Out-of-the-Box Protection from Threats

Getting Quickly Up and Running with the Threat Prevention Policy

You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.

After you enable the blades and install the policy, this rule is generated:

Name                                     | Protected Scope | Action    | Track               | Install On
-----------------------------------------|-----------------|-----------|---------------------|-----------------
Out-of-the-box Threat Prevention policy  | *Any            | Optimized | Log, Packet Capture | *Policy Targets

Enabling the Threat Prevention Software Blades

Enabling the IPS Software Blade

Enabling the Anti-Bot Software Blade

Enabling the Anti-Virus Software Blade

Enabling SandBlast Threat Emulation Software Blade

Using Cloud Emulation

Files are sent to the Check Point ThreatCloud over a secure TLS connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

Enabling the SandBlast Threat Extraction Blade

Configuring LDAP

If you use LDAP for user authentication, you must activate User Directory for Security Gateways.

Installing the Threat Prevention Policy

The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

Disabling the Threat Prevention Blades

When you disable all the Threat Prevention Software Blades in a Security Gateway object, you must click the "Install Policy" button and then click the "Uninstall Threat Prevention Policy" link.

Predefined Rule

When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection (the Protected Scope value equals Any; see Protected Scope), is inspected for all protections according to the Optimized profile (see Profiles Pane). By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.

The result of this rule (according to the Optimized profile) is that:

Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.

You can add more exceptions that prevent or detect specified protections or have different tracking settings.