Threat Prevention Policy Insights

Threat Prevention Policy Insights simplifies the management of the Threat Prevention policy and profiles by providing administrators with actionable, environment-specific insights.

Check Point's Infinity Cloud calculates the insights and they are displayed per Policy Layer Layer (set of rules) in a Security Policy..

Key benefits

• Reduces administrator effort with fast, one-click remediation actions.

• Provides customized insights based on analysis of traffic passing through the Security Gateways.

• Optimizes security and performance by

  • Detecting misconfigurations and configuration gaps

  • Identifying high CPU-consuming protections

  • Highlighting unoptimized Threat Prevention settings.

Supported Environments

• R82.10 and higher Standalone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server., High Availability, and Multi-Domain Security Management Servers.

• Any Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. that is managed by a Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. running R82.10 or higher.

• Threat Prevention Policy Insights is available only for environments hosted in the EU and US regions.

Limitations

• Threat Prevention Policy Insights is not supported for (Undefined variable: Vars_CloudGuard.tp_smart1_cloud_old) environments.

• Autonomous Threat Prevention is not supported.

Prerequisites

• Threat Prevention Policy Insights requires appropriate Check Point license. For detailed licensing information, contact Account Services.

  Note - The license bundle for Threat Prevention Policy Insights includes license for Access Control Policy Insights. See Access Control Policy Insights for more information on this feature.

• Connect your Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. to the Check Point Portal.

• Auto-update package (afw_AutoUpdate) version 82 or higher. The auto-update package is usually installed automatically when the version and Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. requirements are met. For manual installation instructions, see sk183421.

• For Web SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. users, Web SmartConsole Take 157 or higher.

Activating Threat Prevention Policy Insights

Note - Threat Prevention Policy Insights does not rely on Log Sharing or Configuration Sharing. Instead, it uploads Threat Prevention logs, profiles, rules, and objects to the Check Point Portal for analysis.

Procedure

1. In SmartConsole > Infinity Services view > locate the Policy Insights card:

   1. Toggle the switch to On.

   2. Accept the Terms and Conditions.

   The card status changes from Inactive to Initializing.

2. Make sure the Insights button appears in the top-left corner of the Threat Prevention Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

Notes: After the activation process, the log analysis may take several hours (up to 48 hours in large environments). Therefore, suggestions do not appear immediately. Some insights can appear within a few days, while others require a longer period of time to appear. The insight calculation process runs every two weeks.

Types of Insights

• Misconfiguration - Recommendations regarding settings that are incorrect, incomplete, or not aligned with best practices.

  For example: New IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protections configured to Staging mode instead of according to the profile settings (Prevent).

• Policy Optimization - Recommendations for streamlining security operations and enhancing security and performance.

  For example: An exception rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that is frequently matched, allowing malicious content into the environment.

• IPS Profile Tuning - Recommendations for adjusting IPS configuration based on protection usage and system impact.

  For example: Overriding default settings for specific IPS protections to better fit your environment.

• ERM (External Risk Management) - Recommendations based on emerging risk and response data, leveraging Check Point’s Infinity ERM platform.

  For example: Verifying whether external access to a server is necessary, when a server is identified as vulnerable based on a specific CVE.

  For information on how to activate ERM, see sk184656.

Click here for detailed information regarding each insight.

Managing Threat Prevention Policy Insights

To view insights for a Policy Layer

1. In SmartConsole, go to the Security Policies view > Threat Prevention.

2. Click the Insights button at the top-left corner.

Each category in the Threat Prevention Policy Insights window shows:

• The latest date on which the presented information is based.

• The number of suggestions in that category.

Confidence Level

Each insight is assigned a confidence level that reflects its reliability and accuracy.

For example: Longer observation periods provide more comprehensive data, increasing the reliability of the insight.

Severity

Each insight is assigned a severity level that reflects how critical it is to address the issue for maintaining the security of your environment.

Available Actions

For each insight, you can select one of these options:

• Apply - Accept the insight. Threat Prevention Policy Insights implements the change automatically.

  Note - For certain suggestions, automatic remediation is not available. In these cases, you must follow the provided instructions to perform manual remediation.

  Publish your session for the changes to take affect.

• Decline - Reject the insight. The insight moves to the Declined suggestions section.

  To return a declined suggestion to the Suggestions section, select the suggestion and click Undo decline.

• Decide later - Move the suggestion to the Decide later section. This is useful for insights that require additional consideration.

  In the Decide later, these are the available actions:

  • Apply - Accept the change.

  • Decline - Reject the change.

  • Move back - Move the suggestion back to the Suggestions section.

Filtering Insights

You can filter the suggestions based on these categories:

• Recommended (the default option) - Suggestions with the highest calculated security impact and confidence.

• All - Valuable suggestions.