Configuring Threat Extraction on the Security Gateway - Autonomous Threat Prevention

Step

Instructions

1

In the Gateways & Servers view, double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object and click the Threat Extraction page.

2

Make sure the Activation Mode is set to Active.

3

In the Resource Allocation section, configure the resource settings.

4

Click OK.

5

Install Policy.

For Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. API support, open the Security Gateway object, go to Threat Extraction > Web API > Enable API.

Threat Extraction and Endpoint Security

When both the Threat Extraction blade and the SandBlast Agent for Browsers are activated on the network Security Gateway, a special configuration is required. Without this configuration, when you download a file, it can be cleaned twice, both by the Threat Extraction blade and by the SandBlast Agent.

To prevent this, the Security Gateway adds a digital signature to all the files cleaned by the Threat Extraction blade. When the SandBlast Agent intercepts a downloaded file. If the digital signature is verified successfully, SandBlast Agent does not clean the file, so the file is not cleaned twice.

For details on how to configure the digital signature on the Security Gateway and how to configure the Endpoint management, see sk142732.

Configuring Threat Extraction in a Cluster

The clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. configuration is similar to Security Gateway configuration, except for specific instructions that are only relevant to cluster.

Step

Instructions

1

In the Gateways & Servers view, right-click the cluster and click edit.

2

Open the ClusterXL and VRRP page.

3

Select High Availability.

Notes:

  • Only the High Availability mode is supported.

  • The original files are synchronized between the Cluster Members. In case of a failure, there is still access to the original files.

Threat Extraction Statistics

Step

Instructions

1

Connect to the command line on the Security Gateway with the Threat Extraction enabled.

2

Run these commands:

  • cpview

  • cpstat scrub -f threat_extraction_statistics

Using the Security Gateway CLI

In this menu, you can:

Step

Instructions

1

Connect to the command line on the Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster..

2

Log in to the Expert mode.

3

Run:

scrub

The menu shows these options:

Option

Description

debug

Controls debug messages.

queues

Shows information on Threat Extraction queues.

This command helps you understand the queue status and load on the mail transfer agent (MTA) and the scrubd daemon.

The command shows:

  • Number of pending requests from the MTA to the scrubd daemon

  • Maximum number pending requests from the MTA to the scrubd daemon

  • Current number of pending requests from scrubd to scrub_cp_file_convert

  • Maximum number of pending requests from scrubd to scrub_cp_file_convert

send_orig_email

Sends original email to recipients.

To send the original email get:

  • The reference number - Click on link in the email received by the user.

  • The email ID - Found in the Logs & Events logs or debug logs.

bypass

Bypasses all files.

Use this command to debug issues with the scrubd (Threat Extraction) daemon.

When you set bypass to active, requests from the mail transfer agent (MTA) to the scrub daemon are not handled.

Threat Extraction is suspended. No files are cleaned.

counters

Shows and resets counters.

update

Manages updates from the download center.

send_orig_file

Sends original file by email.

cache

Shows and resets cache.

backup_expired_mail

Backs up expired mails to external storage.

Storage of Original Files

The Threat Extraction blade reconstructs files (cleans or converts files to PDF) to eliminate potentially malicious content. After the Threat Extraction blade reconstructs the files, the original files are saved on the gateway for a default period.

Mail attachments are saved for a default period of 14 days.

To configure a different number of days for storage of mail attachments:

Step

Instructions

1

From the left navigation panel, click Gateways & Servers.

2

Open the Security Gateway / Cluster object.

3

From the left tree, click Threat Extraction.

4

Click Resource Allocation > Delete stored original files older than x Days.

5

Change the number of days as required. The maximum is 45 days.

6

Click OK.

7

Install the Threat Prevention Policy.

To save the files for a longer period, you must back them up to external storage (see Backup to External Storage).

Web downloads are saved for a default period of 2 days.

To configure a different number of days for storage of web downloads:

Step

Instructions

1

Connect to the command line on the Security Gateway / each Cluster Member.

2

Log in to the Expert mode.

3

Edit the $FWDIR/conf/scrub_debug.conf file.

4

Search for http_keep_original_duration and change the value as required. Value can be between 2 and 45 days.

5

Save the changes in the file and exit the editor.

To save the files for a longer period, you must back them up to external storage (see Backup to External Storage).

Backup to External Storage

When you run out of disk space, you can back e-mail attachments or web downloads to external storage.

Notes:

  • In a cluster, you must configure all Cluster Members in the same way.

  • End-users cannot access files on external storage. Only the administrator can access these files.

Step

Instructions

1

Connect to the command line on the Security Gateway / each Cluster Member.

2

Log in to the Expert mode.

3

Create the backup folder:

mkdir /mnt/<local_backup_folder>

Example:

mkdir /mnt/MyLocalBackupFolder

4

Mount the backup folder to the remote folder:

mount -t cifs <remote_folder> /mnt/<local_backup_folder>

Example:

mount -t cifs //MyServer/MyBackupFolder /mnt/MyLocalBackupFolder

Best Practice - To preserve the mount configuration after reboot, configure a Scheduled Job to run the applicable "mount" command at startup (in Gaia PortalClosed Web interface for the Check Point Gaia operating system., go to System Management > Job Scheduler).

5

Edit the $FWDIR/conf/scrub_debug.conf file:

vi $FWDIR/conf/scrub_debug.conf

6

Search for this section:

:external_storage.

  1. Change the enabled value from "0" to "1".

  2. In the external_path parameter, write the full path to the local backup folder.

  3. The expired_in_days parameter sets the backup date.

    The value you enter for this parameter specifies how many days before expiration the backup is performed.

Example:

:external_storage (
    :enabled (1)
    :external_path ("/mnt/MyLocalBackupFolder")
    :expired_in_days (5)

7

Configure the applicable values:

  1. Change the enabled value from "0" to "1".

  2. In the external_path parameter, write the full path to the local backup folder.

  3. The expired_in_days parameter sets the backup date.

    The value you enter for this parameter specifies how many days before expiration the backup is performed.

Example:

:external_storage (
    :enabled (1)
    :external_path ("/mnt/MyLocalBackupFolder")
    :expired_in_days (5)

8

Save the changes in the file and exit the editor.

Run this command:

scrub backup_expired_mail <days for expired entries> <external_path>

In "<days for expired entries>" enter "0".