Configuring Threat Extraction on the Security Gateway

Note - For offline Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. Engine Release Updates, refer to sk165832.

Step

Instructions

1

Enable the Threat Extraction Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.:

  1. On the General Properties > Network Security tab, select Threat Extraction.

    The Threat Extraction First Time Activation Wizard opens.

  2. Optional:

    If you want Threat Extraction to scan email attachments, you must enable the MTA and configure the Domain and Next Hop.

    If you do not want Threat Extraction to scan email attachments, click Skip this configuration now.

  3. Click Next.

  4. Click Finish.

2

In the Gateways & Servers view, double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object and click the Threat Extraction page.

3

Make sure the Activation Mode is set to Active.

4

In the Resource Allocation section, configure the resource settings.

5

Click OK.

6

Install the Access Control Policy.

In addition to configuring Threat Extraction on the gateway:

Threat Extraction and Endpoint Security

When both the Threat Extraction blade and the SandBlast Agent for Browsers are activated on the network Security Gateway, a special configuration is required. Without this configuration, when you download a file, it can be cleaned twice, both by the Threat Extraction blade and by the SandBlast Agent.

To prevent this, the Security Gateway adds a digital signature to all the files cleaned by the Threat Extraction blade. When the SandBlast Agent intercepts a downloaded file. If the digital signature is verified successfully, the SandBlast Agent does not send the file for cleaning, so the file is not cleaned twice.

For details on how to configure the digital signature on the Security Gateway and how to configure the Endpoint management, see sk142732.

Configuring Threat Extraction in a Cluster

The ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. configuration is similar to gateway configuration, except for specific instructions that are only relevant to cluster.

Step

Instructions

1

In the Gateways & Servers view, right-click the cluster and click edit.

2

Open the ClusterXL and VRRP page.

3

Select High Availability.

  • Load Sharing is not supported.

  • The original files are synchronized between the two members of the cluster, so in case of failure, there is still access to the original files.

Threat Extraction Statistics

Step

Instructions

1

Open the command line interface of the gateway with the Threat Extraction enabled.

2

Run these commands:

  • cpview

  • cpstat scrub -f threat_extraction_statistics

Using the Gateway CLI

Step

Instructions

1

Connect to the command line on the Security Gateway.

2

Log in to the Expert mode.

3

Run: scrub

Option

Description

debug

Controls debug messages

queues

Shows information on Threat Extraction queues. This command helps you understand the queue status and load on the mail transfer agent (MTA) and the scrubd daemon. The command shows:

  • Number of pending requests from the MTA to the scrubd daemon

  • Maximum number pending requests from the MTA to the scrubd daemon

  • Current number of pending requests from scrubd to scrub_cp_file_convert

  • Maximum number of pending requests from scrubd to scrub_cp_file_convert

send_orig_email

Sends original email to recipients. To send the original email get:

  • The reference number - Click on link in the email received by the user.

  • The email ID - Found in the Logs & Monitor logs or debug logs.

bypass

Bypasses all files. Use this command to debug issues with the scrub (Threat Extraction) daemon. When you set bypass to active, requests from the mail transfer agent (MTA) to the scrub daemon are not handled. Threat Extraction is suspended. No files are cleaned.

counters

Shows and resets counters

update

Manages updates from the download center

send_orig_file

Sends original file by email

cache

Shows and resets cache

backup_expired_mail

Backs up expired mails to external storage

Storage of Original Files

The Threat Extraction blade reconstructs files (cleans or converts files to PDF) to eliminate potentially malicious content. After the Threat Extraction blade reconstructs the files, the original files are saved on the gateway for a default period.

Mail attachments

Mail attachments are saved for a default period of 14 days.

Step

Instructions

1

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the gateway editor > Threat Extraction > Resource Allocation > Delete stored original files older than x Days.

2

Change the number of days as required. The maximum is 45 days.

To save the files for a longer period, you must back them up to external storage, (see Backup to External Storage).

Web downloads

Web downloads are saved for a default period of 2 days.

Step

Instructions

1

Edit the $FWDIR/conf/scrub_debug.conf file.

2

Search for http_keep_original_duration and change the value as required. Value can be between 2 and 45 days.

To save the files for a longer period, you must back them up to external storage, (see Backup to External Storage).

Backup to External Storage

When you run out of disk space, you can back e-mail attachments or web downloads to external storage.

Notes:

  • In a cluster, both members must have the same configuration.

  • End-users cannot access files in external storage, only the administrator can access these files.

Step

Instructions

1

Create the backup folder.

Run: mkdir /mnt/<local_backup_folder>

2

Mount the backup folder to the remote folder.

Run: mount -t cifs <remote_folder> /mnt/<local_backup_folder>

mount -t cifs //MyServer/MyBackupFolder /mnt/MyLocalBackupFolder

To preserve the mount configuration after reboot, configure a Scheduled Job to the applicable "mount" command "At startup" (in the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. portal, go to System Management > Job Scheduler).

3

Edit $FWDIR/conf/scrub_debug.conf, and search for :external_storage.

  1. Change the enabled value from "0" to "1".

  2. In the external_path parameter, write the full path to the local backup folder:

  3. The expired_in_days parameter sets the backup date. The value you enter for this parameter specifies how many days before expiration the backup is performed.

:external_storage (
    :enabled (1)
    :external_path ("/mnt/MyLocalBackupFolder")
    :expired_in_days (5)

Run this command:

scrub backup_expired_mail <days for expired entries> <external_path>

In days for expired entries enter "0".