Configuring Autonomous Threat Prevention
To configure Autonomous Threat Prevention in your environment, follow these steps:
-
Enable Autonomous Threat Prevention on the Security Gateway
Step
Instructions
1
In SmartConsole
Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the Gateways & Servers view, and right-click the required Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..2
In the General Properties page, go to the Threat Prevention tab, and select Autonomous Threat Prevention
-
Create an Autonomous Threat Prevention Policy
Step
Instructions
1
In SmartConsole, go to Security Policies > Autonomous Threat Prevention > Policy.
2
Click the default profile name to see the list of profiles, and select the required profile.
If you are not sure which profile to select, click the drop-down arrow next to the profile's name, and from the drop-down list, select Help me decide:
A table which specifies the differences between the profiles opens.
3
Based on the table, select the profile which best suits your needs.
4
Click OK.
Note - Each profile shows a list of the technologies that it uses.
-
Install the Autonomous Threat Prevention Policy
Step
Instructions
1
In SmartConsole, from the toolbar, select Install Policy.
The Install Policy window opens.
2
Select Threat Prevention.
3
Select the gateway targets for Policy installation.
Note - The Autonomous Threat Prevention Policy is installed on Security Gateways with Autonomous Threat Prevention enabled. Security Gateways with no Autonomous Threat Prevention enabled receive the Custom Threat Prevention Policy.
4
Click Install.
-
Using different Autonomous Threat Prevention profiles on different Security Gateways
You can use different Autonomous Threat Prevention profiles for different Security Gateways.
To do so, you must create a new policy package for each Security Gateway and follow the configuration steps, as follows:
Step
Instructions
1
In SmartConsole, create a new policy package.
From the main menu, click the drop-down arrow and select Manage policies and layers.
The Manage policies and layers window opens.
Click New and configure the new policy package.
For more information on policy packages, see the R82 Security Management Administration Guide.
2
Select the required Autonomous Threat Prevention profile.
3
Install the Threat Prevention policy on the applicable Security Gateway.
|
|
Note - MTA (Mail Transfer Agent |
Exceptions
Global exceptions are available for use by gateways configured with Autonomous Threat Prevention or a Custom Threat Prevention policy. Global exceptions that existed prior to the migration to Autonomous Threat Prevention are enforced in Autonomous Threat Prevention without any action needed.
To add global exceptions to the Autonomous Threat Prevention policy:
-
Go to the Security Policies view > Threat Prevention > Exceptions > Global Exceptions.
-
Add the applicable exceptions.
-
In the Install On column, select the gateways to which each exception applies.
Deployment
The Deployment Dashboard view:
-
Shows this information:
-
Security Gateways with HTTPS Inspection
Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. disabled. -
Security Gateways that do not support Zero Phishing
Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH. (versions R81.10 and lower). -
Security Gateways with no FQDN configured (FQDN configuration is required only for Zero Phishing).
-
-
Lets you gradually deploy Threat Prevention policy in your networks. The Deployment Dashboard includes these protection modes:
-
According to profile - The settings of the Threat Prevention profile apply to the object. By default any traffic is protected according to profile, and this is the recommendation. If gradual deployment is needed, you can put specific network objects in "Detect only". We recommend to move these object to the According to profile mode after a short trial period.
-
No Protection - The object is not protected by the selected Threat Prevention profile. Traffic is allowed and is not logged.
-
Detect only - Traffic is allowed, but it is logged according to the Threat Prevention profile settings.
Note - You can easily drag and drop objects from any of the protection modes to any other protection mode.
By default, the No Protection and Detect Only columns are empty, and the According to Profile column has one object: Any. When you add an object to the No Protection column or the Detect Only column, the object in the According to Profile column changes from Any to All Other.
-
File Protections
In the File Protections page, you can:
-
View the protected file types and protection types for the selected Autonomous Threat Prevention profile.
-
Override the recommended file protections according to profile and select different protections.
To configure file protections
-
Go to Threat Prevention > Autonomous Threat Prevention > File Protections
-
Click on the + sign and configure the required protection.
These are the available protections:
-
Inspect - These technologies are operated: File Reputation, ThreatCloud
The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. and Sandbox. You can see Sandbox is enabled in the Sandbox column. -
Inspect & Clean - These technologies are operated: File Reputation, ThreatCloud, Sandbox and Sanitization (CDR). You can see Sandbox is enabled in the Sandbox column.
-
Block - Block the file.
-
Bypass - Do not inspect the file.
You cannot override the protections for file types which are not on the list. File types which are not on the list will be inspected in all profiles.
-
Settings
Sanitized File Settings
These options are selected by default:
-
Allow end-users to access the original files that are not malicious according to Sandbox - After a file is cleaned/sanitized, a banner with a link to original file is added to the document. An access to original file will be allowed only if the original file is found to be benign by all Threat Prevention engines, including Sandbox. If you clear this option, you will not be able to access the original file even if it is determined as non-malicious.
-
Modify the name of the cleaned file - Select this option to modify the name of the cleaned file.
Advanced Settings
You can override the profile definitions and enable or disable a certain feature or protection, as required. Use this tool to enable or disable DNS protections. We recommend to keep Sandbox, Sanitization and Archives deep scan On.
-
Click the plus (+) sign.
-
From the drop-down menu, select the required feature or protection.
-
Set to On or Off as required.
-
Click Apply.
-
Publish your changes.
Clearing NGTX Expiration Alerts in SmartConsole
After the NGTX license expires, and the NGTP license is installed, SmartConsole may still continue to display an error message regarding the expiration of the NGTX license. Starting from R82 Jumbo Hotfix Accumulator Take 41, you can disable the license status check for the NGTX Software Blades.
Procedure
-
Connect to the command line on the Security Gateway / each Cluster Member
Security Gateway that is part of a cluster. / Scalable Platform Security Group. -
If the default shell is the Expert mode, go to Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish:-
On a Security Gateway / each Cluster
Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member, run:clish -
On a Scalable Platform Security Group, run:
gclish
-
-
Disable the license status for the NGTX Software Blades. Run:
cplic ignore_expired_ngtx 1 -
Restart the Check Point services. Run:
cpstopcpstart -
If the Security Gateway / Cluster Member / Scalable Platform Security Group works in the VSNext / Traditional VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, disable the license status for the NGTX Software Blades in the context of each applicable Virtual Gateway / Virtual System:-
Go to the context of the applicable Virtual Gateway / Virtual System, and run:
set virtual-system <ID> -
Disable the license status for the NGTX Software Blades:
cplic ignore_expired_ngtx 1
-
-
Restart the Check Point services:
cpstopcpstart