Getting Started with Custom Threat Prevention
You can configure Threat Prevention to give the exact level of protection that you need, or you can decide to use the out-of-the-box configuration.
- Enable Custom Threat Prevention Software Blades in the Security Gateway / Cluster object.
The Anti-Virus and Anti-Bot & Advanced DNS Software Blades
Starting from R82, the Anti-Virus and Anti-Bot & Advanced DNS Software Blades are enabled by default on each new Security Gateway or Cluster Member. For more information, see sk182106.
Note - This does not apply to the Traditional VSX mode. In the Traditional VSX Virtual Systems, you must enable these Software Blades manually.
Enabling the IPS Software Blade
1. In the Gateways & Servers view, double-click the Security Gateway / Cluster object.
   The General Properties window opens.
2. In the General Properties > Network Security tab, select IPS.
3. Follow the steps in the wizard that opens.
4. Click OK.
5. Click OK in the General Properties window.
Enabling the Threat Emulation Software Blade
When you enable Threat Emulation, the wizard automatically gives you the option to enable Threat Extraction.
1. In the Gateways & Servers view, double-click the Security Gateway / Cluster object.
   The Gateway Properties window opens.
2. In the General Properties > Network Security tab, select SandBlast Threat Emulation.
   The Threat Emulation wizard opens and shows the Emulation Location page.
3. Select the Emulation Location:
   - ThreatCloud Emulation Service
   - Locally on this Threat Emulation appliance
   - Other Threat Emulation appliances
4. Click Next.
   The Activate Threat Extraction window opens, with this checkbox selected: Clean potentially malicious parts from files (Threat Extraction)
   - To activate Threat Extraction, keep this checkbox selected.
   - If you do not want to activate Threat Extraction, clear this checkbox.
5. Click Next.
   The Summary page opens.
   Note - If you selected the Emulation Location as Locally on this Threat Emulation appliance or Other Threat Emulation appliances, and you want to share Threat Emulation information with ThreatCloud, select Share attack information with ThreatCloud.
6. Click Finish to enable Threat Emulation (and, if selected, Threat Extraction), and then close the First Time Configuration Wizard.
7. Click OK.
   The Gateway Properties window closes.
Note - When a trial license is installed on the Security Gateway, a green "V" incorrectly appears next to the Threat Emulation Software Blade (in SmartConsole, go to the Gateways & Servers view > right-click the Security Gateway / Cluster object > click Monitor > the Device and License Information window opens > Device Status > Threat Emulation). To see the correct license status, go to the License Status tab in the Device and License Information window.
Using Cloud Emulation
Files are sent to the Check Point ThreatCloud over a secure TLS connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.
Best Practice - ThreatCloud emulation requires that the Security Gateway can connect to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.
Enabling the Threat Extraction Software Blade
1. In the Gateways & Servers view, double-click the Security Gateway / Cluster object.
   The General Properties window opens.
2. In the General Properties > Network Security tab, select Threat Extraction.
   Note - In a ClusterXL High Availability environment, do this once for the cluster object.
Notes:
- When you enable Threat Extraction, web download scan is automatically enabled.
- For Threat Extraction to scan e-mail attachments, configure the Security Gateway as a Mail Transfer Agent (MTA) (see Configuring the Security Gateway as a Mail Transfer Agent).
- For Threat Extraction API support, in the Security Gateway Properties, go to Threat Extraction > Web API > Enable API.
Enabling the Zero Phishing Software Blade
1. In the Gateways & Servers view, double-click the Security Gateway / Cluster object.
   The General Properties window opens.
2. In the General Properties > Network Security tab, select Zero Phishing.
   The Zero Phishing First Time Configuration Wizard opens.
3. In the FQDN Configuration window, select one of these two options for In-Browser Zero Phishing:
   - Use automatic settings (recommended)
     When you enable Zero Phishing with the automatic settings, a new interface called tp_dummy (or tp_dummy_X for VSX) is created in the Security Gateway infrastructure in Gaia. This is a dummy interface that is intentionally isolated from external access. It has a constant IP address and allows Zero Phishing clients to communicate with the Security Gateway. When automatic settings are used, the client communicates with the Security Gateway using the FQDN "zero-phishing.iaas.checkpoint.com". The automatic configuration also solves the private-network reachability problem that occurs during the inspection of HTTP pages for customers who manually added an FQDN that resolves to an IP address in the private address space.
   - Gateway FQDN (Fully Qualified Domain Name)
     If you select this option, make sure that the FQDN is registered in the DNS records of your DNS server.
4. The Zero Phishing Software Blade is now active.
5. Install both the Access Control and the Threat Prevention policies.
Notes:
- Make sure that the Zero Phishing portal is configured to work on a public IP address. For more information, see sk178769.
- To make sure that the configuration was applied successfully, visit this page both with HTTP and HTTPS:
  http://zp-demo.com/verification/zphi_check.html
  https://zp-demo.com/verification/zphi_check.html
  If the test is successful, this message appears: In-Browser Zero Phishing feature is working properly.
- Clients must have direct access to the Zero Phishing FQDN. If you use the Security Gateway as a non-transparent proxy, you must configure the clients to add the Zero Phishing FQDN to the proxy bypass.
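The HTTP-and-HTTPS verification in the Notes above can be scripted so that the two schemes are checked together and reported separately. This is an added example, not code from the Check Point guide; it assumes the host running it has outbound web access, and the 10-second timeout is a constructed value.

```python
"""Added example (not from the Check Point guide): fetch the In-Browser Zero
Phishing verification page over HTTP and HTTPS and report which scheme works."""
import urllib.error
import urllib.request

# URLs and success message exactly as the guide states them.
ZPH_CHECK_URLS = {
    "http": "http://zp-demo.com/verification/zphi_check.html",
    "https": "https://zp-demo.com/verification/zphi_check.html",
}
ZPH_OK_MESSAGE = "In-Browser Zero Phishing feature is working properly"


def zph_page_ok(body):
    """True when the fetched page body carries the success message."""
    return ZPH_OK_MESSAGE in body


def _default_fetch(url):
    # Assumed 10-second timeout; not a value from the guide.
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def zph_verify(fetch=_default_fetch):
    """Map scheme -> "ok", "not injected" or "error: ..." for both check URLs.

    `fetch` is injectable so the result logic can be exercised offline."""
    results = {}
    for scheme, url in ZPH_CHECK_URLS.items():
        try:
            body = fetch(url)
        except (urllib.error.URLError, OSError, ValueError) as exc:
            results[scheme] = f"error: {exc}"
            continue
        results[scheme] = "ok" if zph_page_ok(body) else "not injected"
    return results


if __name__ == "__main__":
    for scheme, result in zph_verify().items():
        print(f"{scheme:5s} {result}")
    # "ok" over HTTP but "not injected" over HTTPS means the HTTPS page reached the
    # browser without the Zero Phishing script, which points at HTTPS not being inspected.
```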
- Optional: Create your Custom Threat Prevention profiles based on the default Custom Threat Prevention profiles.
- Optional: Configure advanced Threat Prevention settings:
  - Security Gateway / Cluster object - Settings for Threat Prevention Software Blades and features.
  - Security Policies view > Threat Prevention > Exceptions
  - Security Policies view > Threat Prevention > click Custom Policy > refer to the Custom Policy Tools section
  - Security Policies view > HTTPS Inspection
  - Manage & Settings view > Blades > Threat Prevention > Advanced Settings
  - Security Gateway / each Cluster Member command line - Configuration commands and files (for example, for SSH Deep Inspection)
- Configure the Custom Threat Prevention policy.
Procedure
If the default rule is not enough for your environment, configure the required rules. See Configuring the Threat Prevention Profile and Rules.
When you enable one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection (the protected scope value equals any, see Protected Scope), is inspected for all protections according to the Optimized profile (see Profiles Pane). By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.
Notes:
- The Optimized profile is installed by default (see Optimized Protection Profile Settings).
- The Protection/Site column is used only for protection exceptions (see Protection).
The result of this rule (according to the Optimized profile) is that:
- When an attack meets the below criteria, the protections are set to Prevent mode:
  - Confidence Level - Medium or above
  - Performance Impact - Medium or lower
  - Severity - Medium or above
- When an attack meets the below criteria, the protections are set to Detect mode:
  - Confidence Level - Low
  - Performance Impact - Medium or above
  - Severity - Medium or above
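To see how the Optimized profile criteria above combine for a single protection, here is an added example (not Check Point's code) that applies them to a protection's Confidence Level, Performance Impact and Severity. The ordering of the levels on each scale, and the decision to report combinations that match neither criteria set as "not covered" rather than guess a mode, are assumptions, not statements from the guide.

```python
"""Added example (not Check Point's code): apply the Optimized profile criteria
listed in the guide to one protection and return the mode the rule gives it."""

# Assumed level orderings (lowest first); adjust if your release differs.
CONFIDENCE = ["Low", "Medium", "High"]
PERFORMANCE_IMPACT = ["Very Low", "Low", "Medium", "High", "Critical"]
SEVERITY = ["Low", "Medium", "High", "Critical"]


def _rank(scale, value):
    """Position of a level on its scale; unknown values raise ValueError."""
    if value not in scale:
        raise ValueError(f"{value!r} is not one of {scale}")
    return scale.index(value)


def optimized_mode(confidence, performance_impact, severity):
    """Return "Prevent", "Detect", or None when neither listed criteria set matches."""
    conf = _rank(CONFIDENCE, confidence)
    perf = _rank(PERFORMANCE_IMPACT, performance_impact)
    sev = _rank(SEVERITY, severity)
    medium_conf, medium_perf, medium_sev = (
        CONFIDENCE.index("Medium"), PERFORMANCE_IMPACT.index("Medium"), SEVERITY.index("Medium"))
    # Prevent: Confidence Medium or above, Performance Impact Medium or lower,
    # Severity Medium or above.
    if conf >= medium_conf and perf <= medium_perf and sev >= medium_sev:
        return "Prevent"
    # Detect: Confidence Low, Performance Impact Medium or above, Severity Medium or above.
    if conf == CONFIDENCE.index("Low") and perf >= medium_perf and sev >= medium_sev:
        return "Detect"
    # Outside both criteria sets the guide lists; reported rather than guessed (assumption).
    return None


if __name__ == "__main__":
    # Constructed sample protections; names are placeholders, not real signatures.
    sample = [
        ("example-protection-1", "High", "Low", "High"),
        ("example-protection-2", "Low", "High", "Critical"),
        ("example-protection-3", "Medium", "Critical", "High"),
    ]
    for name, *attrs in sample:
        print(name, "->", optimized_mode(*attrs) or "not covered by the listed criteria")
```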
- Install the Custom Threat Prevention policy.
Procedure
The Custom Threat Prevention Software Blades have a dedicated Threat Prevention policy.
You can install this policy separately from the policy installation of the Access Control Software Blades.
Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.
1. From the Global toolbar, click Install Policy.
   The Install Policy window opens showing the installation targets (Security Gateways).
2. Select Threat Prevention.
3. Select the Install Mode:
   - Install on each selected gateway independently
     Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on the other gateways.
     If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
   - Install on all selected gateways, if it fails do not install on gateways of the same version
     Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
4. Click OK.
Note - Most traffic is HTTPS rather than HTTP. Therefore, to maximize the effectiveness of the Threat Prevention Software Blades, we recommend that you also enable HTTPS Inspection.
Disabling the Threat Prevention Blades
When you disable all the Threat Prevention Software Blades in a Security Gateway object, you must click the "Install Policy" button and then click the "Uninstall Threat Prevention Policy" link.
Monitoring
Use the Logs & Events page to show logs related to Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.
You can add more exceptions that prevent or detect specified protections or have different tracking settings.