Configuring Threat Emulation on the Security Gateway - Custom Threat Prevention

Changing the Analysis Location

When you run the Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. First Time Configuration Wizard, you select the location of the emulation analysis. You can use the Threat Emulation window in Gateway Properties to change the location.

Note - The Threat Prevention policy defines the analysis location that is used for emulation (see Threat Emulation Environment).

To select the location of the emulation analysis

Step	Instructions
1	Double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation. The Threat Emulation page opens.
3	From the Analysis Location section, select the emulation location: According to the gateway - According to the gateway configuration. Specify: Check Point ThreatCloud - Files are sent to the Check Point ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. for emulation. Local Gateway - This Security Gateway does the emulation. Remote Emulation Appliances - Remote appliances do the emulation. You can select one or more appliances on which the emulation is performed.
4	Optional: Select Emulate files on ThreatCloud if not supported locally. If files are not supported on the Threat Emulation appliance and they are supported in the ThreatCloud, they are sent to the ThreatCloud for emulation. No additional license is necessary for these files.
5	Click OK.
6	Install the policy on the Threat Emulation appliance.

Setting the Activation Mode

You can change the Threat Emulation protection Activation Mode of the Security Gateway or Threat Emulation appliance. The emulation can use the Prevent UserCheck rule action that blocks traffic and files and can show a UserCheck message. action that is defined in the Threat Prevention policy or only Detect UserCheck rule action that allows traffic and files to enter the internal network and logs them. and log malware.

To configure the activation mode

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation. The Threat Emulation page opens.
3	From the Activation Mode section, select one of these options: According to policy Detect only
4	Click OK, and then install the policy.

Optimizing System Resources

The Resource Allocation settings are only for deployments that use a Threat Emulation appliance. Threat Emulation uses system resources for emulation to identify malware and suspicious behavior. You can use the Resource Allocation settings to configure how much of the Threat Emulation appliance resources are used for emulation. When you change these settings, it can affect the network and emulation performance.

You can configure the settings for these system resources:

Minimum available hard disk space (If no emulation is done on a file, the Threat Prevention Fail Mode settings determine if the file is allowed or blocked.
Maximum available RAM that can be used for Virtual Machines.

If you plan to change the available RAM, these are the recommended settings:

If the appliance is only used for Threat Emulation, increase the available RAM.
If the appliance is also used for other Software Blades, decrease the available RAM.

To optimize the system resources for the Threat Emulation appliance

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation > Advanced. The Advanced page opens.
3	Stopping the emulation is determined when the Log storage mechanism automatically deletes log files. Therefore, in order to change the relevant configured value (Note - It also affects the Log's files deletion). Navigate to Logs > Local Storage >. And from When disk space is below `<value>`Start deleting old files, you can change the `<value>`.
4	To configure the maximum amount of RAM that is available for emulation, select Limit memory allocation. The default value is 70% of the total RAM on the appliance.
5	Optional. To change the amount of available RAM: Click Configure. The Memory Allocation Configuration window opens. Enter the value for the memory limit: % of total memory - Percentage of the total RAM that Threat Emulation can use. Valid values are between 20 - 90%. MB - Total MB of RAM that Threat Emulation can use. Valid values are between 512 MB - 1000 GB. Click OK.
6	From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation: None - No action is done Log - The action is logged Alert - An alert is sent to SmartView Monitor
7	Click OK.
8	Install the Threat Prevention Policy.

Managing Images for Emulation

You can define the operating system images that Threat Emulation uses, for each appliance, and for each Threat Emulation profile. If different images are defined for a profile and for an appliance, Threat Emulation will use the images that are selected in both places. An image that is selected only for the appliance or for the profile will not be used for emulation.

To manage the images that the appliance uses for emulation

Step	Instructions
1	Double-click the Security Gateway object of the Threat Emulation appliance. The Gateway Properties window opens.
2	From the navigation tree, select Threat Emulation > Advanced. The Advanced page opens.
3	From the Image Management section, select the applicable option for your network: Use all the images that are assigned in the policy - The images that are configured in the Emulation Environment window are used for emulation. Use specific images - Select one of more images that the Security Gateway can use for emulation.
4	Click OK, and then install the policy.

Additionally Supported Protocols for Threat Emulation

In addition to HTTP, FTP and SMTP protocols, which you can select in the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., the Threat Emulation Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. also supports the IMAP and POP3 protocols:

To activate IMAP protocol support

Step	Instructions
1	Connect to the command line on your Security Gateway.
2	Log in to the Expert mode.
3	Back up this file: `$FWDIR/conf/malware_config` Run: `cp -v $FWDIR/conf/malware_config{,_BKP}`
4	Edit this file: `$FWDIR/conf/malware_config` Run: `vi $FWDIR/conf/malware_config`
5	In the `[imap]` section, change the value of this parameter: `imap_av_policy_on` from "`0`" to "`1`"
6	Save the changes in the file and exit the Vi editor.
7	Install the Threat Prevention Policy.

To activate POP3 protocol support

Step	Instructions
1	Connect to the command line on the Security Gateway.
2	Log in to the Expert mode.
3	Back up the file: `$FWDIR/conf/malware_config` Run: `cp -v $FWDIR/conf/malware_config{,_BKP}`
4	Edit the file: `$FWDIR/conf/malware_config` Run: `vi $FWDIR/conf/malware_config`
5	In the `[temp_for_av_profile]` section, change the value of the parameter `pop3_enabled` from "`0`" to "`1`".
6	Save the changes in the file, and then exit the Vi editor.
7	Install the Threat Prevention Policy.