
4	Make sure that the traffic is sent to the appliance according to the deployment: Local Emulation - The Threat Emulation appliance receives the traffic. The appliance can be configured for traffic the same as a Security Gateway. Remote Emulation - The traffic is routed to the Threat Emulation appliance.

Using Local or Remote Emulation

This section is for deployments that use a Threat Emulation appliance and run emulation in the internal network.

Note - Prepare the network for the Threat Emulation appliance before you run the First Time Configuration Wizard (see The Threat Emulation Solution).

To enable a Threat Emulation appliance for Local emulation

Step	Instructions
1	In SmartConsole, go to Gateways & Servers and double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the Threat Prevention tab, select SandBlast Threat Emulation. The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
3	Select Locally on a Threat Prevention device. shouldn't it be-locally on this appliance?
4	Click Next. The Summary page opens.
5	Click Finish to enable Threat Emulation on the Threat Emulation appliance and close the First Time Configuration Wizard.
6	Click OK. The Gateway Properties window closes.
7	For Local emulation, install the Threat Prevention policy on the Threat Emulation appliance.

To enable Threat Emulation on Security Gateway for Remote emulation

Step	Instructions
1	In SmartConsole, go to Gateways & Servers and double-click the Security Gateway object. The Gateway Properties window opens.
2	From the Threat Prevention tab, select SandBlast Threat Emulation. The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.
3	Configure the Security Gateway for Remote Emulation: Select Other Threat Emulation appliances. Click Next. Click the + sign to add emulation appliances (you can select more than one appliance for the emulation).
4	Click Next. The Summary page opens.
5	Click Finish to enable Threat Emulation on the Security Gateway close the First Time Configuration Wizard.
6	Click OK. The Gateway Properties window closes.
7	Install the Threat Prevention policy on the Security Gateway and the Threat Emulation appliance.

Changing the Analysis Location

When you run the Threat Emulation First Time Configuration Wizard, you select the location of the emulation analysis. You can use the Threat Emulation window in Gateway Properties to change the location.

Note - The Threat Prevention policy defines the analysis location that is used for emulation (see Emulation Environment).

To change the location of the emulation analysis

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation. The Threat Emulation page opens.
3	From the Analysis Location section, select the emulation location According to the gateway - According to the gateway configuration. Specify: Check Point ThreatCloud - Files are sent to the Check Point ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. for emulation. Local Gateway - This Security Gateway does the emulation. This option is not supported for R80.40. Remote Emulation Appliances - Remote appliances do the emulation. You can select one or more appliances on which the emulation is performed.
4	Optional Select Emulate files on ThreatCloud if not supported locally. If files are not supported on the Threat Emulation appliance and they are supported in the ThreatCloud, they are sent to the ThreatCloud for emulation. No additional license is necessary for these files.
5	Click OK.
6	Install the policy on the Threat Emulation appliance.

Setting the Activation Mode

You can change the Threat Emulation protection Activation Mode of the Security Gateway or Threat Emulation appliance. The emulation can use the Prevent UserCheck rule action that blocks traffic and files and can show a UserCheck message. action that is defined in the Threat Prevention policy or only Detect UserCheck rule action that allows traffic and files to enter the internal network and logs them. and log malware.

To configure the activation mode

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation. The Threat Emulation page opens.
3	From the Activation Mode section, select one of these options: According to policy Detect only
4	Click OK, and then install the policy.

Optimizing System Resources

The Resource Allocation settings are only for deployments that use a Threat Emulation appliance. Threat Emulation uses system resources for emulation to identify malware and suspicious behavior. You can use the Resource Allocation settings to configure how much of the Threat Emulation appliance resources are used for emulation. When you change these settings, it can affect the network and emulation performance.

You can configure the settings for these system resources:

Minimum available hard disk space (If no emulation is done on a file, the Threat Prevention Fail Mode settings determine if the file is allowed or blocked (see Fail Mode).
Maximum available RAM that can be used for Virtual Machines.

If you plan to change the available RAM, these are the recommended settings:

If the appliance is only used for Threat Emulation, increase the available RAM.
If the appliance is also used for other Software Blades, decrease the available RAM.

To optimize the system resources for the Threat Emulation appliance

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation > Advanced. The Advanced page opens.
3	Stopping the emulation is determined when the Log storage mechanism automatically deletes log files. Therefore, in order to change the relevant configured value (Note - It also affects the Log's files deletion). Navigate to Logs > Local Storage >. And from When disk space is below `<value>` Start deleting old files, you can change the `<value>`.
4	To configure the maximum amount of RAM that is available for emulation, select Limit memory allocation. The default value is 70% of the total RAM on the appliance.
5	Optional: To change the amount of available RAM Click Configure. The Memory Allocation Configuration window opens. Enter the value for the memory limit: % of total memory - Percentage of the total RAM that Threat Emulation can use. Valid values are between 20 - 90%. MB - Total MB of RAM that Threat Emulation can use. Valid values are between 512MB - 1000GB. Click OK.
6	From When limit is exceeded traffic is accepted with track Select the action if a file is not sent for emulation: None - No action is done Log - The action is logged Alert - An alert is sent to SmartView Monitor
7	Click OK, and then install the policy.

Managing Images for Emulation

You can define the operating system images that Threat Emulation uses, for each appliance, and for each Threat Emulation profile. If different images are defined for a profile and for an appliance, Threat Emulation will use the images that are selected in both places. An image that is selected only for the appliance or for the profile will not be used for emulation.

To manage the images that the appliance uses for emulation

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation > Advanced. The Advanced page opens.
3	From the Image Management section, select the applicable option for your network: Use all the images that are assigned in the policy - The images that are configured in the Emulation Environment window are used for emulation. Use specific images - Select one of more images that the Security Gateway can use for emulation.
4	Click OK, and then install the policy.