The Threat Prevention Policy
Workflow for Creating a Threat Prevention Policy
Threat Prevention lets you customize profiles that meet the needs of your organization.
Ideally, you might want to set all protections to Prevent in order to protect against all potential threats. However, to let your gateway processes focus on handling the most important traffic and report only the most concerning threats, you need to determine the most effective way to apply the Threat Prevention settings.
When you define a new Threat Prevention profile, you can create a Threat Prevention Policy which activates only the protections that you need and prevents only the attacks that most threaten your network.
| Step | Instructions |
|---|---|
| 1 | Enable the Threat Prevention Software Blades on the Security Gateways. |
| 2 | Update the IPS database and Malware database with the latest protections. |
| 3 | Optional: Create Policy Packages. |
| 4 | Optional: For each Policy Package, create Threat Prevention Policy Layers. Note - For each Policy Layer, configure a Threat Prevention Rule Base with the Threat Prevention profile as the Action of the rule. |
| 5 | Install the Threat Prevention policy. |
To Learn More about Policy Packages
To learn more about Policy Packages, see the R81 Security Management Administration Guide.
Threat Prevention Policy Layers
You can create a Threat Prevention Rule Base with multiple Policy Layers. Policy Layers help you organize your Rule Base to best suit your organizational needs. You can divide the Policy Layers by services or networks. Each Policy Layer calculates its action separately from the other Layers. In case of one Layer in the policy package, the rule enforced is the first rule matched. In case of multiple Layers:

- If a connection matches a rule in only one Layer, then the action enforced is the action in that rule.
- When a connection matches rules in more than one Layer, the gateway enforces the strictest action and settings.

Important - When the Threat Prevention blades run in MTA mode, the gateway enforces the automatic MTA rule, which is created when MTA is enabled on the gateway.
Action Enforcement in Multiple-Layered Security Policies
These examples show which action the Security Gateway enforces when a connection matches rules in more than one Policy Layer.
The Layers "IPS" and "Threat Prevention" are pre-defined.
|  | IPS Layer | Threat Prevention Layer |
|---|---|---|
| Rule matched | Rule 3 | Rule 1 |
| Profile action | Prevent |  |

Enforced action: Prevent
The Layers "IPS" and "Threat Prevention" are pre-defined.
|  | IPS Layer | Threat Prevention Layer |
|---|---|---|
| Rule matched | Rule 3 | Rule 1 |
| Profile action | Prevent | Detect |
| Exception for protection X | Inactive | - |

Enforced action for protection X: Detect
These Layers are user-defined.
|  | Data Center Layer | Corporate LAN Layer |
|---|---|---|
| Rule matched | Rule 3 | Rule 1 |
| Profile action | Prevent | Detect |
| Override for protection X | Detect | - |
| Exception for protection X | Inactive | - |

The exception takes precedence over the override and the profile action. Therefore, the action for the Data Center Layer is Inactive.

The action for the Corporate LAN Layer is Detect.

Enforced action for protection X: Detect.
These Layers are user-defined.
|  | Data Center Layer | Corporate LAN Layer |
|---|---|---|
| Rule matched | Rule 3 | Rule 1 |
| Profile action | Deep Scan all files | Process specific file type families: Inspect doc files and Drop |

Enforced action: Deep Scan doc files and Drop rtf files.
MIME nesting level and Maximum archive scanning time
The strictest action is:

- Allow combined with the maximum nesting level/scanning time, OR
- Block combined with the minimum nesting level/scanning time, OR
- If both Block and Allow are matched, the enforced action is Block.
These Layers are user-defined.

|  | HR Layer | Finance Layer | Data Center Layer 3 |
|---|---|---|---|
| Rule matched | Rule 3 | Rule 1 | Rule 4 |
| Profile action | Detect | Prevent | Prevent |
| Configured page | Page A | Page B | Page C |

The first Layer with the strictest action is enforced.

Enforced Action: Prevent with UserCheck Page B.
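The precedence used in these examples (within a Layer, an exception beats an override, which beats the profile action; across Layers, the strictest action wins and the first Layer breaks ties), written out as an added Python model that is not Check Point's code. The dictionary layout, field names and the sample Layers are assumptions constructed to mirror the tables above.

```python
# Added example, not Check Point code: a model of how a multi-Layer Threat
# Prevention policy resolves the enforced action for one protection, following
# the rules in the tables above. Layer dicts and field names are assumptions.
STRICTNESS = {"Inactive": 0, "Detect": 1, "Prevent": 2}


def layer_action(layer, protection):
    """Action one Layer yields for a protection.

    Within a Layer, an exception takes precedence over an override, which
    takes precedence over the profile action.
    """
    if protection in layer.get("exceptions", {}):
        return layer["exceptions"][protection]
    if protection in layer.get("overrides", {}):
        return layer["overrides"][protection]
    return layer["profile_action"]


def enforce(layers, protection):
    """Return (enforced action, UserCheck page) across the matched Layers.

    The strictest action wins. On a tie, the first Layer in policy order that
    produced it supplies its settings, here the configured UserCheck page.
    """
    best_action, best_page = None, None
    for layer in layers:  # iterate in policy order
        action = layer_action(layer, protection)
        if best_action is None or STRICTNESS[action] > STRICTNESS[best_action]:
            best_action, best_page = action, layer.get("page")
    return best_action, best_page


# Constructed inputs that mirror the user-defined Layer examples on this page.
EXAMPLE_3 = [
    {"name": "Data Center", "profile_action": "Prevent",
     "overrides": {"X": "Detect"}, "exceptions": {"X": "Inactive"}},
    {"name": "Corporate LAN", "profile_action": "Detect"},
]
EXAMPLE_5 = [
    {"name": "HR", "profile_action": "Detect", "page": "Page A"},
    {"name": "Finance", "profile_action": "Prevent", "page": "Page B"},
    {"name": "Data Center 3", "profile_action": "Prevent", "page": "Page C"},
]

if __name__ == "__main__":
    print(enforce(EXAMPLE_3, "X"))  # ('Detect', None)
    print(enforce(EXAMPLE_5, "Y"))  # ('Prevent', 'Page B')
```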
Creating a New Policy Layer
This section explains how to create a new Threat Prevention Policy Layer. You can configure reuse of Threat Prevention Policy Layers in different Policy Packages, and set different administrator permissions per Threat Prevention Layer.
| Step | Instructions |
|---|---|
| 1 | In SmartConsole, go to Security Policies > Threat Prevention. |
| 2 | Right-click Policy and select Edit Policy. |
| 3 | In the General tab, go to Threat Prevention and click the + sign. |
| 4 | Select New Layer. The New Threat Prevention Layer window opens. |
| 5 | Enter the Layer Name. |
| 6 | Optional: In the General tab, in the Sharing area, you can configure reuse of the layer in different policy packages. Select Multiple policies and rules can use this layer. |
| 7 | In the Permissions tab, select the permission profiles that can edit this layer. Note - There is no need to add permission profiles that are configured to edit all layers. |
| 8 | Click OK. |
Threat Prevention Layers in Pre-R80 Gateways
In pre-R80 versions, the IPS Software Blade was not part of the Threat Prevention Policy, and was managed separately. In R80.XX versions, the IPS Software Blade is integrated into the Threat Prevention Policy.
When you upgrade SmartConsole to R80.XX from earlier versions, with some Security Gateways upgraded to R80.XX, and other Security Gateways remaining in previous versions:
- For pre-R80 gateways with IPS and Threat Prevention Software Blades enabled, the policy is split into two parallel layers: IPS and Threat Prevention. To see which Security Gateway enforces which IPS profile, look at the Install On column in the IPS Layer.
- R80.XX gateways are managed separately, based on the R80 or higher Policy Layers (see Threat Prevention Policy Layers).

Best Practice - For better performance, we recommend that you use the Optimized profile when you upgrade to R80 or higher from earlier versions.
Threat Prevention Rule Base
Each Threat Prevention Layer contains a Rule Base. The Rule Base determines how the system inspects connections for malware.
The Threat Prevention rules use the Malware database and network objects. Security Gateways that have Identity Awareness enabled can also use Access Role objects as the Protected Scope in a rule. The Access Role objects let you easily make rules for individuals or different groups of users.
There are no implied rules in this Rule Base; traffic is allowed or not allowed based on how you configure the Rule Base. For example, a rule that is set to the Prevent action blocks activity and communication for that malware.
Parts of the Rules
The columns of a rule define the traffic that it matches and what is done to that traffic.
Number (No.)
The sequence of rules is important because the first rule that matches traffic according to a protected scope (see Protected Scope) and profile is applied.
For example, if rules 1 and 2 share the same protected scope and a profile in rule 1 is set to detect protections with a medium confidence level and the profile in rule 2 is set to prevent protections with a medium confidence level, then protections with a medium confidence level will be detected based on rule 1.
Name
- Give the rule a descriptive name. The name can include spaces.
- Double-click in the Name column of the rule to add or change a name.
- Click OK.
Protected Scope
Threat Prevention rules include a Protected Scope parameter. Threat Prevention inspects traffic to and/or from all objects specified in the Protected Scope, even when the specified object did not open the connection. This is an important difference from the Source object in Firewall rules, which defines the object that opens a connection.
For example, the Protected Scope includes a Network Object named "MyWebServer". Threat Prevention inspects all files sent to "MyWebServer" for malware threats, even if "MyWebServer" did not open the connection.

You can add these objects to the Protected Scope:

- Network objects, such as Security Gateways, clusters, servers, networks, IP ranges, and so on. From R80.10, dynamic objects and domain objects are also supported in the Threat Prevention Policy.
- Network object groups
- Updatable objects (from R80.40)
- IP address ranges
- Roles
- Zones
- Data Centers
For more details on the various types of objects, see the R81 Security Management Administration Guide.
You can set the Protected Scope parameter to Any. This option lets Threat Prevention inspect traffic based on the direction and interface type as defined by the Profile assigned to the applicable rule. By default, the predefined Optimized Rule sets the Protection Scope to Any.
Traffic Direction and Interface Type Settings
You can configure the traffic direction and Security Gateway interface types that send files to Threat Prevention for inspection. You do this in the Protected Scope section of the Anti-Virus or Threat Emulation Settings window.
- Inspect incoming files from - Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
  - External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
  - External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
  - All - Inspect all incoming files from all interface types.
- Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
When you select the Any option in the Protected Scope section of a rule, the traffic direction and interface type are defined by the Profile assigned to that rule. If you add objects to the Protected Scope in a rule, files that match these objects are inspected for all connections.
Using Protected Scope with SPAN and TAP Configurations
The default global parameter for SPAN and TAP configuration is set to inspect all. You can use these commands to configure the Security Gateway to use the Protected Scope settings for SPAN and TAP with Threat Emulation.

- The "fw ctl set int" command - Changes the current Protected Scope settings for SPAN and TAP; does not survive reboot.
- The $FWDIR/module/fwkern.conf file - Changes the settings so that they persist after reboot.

Run these commands to set the SPAN port to use the Policy instead of the global default setting (inspect all):
Limitations and Troubleshooting
- If no topology is defined for the Security Gateway interfaces, all traffic is inspected or sent for emulation.
- When you upgrade from R76 or lower, the Inspect incoming files option is set to All by default.
- When the topology of the interfaces is defined and you are using SPAN or TAP modes, it is possible that some of the connections are not defined correctly.
Protection
The Protection/Site column shows the protections for the Threat Prevention policy.
- For rules, this field is always set to n/a and cannot be changed. Protections for Rule Base rules are defined in the configured profile (in the Action column).
- For rule exceptions and exception groups, this field can be set to one or more specified protections.
| Step | Instructions |
|---|---|
| 1 | In SmartConsole, select Security Policies > Threat Prevention. |
| 2 | From the navigation tree, select a Policy Layer. |
| 3 | Right-click the rule and select New Exception. An exception sub-rule is added to the policy. |
| 4 | Right-click the Protection/Site cell and select Add new items. |
| 5 | From the list of Anti-Bot, Anti-Virus, or IPS protections, click the add button of the protections to add to the exception. The protections are added to the exception sub-rule. |
| 6 | Install Policy. |
| Step | Instructions |
|---|---|
| 1 | Put your mouse cursor in the Protection/Site column and click the plus sign to open the Protection viewer. |
| 2 | Select the protection category. |
| 3 | Enter the malware name in the search field. |
Action
Action refers to how traffic is inspected.
- For rules, this is defined by the profile. The profile contains the configuration options for different confidence levels and performance impact (see Profiles Pane).
- For rule exceptions and exception groups, the action can be set to Prevent or Detect.
| Step | Instructions |
|---|---|
| 1 | Click in the Action column. |
| 2 | Select an existing profile from the list, create a new profile, or edit the existing profile. |
Threat Prevention Track Options
| Track Option | Description |
|---|---|
| None | Do not generate an alert. |
| Alert | Generate a log and run a command, such as display a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in Global Properties > Log and Alert > Alerts. |
| Packet Capture | Adds raw IPS, Anti-Virus, Anti-Bot, Threat Emulation and Threat Extraction packet data to the Threat Prevention logs. Only blocked packets are added (see Packet Capture). |
| Forensics | Adds fields to the Threat Prevention logs. The extra information gives you a deeper understanding of an attack (see Advanced Forensics Details). |
Install On
- Select the Security Gateways on which to install the rule. The default is All (all Security Gateways that have a Threat Prevention blade enabled).
- Put your mouse in the column and a plus sign shows.
- Click the plus sign to open the list of available Security Gateways and select the applicable Security Gateway.
If you right-click a column in the table, you can add more columns to the table from the list that shows.