Threat Prevention Policy Layers

You can create a Threat Prevention Rule Base (all rules configured in a given Security Policy; synonym: Rulebase) with multiple Ordered Layers. Ordered Layers help you organize your Rule Base (a Rule is a set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session) to best suit your organizational needs. You can divide the Ordered Layers by services or networks. Each Ordered Layer calculates its action separately from the other Layers. If the policy package has one Layer, the rule enforced is the first rule matched. If it has multiple Layers, the Security Gateway combines the actions of the Layers as shown in the examples below.

Important - When the Threat Prevention blades run in MTA mode, the Security Gateway enforces the automatic MTA rule, which is created when MTA is enabled on the Security Gateway.

Action Enforcement in Multiple-Layered Security Policies

These examples show which action the Security Gateway enforces when a connection matches rules in more than one Ordered Layer.

Example 1

                   Data Center Layer   Corporate LAN Layer
Rule matched       Rule 3              Rule 1
Profile action     Prevent             Detect

Prevent: UserCheck rule action that blocks traffic and files and can show a UserCheck message.

Detect: UserCheck rule action that allows traffic and files to enter the internal network and logs them.

Enforced action: Prevent

Example 2

                            Data Center Layer   Corporate LAN Layer
Rule matched                Rule 3              Rule 1
Profile action              Prevent             Detect
Exception for protection X  Inactive            -

Enforced action for protection X: Detect

Example 3

                            Data Center Layer   Corporate LAN Layer
Rule matched                Rule 3              Rule 1
Profile action              Prevent             Detect
Override for protection X   Detect              -
Exception for protection X  Inactive            -

An exception takes precedence over an override and over the profile action. Therefore, the action for the Data Center Layer is Inactive.

The action for the Corporate LAN Layer is Detect.

Enforced action for protection X: Detect.

Example 4

                  Data Center Layer    Corporate LAN Layer
Rule matched      Rule 3               Rule 1
Profile action    Deep Scan all files  Process specific file type families: Inspect doc files and Drop rtf files.

Enforced action: Deep Scan doc files and Drop rtf files.

Example 5

MIME nesting level and Maximum archive scanning time

The strictest action is:

Block combined with the minimum nesting level/scanning time, or

Allow combined with the maximum nesting level/scanning time.

If both Block and Allow are matched, the enforced action is Block.

Example 6

UserCheck (functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy.)

                  HR Layer   Finance Layer   Data Center Layer 3
Rule matched      Rule 3     Rule 1          Rule 4
Profile action    Detect     Prevent         Prevent
Configured page   Page A     Page B          Page C

The first Layer with the strictest action is enforced.

Enforced Action: Prevent with UserCheck Page B.
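The following Python model reproduces the multi-Layer decision rules illustrated by Examples 1 to 6 above. It is an added illustration written for this page, not Check Point code and not how the Security Gateway is implemented. Everything in it is an assumption made to match the examples: the strictness ranking Prevent > Detect > Inactive, the per-file-type ranking Drop > Deep Scan > Inspect, the rule that an exception beats an override which beats the profile action, the "first Layer with the strictest action supplies the UserCheck page" rule, and taking the minimum nesting level or scanning time over all Layers when any Layer blocks. The LayerDecision class and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Strictness ranking inferred from the page's examples (assumption): Prevent
# is stricter than Detect, and Detect is stricter than Inactive (Example 2).
STRICTNESS = {"Inactive": 0, "Detect": 1, "Prevent": 2}

# Ranking for per-file-type actions (assumption consistent with Example 4):
# Drop is stricter than Deep Scan, which is stricter than Inspect.
FILE_STRICTNESS = {"Inspect": 0, "Deep Scan": 1, "Drop": 2}


@dataclass
class LayerDecision:
    """What one Ordered Layer decided for the rule it matched (hypothetical model)."""
    name: str
    profile_action: str
    override: Optional[str] = None        # override for a specific protection, if any
    exception: Optional[str] = None       # exception for a specific protection, if any
    usercheck_page: Optional[str] = None  # UserCheck page configured on the rule


def layer_action(layer: LayerDecision) -> str:
    """Per Example 3: an exception beats an override, which beats the profile action."""
    if layer.exception is not None:
        return layer.exception
    if layer.override is not None:
        return layer.override
    return layer.profile_action


def enforce(layers: List[LayerDecision]) -> Tuple[str, Optional[str]]:
    """Return the enforced action and the UserCheck page of the first Layer
    whose action is that strictest action (Examples 1, 2, 3 and 6)."""
    actions = [layer_action(layer) for layer in layers]
    strictest = max(actions, key=STRICTNESS.__getitem__)
    for layer, action in zip(layers, actions):
        if action == strictest:
            return strictest, layer.usercheck_page
    raise AssertionError("unreachable: the strictest action came from one of the layers")


def enforce_file_types(layer_rules: List[Dict[str, str]],
                       file_types: List[str]) -> Dict[str, str]:
    """Example 4: merge per-file-type actions across Layers, strictest per type.
    Each Layer maps a file type (or "*" for all files) to an action."""
    merged = {}
    for file_type in file_types:
        candidates = [rules.get(file_type, rules.get("*")) for rules in layer_rules]
        candidates = [c for c in candidates if c is not None]
        merged[file_type] = max(candidates, key=FILE_STRICTNESS.__getitem__)
    return merged


def enforce_limit(decisions: List[Tuple[str, int]]) -> Tuple[str, int]:
    """Example 5: for MIME nesting level / archive scanning time, Block wins if
    any Layer blocks, combined with the minimum limit; otherwise Allow with the
    maximum limit. Taking the minimum over all Layers' limits is an assumption."""
    limits = [limit for _, limit in decisions]
    if any(action == "Block" for action, _ in decisions):
        return "Block", min(limits)
    return "Allow", max(limits)


if __name__ == "__main__":
    # Constructed inputs reproducing the page's examples.
    example_1 = [LayerDecision("Data Center", "Prevent"),
                 LayerDecision("Corporate LAN", "Detect")]
    example_3 = [LayerDecision("Data Center", "Prevent", override="Detect", exception="Inactive"),
                 LayerDecision("Corporate LAN", "Detect")]
    example_6 = [LayerDecision("HR", "Detect", usercheck_page="Page A"),
                 LayerDecision("Finance", "Prevent", usercheck_page="Page B"),
                 LayerDecision("Data Center 3", "Prevent", usercheck_page="Page C")]
    print(enforce(example_1))  # ('Prevent', None)
    print(enforce(example_3))  # ('Detect', None)
    print(enforce(example_6))  # ('Prevent', 'Page B')
    print(enforce_file_types([{"*": "Deep Scan"}, {"doc": "Inspect", "rtf": "Drop"}],
                             ["doc", "rtf"]))  # {'doc': 'Deep Scan', 'rtf': 'Drop'}
    print(enforce_limit([("Block", 5), ("Allow", 3)]))  # ('Block', 3)
```

When reviewing a policy with several Ordered Layers, the practical check is the one this model makes explicit: a permissive exception in one Layer does not relax the other Layers, so the enforced action can only be as lenient as the most lenient result after every Layer has applied its own exceptions and overrides.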