Configuring Threat Emulation on the Security Gateway - Autonomous Threat Prevention

Important -On the 3900 appliances, Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. does not support Local Emulation (Known Limitation PMTR-115010).

Preparing for Local or Remote Emulation

For deployments that use a Threat Emulation appliance, prepare the network and Threat Emulation appliance for Local or Remote deployment in the internal network.

Step	Instructions
1	Open SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..
2	Create the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object for the Threat Emulation appliance.
3	If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. (see HTTPS Inspection).
4	Make sure that the traffic is sent to the appliance according to the deployment: Local Emulation - The Threat Emulation appliance receives the traffic. The appliance can be configured for traffic the same as a Security Gateway. Remote Emulation - The traffic is routed to the Threat Emulation appliance.

Changing the Analysis Location

You can select or change the location of the emulation analysis in the Threat Emulation page in Gateway Properties.

To select the location of the emulation analysis

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation. The Threat Emulation page opens.
3	From the Analysis Location section, select the emulation location: According to the gateway - According to the gateway configuration. Specify: Check Point ThreatCloud - Files are sent to the Check Point ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. for emulation. Local Gateway - This Security Gateway does the emulation. Remote Emulation Appliances - Remote appliances do the emulation. You can select one or more appliances on which the emulation is performed.
4	Optional: Select Emulate files on ThreatCloud if not supported locally. If files are not supported on the Threat Emulation appliance and they are supported in the ThreatCloud, they are sent to the ThreatCloud for emulation. No additional license is necessary for these files.
5	Click OK.
6	Install the policy on the Threat Emulation appliance.

Setting the Activation Mode

You can change the Threat Emulation protection Activation Mode of the Security Gateway or Threat Emulation appliance. The emulation can use the action defined in the Threat Prevention policy or only Detect UserCheck rule action that allows traffic and files to enter the internal network and logs them. and log malware.

To configure the activation mode

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation. The Threat Emulation page opens.
3	From the Activation Mode section, select one of these options: According to policy Detect only
4	Click OK, and then install the policy.

Optimizing System Resources

The Resource Allocation settings are only for deployments that use a Threat Emulation appliance. Threat Emulation uses system resources for emulation to identify malware and suspicious behavior. You can use the Resource Allocation settings to configure how much of the Threat Emulation appliance resources are used for emulation. When you change these settings, it can affect the network and emulation performance.

You can configure the settings for these system resources:

Minimum available hard disk space (If no emulation is done on a file, the Threat Prevention Fail Mode settings determine if the file is allowed or blocked.
Maximum available RAM that can be used for Virtual Machines.

If you plan to change the available RAM, these are the recommended settings:

If the appliance is only used for Threat Emulation, increase the available RAM.
If the appliance is also used for other Software Blades, decrease the available RAM.

To optimize the system resources for the Threat Emulation appliance

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation > Advanced. The Advanced page opens.
3	Stopping the emulation is determined when the Log storage mechanism automatically deletes log files. Therefore, in order to change the relevant configured value (Note - It also affects the Log's files deletion). Navigate to Logs > Local Storage >. And from When disk space is below `<value>`Start deleting old files, you can change the `<value>`.
4	To configure the maximum amount of RAM that is available for emulation, select Limit memory allocation. The default value is 70% of the total RAM on the appliance.
5	Optional. To change the amount of available RAM: Click Configure. The Memory Allocation Configuration window opens. Enter the value for the memory limit: % of total memory - Percentage of the total RAM that Threat Emulation can use. Valid values are between 20 - 90%. MB - Total MB of RAM that Threat Emulation can use. Valid values are between 512 MB - 1000 GB. Click OK.
6	From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation: None - No action is done Log - The action is logged Alert - An alert is sent to SmartView Monitor
7	Click OK.
8	Install the Threat Prevention Policy.

Managing Images for Emulation

You can define the operating system images that Threat Emulation uses, for each appliance, and for each Threat Emulation profile. If different images are defined for a profile and for an appliance, Threat Emulation uses the images that are selected in both places. An image that is selected only for the appliance or for the profile is not used for emulation.

To manage the images that the appliance uses for emulation

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation > Advanced. The Advanced page opens.
3	From the Image Management section, select the applicable option for your network: Use all the images that are assigned in the policy - The images that are configured in the Emulation Environment window are used for emulation. Use specific images - Select one of more images that the Security Gateway can use for emulation.
4	Click OK.
5	Install the Threat Prevention Policy.