Out-of-the-Box Protection from Threats
Getting Quickly Up and Running with the Threat Prevention Policy
You can configure Threat Prevention to give the exact level of protection that you need, but you can also configure it to provide protection right out of the box.

| Step | Instructions |
|---|---|
| 1 | Enable the Threat Prevention blades on the gateway. |
| 2 | Install Policy. |

After you enable the blades and install the policy, this rule (a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session) is generated:

- The Optimized profile is installed by default (see Optimized Protection Profile Settings).
- The Protection/Site column is used only for protection exceptions (see Protection).
Enabling the Threat Prevention Software Blades
Enabling the IPS Software Blade

To enable the IPS Software Blade:
| Step | Instructions |
|---|---|
| 1 | In the Gateways & Servers view, double-click the gateway object. The General Properties window opens. |
| 2 | In the General Properties > Network Security tab, click IPS. |
| 3 | Follow the steps in the wizard that opens. |
| 4 | Click OK. |
| 5 | Click OK in the General Properties window. |
| 6 | Click Install Policy (see Installing the Threat Prevention Policy). |
Enabling the Anti-Bot Software Blade

Enabling the Anti-Virus Software Blade

To enable the Anti-Virus Software Blade:
| Step | Instructions |
|---|---|
| 1 | In the Gateways & Servers view, double-click the gateway object. The General Properties window of the gateway opens. |
| 2 | From the Network Security tab, click Anti-Bot. The Anti-Bot and Anti-Virus First Time Activation window opens. |
| 3 | Select one of the activation mode options: |
| 4 | Click OK. |
| 5 | Click Install Policy (see Installing the Threat Prevention Policy). |
Enabling SandBlast Threat Emulation Software Blade

| Step | Instructions |
|---|---|
| 1 | In the Gateways & Servers view, double-click the Security Gateway. The Gateway Properties window opens. |
| 2 | From the Network Security tab, select SandBlast Threat Emulation. The Threat Emulation |
| 3 | Select the Emulation Location: |
| 4 | Click Next. The Summary page opens. |
| 5 | Click Finish to enable Threat Emulation, and then close the First Time Configuration Wizard. |
| 6 | Click OK. The Gateway Properties window closes. |
| 7 | Click Install Policy (see Installing the Threat Prevention Policy). |

Note - When a trial license is installed on the Security Gateway, a green "V" incorrectly appears next to the Threat Emulation Software Blade in SmartConsole. To see the correct license status, go to the License Status tab in the Device and License Information window.
Using Cloud Emulation
Files are sent to the Check Point ThreatCloud over a secure TLS connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.
For ThreatCloud emulation, it is necessary that the Security Gateway connects to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.
Enabling the SandBlast Threat Extraction Blade

| Step | Instructions |
|---|---|
| 1 | In the Gateways & Servers view, double-click the gateway object. The General Properties window of the gateway opens. |
| 2 | Go to the Network Security tab, and select Threat Extraction. The Threat Extraction First Time Activation Wizard opens: Note - In a ClusterXL High Availability environment, do this once for the cluster object. |

Configure Threat Extraction to scan one or all of these types of documents.
- For Threat Extraction to scan e-mail attachments, enable the gateway as a Mail Transfer Agent (MTA), a feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component (see Enabling MTA on the Security Gateway).
- From R80.30, Threat Extraction can also scan web downloads.
  To enable web downloads scan: In SmartConsole, go to the Security Policies view > Threat Prevention > Custom Policy Tools > Profiles > double-click a profile > Threat Extraction > General > Protocol, and select Web (HTTP/HTTPS). (Security Policies are collections of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.)
- For Threat Extraction API support, in the gateway editor, go to Threat Extraction > Web API > Enable API.
Configuring LDAP
If you use LDAP for user authentication, you must activate User Directory (the Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions) for Security Gateways.

| Step | Instructions |
|---|---|
| 1 | Open SmartConsole > Global Properties. |
| 2 | On the User Directory page, select Use User Directory for Security Gateways. |
| 3 | Click OK. |
Installing the Threat Prevention Policy
The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

| Step | Instructions |
|---|---|
| 1 | From the Global toolbar, click Install Policy. The Install Policy window opens showing the installation targets (Security Gateways). |
| 2 | Select Threat Prevention. |
| 3 | |
| 4 | Click OK. |
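
The same Threat Prevention-only installation can be scripted through the Check Point Management API (`install-policy` with `access` set to false). This is an added example, not part of the original guide; it assumes the Management API is enabled and reachable over HTTPS with a trusted certificate, and the server, user, package and gateway names are placeholders.

```python
import json
import os
import urllib.request


def build_tp_install_payload(policy_package, targets):
    """Body for `install-policy` that pushes only the Threat Prevention
    policy and leaves the Access Control policy untouched."""
    targets = [t for t in targets if t]
    if not policy_package or not targets:
        raise ValueError("policy package and at least one target are required")
    return {
        "policy-package": policy_package,
        "access": False,            # do not reinstall Access Control
        "threat-prevention": True,  # install the Threat Prevention policy
        "targets": targets,
    }


def api_call(server, command, payload, sid=None):
    """POST one Management API command; the server certificate is verified."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(
        f"https://{server}/web_api/{command}",
        data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def install_threat_prevention(server, user, password, policy_package, targets):
    payload = build_tp_install_payload(policy_package, targets)
    sid = api_call(server, "login", {"user": user, "password": password})["sid"]
    try:
        return api_call(server, "install-policy", payload, sid)["task-id"]
    finally:
        api_call(server, "logout", {}, sid)  # always release the session


if __name__ == "__main__":
    # Placeholder values (assumptions): server, user, package, gateway names.
    task = install_threat_prevention(
        "mgmt.example.com", "api_admin", os.environ["CP_API_PASSWORD"],
        "Standard", ["gw-example"])
    print("install-policy task:", task)
```

The returned task id can be followed in SmartConsole or with the API's `show-task` command to confirm that the installation finished on every target.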
Disabling the Threat Prevention Blades
When you disable all the Threat Prevention Software Blades in a Security Gateway object, you must click the "Install Policy" button and then click the "Uninstall Threat Prevention Policy" link.
Predefined Rule
When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection (the protected scope value equals any, see Protected Scope), is inspected for all protections according to the Optimized profile (see Profiles Pane). By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.
The result of this rule (according to the Optimized profile) is that:
- When an attack meets the below criteria, the protections are set to Prevent mode:
  - Confidence Level - Medium or above
  - Performance Impact - Medium or above
  - Severity - Medium or above
- When an attack meets the below criteria, the protections are set to Detect mode:
  - Confidence Level - Low
  - Performance Impact - Medium or above
  - Severity - Medium or above
Use the Logs & Monitor page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.
You can add more exceptions that prevent or detect specified protections or have different tracking settings.