Out-of-the-Box Protection from Threats

Getting Quickly Up and Running with the Threat Prevention Policy

You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.

Quickly getting up and running with Threat Prevention

Step	Instructions
1	Enable the Threat Prevention blades on the gateway.
2	Install Policy.

After you enable the blades and install the policy, this rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. is generated:

Name	Protected Scope	Action	Track	Install On
Out-of-the-box Threat Prevention policy	`*Any`	Optimized	`Log` `Packet Capture`	`*Policy Targets`

Name

Protected Scope

Action

Track

Install On

Out-of-the-box Threat Prevention policy

*Any

Optimized

Log

Packet Capture

*Policy Targets

Enabling the Threat Prevention Software Blades

Enabling the IPS Software Blade

Step	Instructions
1	In the Gateways & Servers view, double-click the gateway object. The General Properties window opens.
2	In the General Properties > Network Security tab, click IPS.
3	Follow the steps in the wizard that opens.
4	Click OK.
5	Click OK in the General Properties window.
6	Click Install Policy (see Installing the Threat Prevention Policy).

Enabling the Anti-Bot Software Blade

Step	Instructions
1	In the Gateways & Servers view, double-click the gateway object. The General Properties window of the gateway opens.
2	From the Network Security tab, select Anti-Bot. The Anti-Bot and Anti-Virus First Time Activation window opens.
3	Select an activation mode option: According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and use the Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. settings of the Threat Prevention profile in the Threat Prevention policy. Detect only - Packet are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..
4	Click OK.
5	Click Install Policy, (see Installing the Threat Prevention Policy).

Enabling the Anti-Virus Software Blade

Step	Instructions
1	In the Gateways & Servers view, double-click the gateway object. The General Properties window of the gateway opens.
2	From the Network Security tab, click Anti-Bot. The Anti-Bot and Anti-Virus First Time Activation window opens.
3	Select one of the activation mode options: According to the Anti-Bot and Anti-Virus policy: Enable the Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. Software Blade and use the Anti-Virus settings of the Threat Prevention profile in the Threat Prevention policy. Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
4	Click OK.
5	Click Install Policy, (see Installing the Threat Prevention Policy).

Enabling SandBlast Threat Emulation

When you enable Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE., the wizard automatically gives you the option to enable Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX..

Procedure

Step

Instructions

In the Gateways & Servers view, double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

The Gateway Properties window opens.

From the Network Security tab, select SandBlast Threat Emulation.

The Threat Emulation wizard opens and shows the Emulation Location page.

Select the Emulation Location:

ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. Emulation Service
Locally on this Threat Emulation appliance
Other Threat Emulation appliances

Click Next.

The Activate Threat Extraction window opens, with this checkbox selected:

Clean potentially malicious parts from files (Threat Extraction

To activate Threat Extraction, keep this checkbox selected:

If you do not to activate Threat Extraction, clear this checkbox.

Click Next.

The Summary page opens.

Note - If you selected the Emulation Location as Locally on this Threat Emulation appliance or Other Threat Emulation appliances, and you want to share Threat Emulation information with ThreatCloud, select Share attack information with ThreatCloud.

Click Finish to enable Threat Emulation (and if selected, Threat Extraction), and then close the First Time Configuration Wizard.

Click OK.

The Gateway Properties window closes.

Click Install Policy (see Installing the Threat Prevention Policy).

Note - When a trial license is installed on the Security Gateway, a green "V" incorrectly appears next to the Threat EmulationSoftware Blade (in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the Gateways & Servers view > right-click the Security Gateway / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object > click Monitor) > the Device and License Information window opens > Device Status > Threat Emulation).

To see the correct license status, go to the License Status tab in the Device and License Information window

Using Cloud Emulation

Files are sent to the Check Point ThreatCloud over a secure TLS connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

Best Practice

For ThreatCloud emulation, it is necessary that the Security Gateway connects to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.

Enabling SandBlast Threat Extraction

procedure

Step

Instructions

In the Gateways & Servers view, double-click the gateway object.

The General Properties window of the gateway opens.

Go to the Network Security tab, and select Threat Extraction.

Note - In a ClusterXL High Availability environment, do this once for the cluster object.

Notes -

When you enable Threat Extraction, web download scan is automatically enabled.
For Threat Extraction to scan e-mail attachments, configure the Security Gateway as a Mail Transfer Agent Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component. Acronym: MTA. (MTA) (see Configuring the Security Gateway as a Mail Transfer Agent).
For Threat Extraction API support, in the Security Gateway Properties, go to Threat Extraction > Web API > Enable API.

Configuring LDAP

If you use LDAP for user authentication, you must activate User Directory Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions. for Security Gateways.

Procedure

Step	Instructions
1	Open SmartConsole > Global Properties.
2	On the User Directory page, select Use User Directory for Security Gateways.
3	Click OK.

Installing the Threat Prevention Policy

The IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System)., Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

Procedure

Step	Instructions
1	From the Global toolbar, click Install Policy. The Install Policy window opens showing the installation targets (Security Gateways).
2	Select Threat Prevention.
3	Select Install Mode: Install on each selected gateway independently Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways. If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them. Install on all selected gateways, if it fails do not install on gateways of the same version Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
4	Click OK.

Disabling the Threat Prevention Blades

When you disable all the Threat Prevention Software Blades in a Security Gateway object, you must click the "Install Policy" button and then click the "Uninstall Threat Prevention Policy" link.

Predefined Rule

When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection, (the protected scope value equals any, see Protected Scope) is inspected for all protections according to the Optimized profile. (see Profiles Pane). By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.

The result of this rule (according to the Optimized profile) is that:

When an attack meets the below criteria, the protections are set to Prevent mode
- Confidence Level - Medium or above
- Performance Impact - Medium or above
- Severity - Medium or above
When an attack meets the below criteria, the protections are set to Detect mode
- Confidence Level - Low
- Performance Impact - Medium or above
- Severity - Medium or above

Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.

You can add more exceptions that prevent or detect specified protections or have different tracking settings.