Getting Started with Custom Threat Prevention

You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.

1. Enable Custom Threat Prevention Software Blades in the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

   Enabling the IPS Software Blade

   Step	Instructions
   1	In the Gateways & Servers view, double-click the Security Gateway / Cluster object. The General Properties window opens.
   2	In the General Properties > Network Security tab, select IPS.
   3	Follow the steps in the wizard that opens.
   4	Click OK.
   5	Click OK in the General Properties window.

   Enabling the Anti-Bot Software Blade

   Step	Instructions
   1	In the Gateways & Servers view, double-click the Security Gateway / Cluster object. The General Properties window opens.
   2	In the General Properties > Network Security tab, select Anti-Bot. The Anti-Bot and Anti-Virus First Time Activation window opens.
   3	Select an activation mode option: According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and use the Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. settings of the Threat Prevention profile in the Threat Prevention policy. Detect only - Packet are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..
   4	Click OK.

   Enabling the Anti-Virus Software Blade

   Step	Instructions
   1	In the Gateways & Servers view, double-click the Security Gateway / Cluster object. The General Properties window opens.
   2	In the General Properties > Network Security tab, select Anti-Bot. The Anti-Bot and Anti-Virus First Time Activation window opens.
   3	Select one of the activation mode options: According to the Anti-Bot and Anti-Virus policy: Enable the Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. Software Blade and use the Anti-Virus settings of the Threat Prevention profile in the Threat Prevention policy. Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base.
   4	Click OK.

   Enabling the Threat Emulation Software Blade

   When you enable Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE., the wizard automatically gives you the option to enable Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX..

   Step	Instructions
   1	In the Gateways & Servers view, double-click the Security Gateway / Cluster object. The Gateway Properties window opens.
   2	In the General Properties > Network Security tab, select SandBlast Threat Emulation. The Threat Emulation wizard opens and shows the Emulation Location page.
   3	Select the Emulation Location: ThreatCloud Emulation Service Locally on this Threat Emulation appliance Other Threat Emulation appliances
   4	Click Next. The Activate Threat Extraction window opens, with this checkbox selected: Clean potentially malicious parts from files (Threat Extraction) To activate Threat Extraction, keep this checkbox selected: If you do not want to activate Threat Extraction, clear this checkbox.
   5	Click Next. The Summary page opens. Note - If you selected the Emulation Location as Locally on this Threat Emulation appliance or Other Threat Emulation appliances, and you want to share Threat Emulation information with ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware., select Share attack information with ThreatCloud.
   6	Click Finish to enable Threat Emulation (and if selected, Threat Extraction), and then close the First Time Configuration Wizard.
   7	Click OK. The Gateway Properties window closes.

   Note - When a trial license is installed on the Security Gateway, a green "V" incorrectly appears next to the Threat Emulation Software Blade (in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the Gateways & Servers view > right-click the Security Gateway / Cluster object > click Monitor) > the Device and License Information window opens > Device Status > Threat Emulation). To see the correct license status, go to the License Status tab in the Device and License Information window.

   Using Cloud Emulation

   Files are sent to the Check Point ThreatCloud over a secure TLS connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

   Best Practice - For ThreatCloud emulation, it is necessary that the Security Gateway connects to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.

   Enabling the Threat Extraction Software Blade

   Step	Instructions
   1	In the Gateways & Servers view, double-click the Security Gateway / Cluster object. The General Properties window opens.
   2	In the General Properties > Network Security tab, and select Threat Extraction. Note - In a ClusterXL High Availability environment, do this once for the cluster object.

   Notes: When you enable Threat Extraction, web download scan is automatically enabled. For Threat Extraction to scan e-mail attachments, configure the Security Gateway as a Mail Transfer Agent Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component. Acronym: MTA. (MTA) (see Configuring the Security Gateway as a Mail Transfer Agent). For Threat Extraction API support, in the Security Gateway Properties, go to Threat Extraction > Web API > Enable API.

   Enabling the Zero Phishing Software Blade

   Step	Instructions
   1	In the Gateways & Servers view, double-click the Security Gateway / Cluster object. The General Properties window opens.
   2	In the General Properties > Network Security tab, select Zero Phishing. The Zero Phishing Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH. First Time Configuration Wizard opens
   3	If HTTPS Inspection is enabled, enter the Fully Qualified Domain Name (FQDN) for the Security Gateway / Cluster, and click Next. If HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. is disabled, this page does not appear. Notes: For In-browser Zero Phishing protection to work, you must have a certificate on the Zero Phishing portal and configure a Fully Qualified Domain Name (FQDN) on the Security Gateway / each Cluster Member Security Gateway that is part of a cluster.. The First Time Configuration Wizard generates a certificate automatically using the HTTPS Inspection certificate. If HTTPS Inspection is not active, the certificate is not required and cannot be generated. The FQDN must be in the DNS records of your DNS server.
   4	The Zero Phishing Software Blade is now active. Notes: If HTTPS Inspection is disabled, we recommend to enable it. For Zero Phishing to work, you must install both the Access Control and the Threat Prevention policies.

   Notes: Make sure that Zero Phishing portal is configured to work on a public IP address. For more information, see sk178769. To ensure that the configuration was applied successfully, visit this page both with HTTP and HTTPS: http://zp-demo.com/verification/zphi_check.html https://zp-demo.com/verification/zphi_check.html If the test is successful, this message appears: In-Browser Zero Phishing feature is working properly

2. Optional: Create your Custom Threat Prevention profiles based on the default Custom Threat Prevention profiles.

   See Threat Prevention Profiles.

3. Optional: Configure advanced Threat Prevention settings:

   • Security Gateway / Cluster object - Settings for Threat Prevention Software Blades and features.

   • Security Policies view > Threat Prevention > Exceptions

   • Security Policies view > Threat Prevention > click Custom Policy > refer to the Custom Policy Tools section

   • Security Policies view > HTTPS Inspection

   • Manage & Settings view > Blades > Threat Prevention > Advanced Settings

   • Security Gateway / each Cluster Member command line - Configuration commands and files (for example, for SSH Deep Inspection)

4. Configure the Custom Threat Prevention policy.

   Procedure

   If the default rule is not enough for your environment, configure the required rules. See Configuring the Threat Prevention Profile and Rules.

   When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection, (the protected scope value equals any, see Protected Scope) is inspected for all protections according to the Optimized profile (see Profiles Pane). By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.

   Name	Protected Scope	Action	Track	Install On
   Out-of-the-box Threat Prevention policy	*Any	Optimized	Log Packet Capture	*Policy Targets

   Notes: The Optimized profile is installed by default (see Optimized Protection Profile Settings). The Protection/Site column is used only for protection exceptions (see Protection).

   The result of this rule (according to the Optimized profile) is that:

   • When an attack meets the below criteria, the protections are set to Prevent mode

     • Confidence Level - Medium or above

     • Performance Impact - Medium or lower

     • Severity - Medium or above

   • When an attack meets the below criteria, the protections are set to Detect mode

     • Confidence Level - Low

     • Performance Impact - Medium or above

     • Severity - Medium or above

5. Install the Custom Threat Prevention policy.

   Procedure

   The Custom Threat PreventionSoftware Blades have a dedicated Threat Prevention policy.

   You can install this policy separately from the policy installation of the Access Control Software Blades.

   Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

   Step	Instructions
   1	From the Global toolbar, click Install Policy. The Install Policy window opens showing the installation targets (Security Gateways).
   2	Select Threat Prevention.
   3	Select the Install Mode: Install on each selected gateway independently Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways. If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them. Install on all selected gateways, if it fails do not install on gateways of the same version Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
   4	Click OK.