Configuring Anti-Bot Settings

Here you can configure the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. UserCheck Settings:

Prevent - Select the UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. message that opens for a Prevent action
Ask - Select the UserCheck message that opens for an Ask action

Blocking Bots

To block bots in your organization, install this default Threat Policy rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that uses the Optimized profile, or create a new rule.

Protected Scope	Action	Track	Install On
*Any	Optimized	Log Packet Capture	*Policy Targets

Protected Scope

Action

Track

Install On

*Any

Optimized

Log

Packet Capture

*Policy Targets

To block bots in your organization

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Gateways & Servers.
2	Enable the Anti-Bot Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on the Gateways that protect your organization. For each Gateway Double-click the Gateway object. In the Gateway Properties page, select the Anti-Bot Software Blade. The First Time Activation window opens. Select According to the Anti-Bot and Anti-Virus policy. Click OK.
3	Click Security Policies > Threat Prevention > Custom Policy. You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile. Alternatively, add a new Threat Prevention rule Click Add Rule. A new rule is added to the Threat Prevention Custom Policy. The Software Blade applies the first rule that matches the traffic. Make a rule that includes these components. Name - Give the rule a name such as Block Bot Activity. Protected Scope -The list of network objects you want to protect. By default, the Any network object is used. Action - The Profile that contains the protection settings you want (see Profiles Pane). The default profile is Optimized. Track - The type of log you want to get when the gateway detects malware on this scope. Install On - Keep it as Policy Targets or select Gateways, on which to install the rule.
4	Install the Threat Prevention Policy. The IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System)., Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions., Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways. To install the Threat Prevention policy From the Global toolbar, click Install Policy. The Install Policy window opens showing the installation targets (Security Gateways). Select Threat Prevention. Select Install Mode: Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. does not affect policy installation on other gateways. If the gateway is a member of a cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., install the policy on all the members. The Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them. Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version. Click OK.

Note - From R81.20 Jumbo Hotfix Accumulator Take 70, there is an enhanced protection against zero-day attacks. It detects and blocks advanced malware variants by automatically analyzing and identifying communication patterns. The feature is disabled by default. To enable it, refer to Malware Prevention Using IP and Port Indicators.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy.

Name	Protected Scope	Action	Track	Install On
Monitor Bot activity	`*Any`	A profile that has these changes relative to the Optimized profile: Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect.	`Log`	`*Policy Targets`

Name

Protected Scope

Action

Track

Install On

Monitor Bot activity

*Any

A profile that has these changes relative to the Optimized profile:

Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect.

Log

*Policy Targets

To monitor all bot activity

Step	Instructions
1	In SmartConsole, select Security Policies > Threat Prevention.
2	Create a new profile From the Custom Policy Tools section, click Profiles. The Profiles page opens. Right-click a profile and select Clone. Give the profile a name such as Monitoring_Profile. Edit the profile, and under Activation Mode, configure all confidence level settings to Detect. Select the Performance Impact - for example, Medium or lower. This profile detects protections that are identified as an attack with low, medium or high confidence and have a medium or lower performance impact.
3	Create a new rule Go to Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Threat Prevention > Custom Policy. Add a rule to the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. The first rule that matches is applied. Make a rule that includes these components. Name - Give the rule a name such as Monitor Bot Activity. Protected Scope -The list of network objects you want to protect. By default, the Any network object is used. Action - The Profile that contains the protection settings you want (see Profiles Pane). The default profile is Optimized. Track - The type of log you want to get when the gateway detects malware on this scope. Install On - Keep it as Policy Targets or select Gateways, on which to install the rule.
4	Install the Threat Prevention Policy. The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways. To install the Threat Prevention policy From the Global toolbar, click Install Policy. The Install Policy window opens showing the installation targets (Security Gateways). Select Threat Prevention. Select Install Mode: Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways. If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them. Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version. Click OK.