Configuring the Threat Prevention Software Blades for Monitor Mode

Configure the settings below if you enabled one of the Threat Prevention Software Blades (IPS, Anti-Bot, Anti-Virus, Threat Emulation or Threat Extraction) on the Security Gateway in Monitor Mode:

Step 1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.

Step 2. From the left navigation panel, click Security Policies > Threat Prevention.

Step 3. Create the Threat Prevention rule that accepts all traffic:

  Protected Scope: *Any
  Protection/Site/File/Blade: -- N/A
  Action: Applicable Threat Prevention Profile
  Track: Log, Packet Capture

  Notes:

  • We recommend the Optimized profile.

  • The Track setting Packet Capture is optional.

Step 4. Right-click the selected Threat Prevention profile and click Edit.

Step 5. From the left tree, click the General Policy page and configure:

  1. In the Blades Activation section, select the applicable Software Blades.

  2. In the Activation Mode section:

    • In the High Confidence field, select Detect.

    • In the Medium Confidence field, select Detect.

    • In the Low Confidence field, select Detect.

Step 6. From the left tree, click the Anti-Virus page and configure:

  1. In the Protected Scope section, select Inspect incoming and outgoing files.

  2. In the File Types section:

    • Select Process all file types.

    • Optional: Select Enable deep inspection scanning (impacts performance).

  3. Optional: In the Archives section, select Enable Archive scanning (impacts performance).

Step 7. From the left tree, click the Threat Emulation page, click General and configure:

  • In the Protected Scope section, select Inspect incoming files from the following interfaces and, from the menu, select All.

Step 8. Configure other applicable settings for the Software Blades.

Step 9. Click OK.

Step 10. Install the Threat Prevention Policy on the Security Gateway object.
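The following is an added audit script, not Check Point code, that checks a Threat Prevention profile export for the Monitor Mode settings the procedure above configures (all three confidence levels set to Detect, the applicable blades enabled). It assumes the profile JSON uses the key names of the Management API "show threat-profile" output; verify those names against your release, and the sample profile is constructed, not taken from a real gateway.

```python
import json

# Constructed sample, not an export from a real gateway: a profile cloned from
# Optimized that still blocks on High and Medium confidence. Key names follow
# the Management API "show threat-profile" output as assumed here.
SAMPLE_PROFILE = json.loads("""
{
  "name": "Monitor-Optimized",
  "ips": true,
  "anti-bot": true,
  "anti-virus": true,
  "threat-emulation": true,
  "threat-extraction": false,
  "confidence-level-high": "Prevent",
  "confidence-level-medium": "Prevent",
  "confidence-level-low": "Detect"
}
""")

# Step 5 of the procedure: every confidence level must be Detect.
CONFIDENCE_KEYS = ("confidence-level-high",
                   "confidence-level-medium",
                   "confidence-level-low")


def audit_monitor_mode(profile, required_blades=("ips", "anti-bot",
                                                 "anti-virus", "threat-emulation")):
    """Return findings that would make the profile block traffic or skip
    inspection; an empty list means it matches the Monitor Mode settings."""
    findings = []
    for key in CONFIDENCE_KEYS:
        value = profile.get(key)
        if value != "Detect":
            findings.append(f"{key} is {value!r}, Monitor Mode requires 'Detect'")
    for blade in required_blades:
        if not profile.get(blade, False):
            findings.append(f"blade {blade!r} is not enabled in Blades Activation")
    return findings


def to_monitor_mode(profile):
    """Return a copy with all three confidence levels set to Detect."""
    fixed = dict(profile)
    fixed.update({key: "Detect" for key in CONFIDENCE_KEYS})
    return fixed


if __name__ == "__main__":
    for finding in audit_monitor_mode(SAMPLE_PROFILE):
        print("FINDING:", finding)
    print("after fix:", audit_monitor_mode(to_monitor_mode(SAMPLE_PROFILE)))
```

Run it against the JSON of your own profile before installing policy; any finding means the gateway would still enforce Prevent or leave a selected blade uninspected.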

For more information:

See the R81.20 Threat Prevention Administration Guide.