Threat Prevention Scheduled Updates - Autonomous Threat Prevention
Introduction to Scheduled Updates
Check Point's goal is for customers to stay protected: when a protection update is available, the updated configuration should be enforced on the gateway automatically. You can configure automatic gateway updates for Anti-Virus (AV), Anti-Bot (AB, ABOT), Threat Emulation (TE) and IPS (Intrusion Prevention System).
For Anti-Virus, Anti-Bot and Threat Emulation, the gateways download the updates directly from the Check Point cloud.
For IPS, prior to R80.20, the updates were downloaded to the Security Management Server, and the gateways could enforce them only after you installed policy. Starting from R80.20, the gateways can download the updates directly. For R80.20 and higher gateways with no internet connectivity, you must still install policy to enforce the updates.
When you configure automatic IPS updates on the gateway, newly downloaded protections by default get the action defined in the profile settings.
IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default. Threat Emulation engine updates are performed daily at 05:00 by default, and Threat Emulation image updates are performed daily at 04:00 by default.
Configuring Threat Prevention Scheduled Updates
1. In SmartConsole, go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools.
2. Go to Updates.
3. Go to the section for the required Software Blade and click Schedule Update.
   The Scheduled Updates window opens.
4. Make sure Enable <blade> scheduled updates is selected.
5. For IPS, there are 2 more configuration options for scheduling Security Management Server updates.
6. In the window that opens, set the Time of event.
7. Install the Threat Prevention policy.
Checking Update Status
In Autonomous Policy Tools > Updates, a message shows how many gateways are up to date.
1. In the Gateways & Servers view, select a gateway.
2. Right-click the gateway, and select the Monitor button.
   The Device & License Information window opens.
3. The Device Status page shows the gateway status.
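As an added example (not code from the Check Point guide), the following Python applies the IPS delivery rules from the introduction (pre-R80.20 or offline gateways receive IPS updates only through the Security Management Server and a policy installation; R80.20 and higher gateways with internet access download directly; a gateway set to "Use IPS management updates" is treated like an offline one) together with the default update intervals, and flags blades whose last update is older than twice the default interval, which is the kind of check the status page above supports. The gateway inventory, names, timestamps and the 2x tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Default update intervals stated in the guide: IPS, Anti-Virus and Anti-Bot
# every two hours; Threat Emulation engine and images once a day.
DEFAULT_INTERVAL = {
    "ips": timedelta(hours=2),
    "anti-virus": timedelta(hours=2),
    "anti-bot": timedelta(hours=2),
    "threat-emulation-engine": timedelta(days=1),
    "threat-emulation-image": timedelta(days=1),
}

def parse_version(version):
    """'R80.20' -> (80, 20); 'R81' -> (81, 0)."""
    major, _, minor = version.lstrip("Rr").partition(".")
    return (int(major), int(minor or 0))

def ips_update_path(version, has_internet, use_mgmt_updates=False):
    """Where a gateway receives IPS protection updates, per the guide's rules."""
    if use_mgmt_updates or parse_version(version) < (80, 20):
        return "management-server"   # enforced only after policy installation
    if not has_internet:
        return "management-server"   # R80.20+ but cannot reach the cloud
    return "direct"

def stale_blades(gateway, now, tolerance=2):
    """Blades whose last update is older than tolerance x the default interval
    (the 2x tolerance is an assumption, not a value from the guide)."""
    return [blade for blade, last in gateway["last_update"].items()
            if now - last > tolerance * DEFAULT_INTERVAL[blade]]

def report(gateways, now):
    """Per gateway: IPS update path and the list of stale blades."""
    return {g["name"]: {"ips_path": ips_update_path(g["version"], g["internet"],
                                                    g.get("use_mgmt_updates", False)),
                        "stale": stale_blades(g, now)} for g in gateways}

# Constructed inventory (not real gateways); timestamps are relative to NOW.
NOW = datetime(2024, 1, 10, 12, 0)
GATEWAYS = [
    {"name": "gw-branch", "version": "R81.10", "internet": True,
     "last_update": {"ips": NOW - timedelta(hours=1),
                     "threat-emulation-engine": NOW - timedelta(hours=7)}},
    {"name": "gw-legacy", "version": "R80.10", "internet": True,
     "last_update": {"ips": NOW - timedelta(hours=30)}},
    {"name": "gw-dmz", "version": "R80.20", "internet": False,
     "last_update": {"ips": NOW - timedelta(hours=5)}},
]
```

Run `report(GATEWAYS, NOW)` to see which gateways still depend on a policy installation and which blades have missed their expected update window.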
Turning Off IPS Automatic Updates on a Gateway
You can turn off automatic IPS updates on a specific gateway.
1. In SmartConsole, go to the Gateways & Servers view, and double-click a gateway.
   The gateway properties window opens.
2. In the navigation tree, go to IPS.
3. In IPS Update Policy, select Use IPS management updates.
4. Install the Threat Prevention Policy.
IPS Updates Use Cases
These scenarios explain how an upgrade of the Security Gateways, the Security Management Server, or both, affects the Scheduled Updates configuration.
Upgrading the Security Management Server to R80.20, and not upgrading the gateways to R80.20
If you do not upgrade the Security Gateways, then after the upgrade they are still unable to receive the updates independently, only through the Security Management Server. In this case, the configuration stays the same as before the upgrade: Scheduled Updates remain enabled or disabled on the Security Management Server, depending on the configuration before the upgrade.
Upgrading the Security Gateways to R80.20 (with or without Security Management Server upgrade)
If, before the upgrade, Scheduled Updates were configured on the Security Management Server with automatic policy installation, then after the upgrade, automatic IPS updates are still enabled on the Security Management Server, and are also applied to the upgraded gateways.
If Scheduled Updates were disabled on the Security Management Server before the upgrade, then they remain disabled after the upgrade, both on the Security Management Server and the gateways.
If, before the upgrade, Scheduled Updates were configured on the Security Management Server without automatic policy installation, then during the first policy installation after the upgrade, a message indicates that Security Gateways R80.20 and higher automatically update the IPS Protections. For Security Gateways R80.10 and lower, you must install policy to apply the updates.