Threat Prevention Profiles
Introducing Profiles
Check Point Threat Prevention provides instant protection based on pre-defined Threat Prevention Profiles. You can also configure a custom Threat Prevention profile to give the exact level of protection that the organization needs.
When you install a Threat Prevention policy on the Security Gateways, they immediately begin to enforce IPS
Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protection on network traffic.
A Threat Prevention profile determines which protections are activated, and which Software Blades are enabled for the specified rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. or policy.
The protections that the profile activates depend on the following
-
Performance impact of the protection
-
Severity of the threat
-
Confidence that a protection can correctly identify an attack
-
Settings that are specific to the Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.
A Threat Prevention profile applies to one or more of the Threat Prevention Software Blades: IPS, Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX..
A profile is a set of configurations based on
-
Activation settings (prevent, detect, or inactive) for each confidence level of protections that the ThreatSpect engine analyzes
-
IPS Settings
-
Anti-Virus Settings
-
Threat Emulation Settings
-
Threat Extraction Settings
-
Malware DNS Trap configuration
Without profiles, it would be necessary to configure separate rules for different activation settings and confidence levels. With profiles, you get customization and efficiency.
SmartConsole includes these default Threat Prevention profiles
|
Profile |
Description |
|---|---|
|
Optimized |
Provides excellent protection for common network products and protocols against recent or popular attacks |
|
Strict |
Provides a wide coverage for all products and protocols, with impact on network performance |
|
Basic |
Provides reliable protection on a range of non-HTTP protocols for servers, with minimal impact on network performance |
Optimized Protection Profile Settings
The Optimized profile is activated by default, because it gives excellent security with good gateway performance.
These are the goals of the Optimized profile, and the settings that achieve those goals
|
Goal |
Parameter |
Setting |
|---|---|---|
|
Apply settings to all the Threat Prevention Software Blades |
Blades Activation |
Activate the profile for IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. |
|
Do not have a critical effect on performance |
Performance impact |
Activate protections that have a Medium or lower effect on performance. |
|
Protect against important threats |
Severity |
Protect against threats with a severity of Medium or above. |
|
Reduce false-positives |
Confidence |
Set to Prevent the protections with an attack confidence of Medium or High. Set to Detect the protections with a confidence of Low. |
Profiles Pane
The pane shows a list of profiles that have been created, their confidence levels, and performance impact settings.
The Profiles pane contains these options
|
Option |
Meaning |
|---|---|
|
New |
Creates a new profile. |
|
View |
Shows an existing profile. |
|
Edit |
Modifies an existing profile. |
|
Clone |
Creates a copy of an existing profile. |
|
Delete |
Deletes a profile. |
|
Where Used |
Shows you reference information for the profile. |
|
Search |
Searches for a profile. |
|
Last Modified |
Shows who last modified the selected profile, when and on which client. |
Performance Impact
Performance impact is how much a protection affects the gateway performance. Some activated protections might cause issues with connectivity or performance. You can set protections to not be prevented or detected if they have a higher impact on gateway performance.
There are three options
-
High or lower
-
Medium or lower
-
Low or lower
- Very low
Severity
Severity of the threat. Probable damage of a successful attack to your environment.
There are three degrees of severity
-
Low or above
-
Medium or above
-
High or above
- Critical
Activation Settings
|
Setting |
Description |
|---|---|
|
Ask |
The Software Blade blocks the file or traffic until the user makes sure that the Security Gateway The user decides if the file or traffic are allowed or not. The decision itself is logged in the User Response field in the Ask |
|
Prevent |
The Software Blade blocks the file or traffic from passing through the Security Gateway. It also logs the traffic, or tracks it, according to configured settings in the Rule Base |
|
Detect |
The Software Blade allows identified file or traffic to pass through the Security Gateway. It also logs the traffic, or tracks it, according to configured settings in the Rule Base. |
|
Inactive |
The Software Blade deactivates a protection. |
Confidence Level
The confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic. Some attack types are more subtle than others and legitimate traffic can sometimes be mistakenly recognized as a threat. The confidence level value shows how well protections can correctly recognize a specified attack.
Creating Profiles
You can choose from multiple pre-configured Profiles, but not change them. You can create a new profile or clone a profile. When you create a new profile, it includes all the Threat Prevention Software Blades by default.
When HTTPS inspection is enabled on Security Gateway, Threat Emulation, Anti-Bot, and Anti-Virus can analyze the applicable HTTPS traffic.
To create a new Threat Prevention profile
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole |
|
2 |
From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
|
3 |
Right-click a profile and select New. |
|
4 |
Configure the settings for the profile. |
|
5 |
Click OK. |
|
6 |
Install the Threat Prevention policy. |
Cloning Profiles
You can create a clone of a selected profile and then make changes. You cannot change the out-of-the-box profiles: Basic, Optimized, and Strict.
To clone a Threat Prevention profile
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole, select Security Policies > Threat Prevention. |
|
2 |
From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
|
3 |
Right-click the profile and select Clone. |
|
4 |
The Name field shows the name of the copied profile plus _copy. |
|
5 |
Rename the profile. |
|
6 |
Click OK. |
|
7 |
Publish the SmartConsole session. |
Editing Profiles
You can change the settings of the Threat Prevention profile according to your requirements.
To edit a profile
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole, select Security Policies > Threat Prevention. |
|
2 |
From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
|
3 |
Right-click the profile and select Edit. |
Deleting Threat Prevention Profiles
You can delete a profile, but you cannot delete the default Threat Prevention profiles.
To delete a profile
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole, select Security Policies > Threat Prevention. |
|
2 |
From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
|
3 |
Right-click the profile, and click Delete. A window opens and shows a confirmation message. |
|
4 |
Click Yes. If the profile is used by another object, you cannot delete it. The error message is shown in the Tasks window. |
|
5 |
In SmartConsole, install the policy. |
To show the objects that use a profile
|
Step |
Instructions |
|---|---|
|
1 |
From the Profiles page, select the profile. The Summary page opens. |
|
2 |
From the Where Used section in the Summary tab, click Where Used. The Where Used window opens and shows the profile. |
|
3 |
Right-click the rule and select View in policy. |
Viewing Changes to a Threat Prevention Profile
You can view the Audit log and see changes that were made to a Threat Prevention profile.
To view the Audit log for a Threat Prevention profile
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole, click Logs & Monitor. |
|
2 |
Click the Audit tab, or press CTRL + T, and then click Open Audit Logs View. |
|
3 |
In Enter search query, enter the name of the profile. |
|
4 |
To refine the search:
|
|
5 |
To see more information about the changes to a profile, double-click the Audit log. |
Assigning Profiles to Gateways
When you enable the IPS Software Blade on a pre-R80 gateway, a default IPS rule is automatically created in the IPS policy layer of the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.. The Action of this rule is set according to the IPS setting of the assigned Threat Prevention Profile. You can change the profile from the Action column.
Note - Only the IPS settings from the Threat Prevention Profile apply to the IPS Policy.
To assign a profile to a gateway
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole, select Security Policies > Threat Prevention > Policy > IPS. |
|
2 |
Click the Action cell, and select the Threat Prevention profile. |
|
3 |
Install the Access Control policy. |