Threat Prevention Scheduled Updates

Introduction to Scheduled Updates

Check Point wants the customer to be protected. When a protection update is available, Check Point wants the configuration to be automatically enforced on the gateway. You can configure automatic gateway updates for the Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). blades.

For the Anti-Virus, Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. and Threat Emulation, the gateways download the updates directly from the Check Point cloud.

For the IPS blade, prior to R80.20, the updates were downloaded to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., and only after you installed policy, the gateways could enforce the updates. Starting from R80.20, the gateways can directly download the updates. For R80.20 gateways and higher with no internet connectivity, you must still install policy to enforce the updates.

When you configure automatic IPS updates on the gateway, the action for the newly downloaded protections is by default according to the profile settings.

IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default. Threat Emulation engine updates are performed daily at 05:00 by default, and Threat Emulation image updates are performed daily at 04:00 by default.

You can see the list of Anti-Bot and Anti-Virus protections in Custom Policy Tools > Protections, and the list of IPS protections in Custom Policy Tools > IPS Protections. The update date appears next to each protection.

Configuring Threat Prevention Scheduled Updates

To configure Threat Prevention scheduled updates

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to Security Policies > Threat Prevention > Custom Policy.
2	At the bottom section, go to Custom Policy Tools > Updates.
3	In the section for the applicable Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities., click Schedule Update. The Scheduled Updates window opens.
4	Make sure Enable <blade> scheduled updates is selected.
5	For IPS, there are 2 more configuration options for scheduling Security Management Server updates On successful IPS update on the Security Management Server, install policy on the Security Gateway - automatically installs the policy on the devices you select after the IPS update is completed. Click Configure to select these devices. Note - In pre-R80 gateways, IPS was part of the Access Control policy. Therefore, when you select this option, a message shows which indicates that for pre-R80 gateways, the Access Control policy is installed and for R80 and above gateways, the Threat Prevention policy is installed. Perform retries on the Security Management Server when the update fails - lets you configure the number of tries the scheduled update makes if it does not complete successfully the first time.
6	Click Configure.
7	In the window that opens, set the Time of event Update every: set the update frequency by hours OR - Update at: set the update frequency by days: Daily - Every day Days in week - Select days of the week Days in month - Select dates of the month
8	Click OK.
9	Click Close.
10	Install the Threat Prevention policy.

Checking Update Status

In Custom Policy Tools > Update, a message shows which indicates the number of gateways which are up-to-date.

To check if the protections are update on a specific gateway

Step	Instructions
1	In the Gateways & Servers view, select a gateway.
2	Click the Monitor button. The Device & License Information window opens.
3	The Device Status page shows the gateway status.

Step

Instructions

In the Gateways & Servers view, select a gateway.

Click the Monitor button.

The Device & License Information window opens.

The Device Status page shows the gateway status.

Turning Off IPS Automatic Updates on a Gateway

You can turn off automatic IPS updates on a specific gateway.

To turn off automatic IPS updates on a specific gateway

Step	Instructions
1	In SmartConsole, to the Gateways & Servers view, and double-click a gateway. The gateway properties window opens.
2	In the navigation tree, go to the IPS page.
3	In IPS Update Policy, select Use IPS management updates.
4	Click OK.
5	Install the Threat Prevention Policy.

IPS Updates Use Cases

These scenarios explain how an upgrade of the Security Gateways or the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or both, affects the Scheduled Updates configuration.