Configuring the Threat Prevention Software Blades for Monitor Mode

Configure the settings below if you enabled one of the Threat Prevention Software Blades (IPS, Anti-Bot, Anti-Virus, Threat Emulation or Threat Extraction) on the Security Group in Monitor Mode.

Security Group: a logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. Every Security Group contains: (A) the applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) the applicable management port, to which the Check Point Management Server is connected.

1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Group.

2. From the left navigation panel, click Security Policies > Threat Prevention.

3. Create the Threat Prevention rule that accepts all traffic:

     Protected Scope:              *Any
     Protection/Site/File/Blade:   -- N/A
     Action:                       Applicable Threat Prevention Profile
     Track:                        Log, Packet Capture

   Notes:

     • We recommend the Optimized profile.

     • The Track setting Packet Capture is optional.

     • A Security Group in Monitor Mode inspects a copy of the traffic and cannot drop it, so a Prevent action in the profile is never enforced and would only produce misleading logs. Step 5 therefore sets every confidence level to Detect, so that the logs show what the gateway actually did.

4. Right-click the selected Threat Prevention profile and click Edit.

5. From the left tree, click the General Policy page and configure:

  1. In the Blades Activation section, select the applicable Software Blades.

  2. In the Activation Mode section:

    • In the High Confidence field, select Detect.

    • In the Medium Confidence field, select Detect.

    • In the Low Confidence field, select Detect.

6. From the left tree, click the Anti-Virus page and configure:

  1. In the Protected Scope section, select Inspect incoming and outgoing files.

  2. In the File Types section:

    • Select Process all file types.

    • Optional: Select Enable deep inspection scanning (impacts performance).

  3. Optional: In the Archives section, select Enable Archive scanning (impacts performance).

7. From the left tree, click the Threat Emulation page > click General and configure:

  • In the Protected Scope section, select Inspect incoming files from the following interfaces and, from the menu, select All.

8. Configure other applicable settings for the Software Blades.

9. Click OK.

10. Install the Threat Prevention Policy on the Security Gateway object.
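As an added check that is not part of the original guide and not Check Point's own code: a small Python script that reads the JSON returned by `mgmt_cli show threat-profile name <NAME> --format json` and reports anything that contradicts Steps 5 to 7 before you install policy (a required blade that is not enabled, a confidence level or per-protection override still set to Prevent or Ask, which a Monitor Mode gateway cannot carry out, or a confidence level set to Inactive, which produces no logs). The key names are assumed to match the Management API response and should be confirmed against your own management server; the embedded sample profile is constructed for illustration.

```python
"""Pre-install check for a Threat Prevention profile used in Monitor Mode.

A Security Group in Monitor Mode inspects a copy of the traffic and cannot
drop it, so a Prevent (or Ask) action in the profile is never enforced and
only produces misleading logs.  This script reads the JSON that
`mgmt_cli show threat-profile name <NAME> --format json` returns and
reports every setting that contradicts the Monitor Mode procedure above.
"""
import json
import sys

# Assumption: these key names match the Management API's show threat-profile
# response. Confirm them against the output of your own management server.
BLADE_KEYS = ("ips", "anti-bot", "anti-virus", "threat-emulation")
CONFIDENCE_KEYS = ("confidence-level-high",
                   "confidence-level-medium",
                   "confidence-level-low")
NOT_ENFORCEABLE = {"prevent", "ask"}   # actions a Monitor Mode gateway cannot carry out


def monitor_mode_findings(profile, required_blades=BLADE_KEYS):
    """Return a list of findings; an empty list means the profile matches Steps 5-7."""
    findings = []
    name = profile.get("name", "<unnamed>")
    for blade in required_blades:
        if not profile.get(blade, False):
            findings.append(f"blade '{blade}' is not enabled in profile '{name}'")
    for key in CONFIDENCE_KEYS:
        action = str(profile.get(key, "")).lower()
        if action in NOT_ENFORCEABLE:
            findings.append(f"{key} is '{profile[key]}', expected 'Detect' "
                            "(not enforceable in Monitor Mode)")
        elif action == "inactive":
            findings.append(f"{key} is 'Inactive'; those protections will not be logged")
    # Per-protection overrides can re-introduce Prevent even when all three
    # confidence levels are Detect, so check them as well.
    for override in profile.get("overrides", []):
        action = str(override.get("action", "")).lower()
        if action in NOT_ENFORCEABLE:
            findings.append(f"override for '{override.get('protection')}' is "
                            f"'{override.get('action')}', expected 'Detect'")
    return findings


# Constructed sample: an Optimized-style profile before the procedure is applied.
SAMPLE_BEFORE = json.loads("""
{
  "name": "Optimized",
  "ips": true, "anti-bot": true, "anti-virus": true, "threat-emulation": true,
  "confidence-level-high": "Prevent",
  "confidence-level-medium": "Prevent",
  "confidence-level-low": "Detect",
  "overrides": [
    {"protection": "Example protection (constructed)", "action": "Prevent"}
  ]
}
""")

# Constructed sample: the same profile after Step 5 (all confidence levels
# Detect) and with the override relaxed to Detect as well.
SAMPLE_AFTER = dict(SAMPLE_BEFORE)
SAMPLE_AFTER.update({
    "confidence-level-high": "Detect",
    "confidence-level-medium": "Detect",
    "overrides": [{"protection": "Example protection (constructed)", "action": "Detect"}],
})


def main(argv):
    """Check the profile JSON file named on the command line, else the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            profile = json.load(fh)
    else:
        profile = SAMPLE_BEFORE
    findings = monitor_mode_findings(profile)
    for line in findings:
        print("FINDING:", line)
    print("OK: profile is consistent with Monitor Mode" if not findings
          else f"{len(findings)} finding(s); fix them before installing policy")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the `show threat-profile` output to a file, run the script against it before Step 10, and repeat Steps 4 to 9 until it reports no findings; the non-zero exit status lets you wire the same check into a change pipeline.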

For more information:

See the R81.20 Threat Prevention Administration Guide.