Configuring Threat Extraction on the Security Gateway
Note - For offline Threat Extraction (TEX, the Check Point Software Blade on a Security Gateway that removes malicious content from files) Engine Release Updates, refer to sk165832.
| Step | Instructions |
|---|---|
| 1 | Enable the Threat Extraction Software Blade (a Software Blade is a specific security solution, or module: on a Security Gateway, each Software Blade inspects specific characteristics of the traffic; on a Management Server, each Software Blade enables different management capabilities): |
| 2 | In the Gateways & Servers view, double-click the Security Gateway object (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) and click the Threat Extraction page. |
| 3 | Make sure the Activation Mode is set to Active. |
| 4 | In the Resource Allocation section, configure the resource settings. |
| 5 | Click OK. |
| 6 | Install the Access Control Policy. |
In addition to configuring Threat Extraction on the gateway:

- For Threat Extraction to scan e-mail attachments, enable the gateway as a Mail Transfer Agent (MTA), the feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component (see Enabling MTA on the Security Gateway).
- For Threat Extraction to scan web downloads, in SmartConsole:

  | Step | Instructions |
  |---|---|
  | 1 | Go to the Security Policies view > Threat Prevention > Custom Policy Tools > Profiles. |
  | 2 | Double-click a profile > Threat Extraction > General > Protocol. |
  | 3 | Select Web (HTTP/HTTPS). |

- For Threat Extraction API support, in the gateway editor, go to Threat Extraction > Web API > Enable API.
Threat Extraction and Endpoint Security
When both the Threat Extraction blade and the SandBlast Agent for Browsers are activated on the network Security Gateway, a special configuration is required. Without this configuration, when you download a file, it can be cleaned twice, both by the Threat Extraction blade and by the SandBlast Agent.
To prevent this, the Security Gateway adds a digital signature to all the files cleaned by the Threat Extraction blade. When the SandBlast Agent intercepts a downloaded file, it verifies this digital signature. If the signature is verified successfully, the SandBlast Agent does not send the file for cleaning, so the file is not cleaned twice.
For details on how to configure the digital signature on the Security Gateway and how to configure the Endpoint management, see sk142732.
Configuring Threat Extraction in a Cluster
The Cluster configuration (a Cluster is two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing) is similar to the gateway configuration, except for specific instructions that are relevant only to a cluster.
| Step | Instructions |
|---|---|
| 1 | In the Gateways & Servers view, right-click the cluster and click Edit. |
| 2 | Open the ClusterXL and VRRP page. |
| 3 | Select High Availability. |

- Load Sharing is not supported.
- The original files are synchronized between the two members of the cluster, so in case of failure, there is still access to the original files.
Threat Extraction Statistics
| Step | Instructions |
|---|---|
| 1 | Open the command line interface of the gateway with Threat Extraction enabled. |
| 2 | Run these commands: |
Using the Gateway CLI

- Control debug messages
- Get information on queues
- Send the initial email attachments to recipients
- Download updates automatically from the ThreatCloud (the cyber intelligence center of all Check Point products; it is dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware)
| Step | Instructions |
|---|---|
| 1 | Connect to the command line on the Security Gateway. |
| 2 | Log in to the Expert mode. |
| 3 | Run: |

| Option | Description |
|---|---|
| | Controls debug messages |
| | Shows information on Threat Extraction queues. This command helps you understand the queue status and load on the mail transfer agent (MTA) and the |
| | Sends original email to recipients. To send the original email get: |
| | Bypasses all files. Use this command to debug issues with the |
| | Shows and resets counters |
| | Manages updates from the download center |
| | Sends original file by email |
| | Shows and resets cache |
| | Backs up expired mails to external storage |
Storage of Original Files
The Threat Extraction blade reconstructs files (cleans or converts files to PDF) to eliminate potentially malicious content. After the Threat Extraction blade reconstructs the files, the original files are saved on the gateway for a default period.
Mail attachments
Mail attachments are saved for a default period of 14 days.
| Step | Instructions |
|---|---|
| 1 | In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), go to the gateway editor > Threat Extraction > Resource Allocation > Delete stored original files older than x Days. |
| 2 | Change the number of days as required. The maximum is 45 days. |

To save the files for a longer period, you must back them up to external storage (see Backup to External Storage).
Web downloads
Web downloads are saved for a default period of 2 days.
| Step | Instructions |
|---|---|
| 1 | Edit the |
| 2 | Search for |

To save the files for a longer period, you must back them up to external storage (see Backup to External Storage).
Backup to External Storage
When you run out of disk space, you can back up e-mail attachments or web downloads to external storage.
Notes:

- In a cluster, both members must have the same configuration.
- End-users cannot access files in external storage; only the administrator can access these files.
| Step | Instructions |
|---|---|
| 1 | Create the backup folder. Run: |
| 2 | Mount the backup folder to the remote folder. Run: Example: Best Practice - To preserve the mount configuration after reboot, configure a Scheduled Job that runs the applicable "mount" command "At startup" (in the Gaia portal, go to System Management > Job Scheduler; Gaia is the Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems). |
| 3 | Edit |

Example:

```
:external_storage (
    :enabled (1)
    :external_path ("/mnt/MyLocalBackupFolder")
    :expired_in_days (5)
)
```

Run this command:

```
scrub backup_expired_mail <days for expired entries> <external_path>
```

In `<days for expired entries>`, enter "0".
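As an added example (not from Check Point's documentation), this POSIX shell script reads the `:external_storage` block shown above, checks that `external_path` is really a mounted filesystem before the backup command runs (a mount lost after a reboot without the "At startup" job would silently send the "backup" to the gateway's own disk), and prints the `scrub backup_expired_mail` command from step 3. The function names and the config file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation. It reads the
# :external_storage block, checks that the backup target is really a
# mounted filesystem, and prints the scrub command the page describes.
# All function names and the config file path are hypothetical.

# Constructed sample of the :external_storage block from the page.
SAMPLE_CONF=':external_storage (
    :enabled (1)
    :external_path ("/mnt/MyLocalBackupFolder")
    :expired_in_days (5)
)'

# te_conf_get FILE KEY: print the value of ":KEY (value)" (quotes stripped).
te_conf_get() {
    sed -n 's/^[[:space:]]*:'"$2"'[[:space:]]*("\{0,1\}\([^")]*\)"\{0,1\}).*/\1/p' "$1" | head -n 1
}

# te_is_mountpoint DIR: true only if DIR is itself a mount point (POSIX df -P).
te_is_mountpoint() {
    [ -d "$1" ] || return 1
    [ "$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }')" = "$1" ]
}

# te_backup_cmd FILE: print the scrub command, or fail with
#   2 = external storage disabled, 3 = expired_in_days is not a number,
#   4 = external_path is not mounted (the backup would land on local disk,
#       e.g. after a reboot without the "At startup" mount job).
te_backup_cmd() {
    enabled=$(te_conf_get "$1" enabled)
    path=$(te_conf_get "$1" external_path)
    days=$(te_conf_get "$1" expired_in_days)
    [ "$enabled" = "1" ] || return 2
    case "$days" in '' | *[!0-9]*) return 3 ;; esac
    te_is_mountpoint "$path" || return 4
    # The page says to pass "0" as <days for expired entries>.
    echo "scrub backup_expired_mail 0 $path"
}
```

In a cluster, run the check on both members, since both must carry the same configuration.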