Threat Prevention Engine Settings
This section explains how to configure advanced Threat Prevention settings that are in the Engine Settings window, including: inspection engines, the Check Point Online Web Service (ThreatCloud
The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. repository), internal email whitelist, file type support for Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. and Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and more.
To get to the Engine Settings window, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.
The Threat Prevention Engine Settings window opens.
Fail Mode
Select the behavior of the ThreatSpect engine if it is overloaded or fails during inspection. For example, if the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. inspection is terminated in the middle because of an internal failure. By default, in such a situation all traffic is allowed.
-
Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
-
Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.
Check Point Online Web Service
The Check Point Online Web Service is used by the ThreatSpect engine for updated resource categorization. The responses the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. gets are cached locally to optimize performance.
-
Block connections when the web service is unavailable
-
When selected, connections are blocked when there is no connectivity to the Check Point Online Web Service.
-
When cleared, connections are allowed when there is no connectivity (default).
-
-
Resource categorization mode
-
Background - connections are allowed until categorization is complete - When a connection cannot be categorized with a cached response, an uncategorized response is received. The connection is allowed, and in the background, the Check Point Online Web Service continues the categorization procedure. After the classification is complete, a "Detect
UserCheck rule action that allows traffic and files to enter the internal network and logs them." log is generated. The log includes this description: "Connection was allowed because background classification mode was set". The response is cached locally for future requests (default).
This option reduces latency in the categorization process. -
Hold - connections are blocked until categorization is complete - When a connection cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.
-
Custom - configure different settings depending on the service - Lets you set different modes for Anti-Bot
Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. and Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.. For example, click Customize to set Anti-Bot to Hold mode and Anti-Virus to Background mode.
If you change Background mode to Hold mode, the Security Gateway holds the file and does not send it to the client browser. The Browser shows the file as still being downloaded, but the download is stuck at some point. The Security Gateway continues the download only after the scan is complete or if a timeout occurred at the Security Gateway. If the file is malicious, the Security Gateway stops sending the file.
Note - If the "Prevent UserCheck rule action that blocks traffic and files and can show a UserCheck message." action is used in the Threat Prevention policy, then a file that Threat Emulation identified as malware in the past, is blocked. The file will not be sent to the destination even in the "Background" mode. -
Connection Unification
Gateway traffic generates a large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or a site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log. For connections that are allowed or blocked in the Anti-Bot, Threat Emulation, and Anti-Virus Rule Base All rules configured in a given Security Policy. Synonym: Rulebase., the default session is 10 hours (600 minutes).
To adjust the length of a session
|
Step |
Instructions |
|---|---|
|
1 |
Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > General > Connection Unification > Session unification timeout (minutes). |
|
2 |
Enter the required value. |
|
3 |
Click OK. |
Configuring Anti-Bot Whitelist
The Suspicious Mail engine scans outgoing emails. You can create a list of email addresses or domains whose internal emails are not inspected by Anti-Bot.
To add an email address or domain whose internal emails are not scanned by Anti-Bot
|
Step |
Instructions |
|---|---|
|
1 |
Go to the Manage & Settings > Blades > Threat Prevention > Advanced Settings > Anti-Bot. |
|
2 |
Click the + sign. |
In this window, you can also edit or remove the entries in the list.
Selecting Emulation File Types
You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types.
To select Threat Emulation file types that are supported in Threat Prevention profiles
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole |
|
2 |
From the Threat Prevention section, click Advanced Settings. The Threat Prevention Engine Settings window opens. |
|
3 |
From the Threat Emulation Settings section, click Configure file type support. The File Types Support window opens. |
|
4 |
Select the file types that are sent for emulation. By default |
|
5 |
Click OK and close the Threat Prevention Engine Settings window. |
|
6 |
Install the Threat Prevention policy. |
Configuring Advanced Engine Settings for Threat Extraction
Advanced engine settings let you configure file type support and mail signatures for the Threat Extraction blade
To configure file type support
|
Step |
Instructions |
|---|---|
|
1 |
Click the Manage & Settings view > Blades > Threat Prevention > Advanced Settings. The Threat Prevention Engine Settings window opens. |
|
2 |
In Threat Extraction, click Configure File Type Support. The Threat Extraction Supported File Types window opens. |
|
3 |
From the list select the file types which the Threat Extraction blade supports. |
|
4 |
Click OK. |
To configure mail signatures
|
Step |
Instructions |
|
|---|---|---|
|
1 |
In the Threat Prevention Engine Settings window > Threat Extraction, click Configure Mail Signatures. The Threat Extraction Mail Signatures window opens.
Use this window to configure text for:
You can click the Insert Field button to inset a reference ID into the signature text. Use this ID to send the recipient the file. You can also find the ID in the logs. On the gateway, run the command:
|
|
|
2 |
Click OK. |