topic Re: Threat Emulation Quota Exceed in Firewall and Security Management

Threat Emulation Quota Exceed

Sagar_Manandhar — Tue, 25 Sep 2018 07:51:53 GMT

hi,

Checkpoint is showing that the quota has been exceeded at start up of the smartdashboard. What does that really mean? Does CP stop to emulated the file after it exceeded the file limit? CP has used the quota term in the documentation but not mention the exact quota we get with NGTX license. My concern is, what will CP do when the quota get exceeded ?

Regards,

Sagar Manandhar

Re: Threat Emulation Quota Exceed

Maik — Tue, 25 Sep 2018 08:57:42 GMT

Hey,

As far as I know the emulation stops once you exceed the quota.

You can verify your quota ...

=> within the Threat Emulation tab of the gateway overview within SmartConsole

=> via the Threat Emulation command line (TECLI): "tecli show cloud quota"

=> within the Check Point UserCenter

The quota exists to save yourself and the Check Point Cloud, so that if you should be under attack, that you do not "waste" all of your emulations in a short time (which is unusual for normal use cases).

There is also the sizing tool available which lets you see how many emulations would be required for your environment.

More details regarding this can be picked up at SK93598.

Re: Threat Emulation Quota Exceed

Sagar_Manandhar — Tue, 25 Sep 2018 15:59:05 GMT

Even though we get the message that the quota has been exceed we can see the log of file being emulated . Is this the normal behavior and the number of file also increase exceeding the quota (eg: 26000 out of 25000 has been emulated) when seen in smart view monitor.

Re: Threat Emulation Quota Exceed

PhoneBoy — Wed, 26 Sep 2018 01:59:46 GMT

I believe at a certain percentage above your licensed quota, it will stop emulating.

Offhand, I don't recall what the "hard" limit is.

If you see this error frequently, it may be time to have a chat with your local office, though.

Re: Threat Emulation Quota Exceed

Hugo_vd_Kooij — Thu, 27 Sep 2018 10:58:38 GMT

Or carefully considere if everything you emulate now has to be emulated.

Having said that we still have a hard time getting the Windows Updates from being emulated.

Re: Threat Emulation Quota Exceed

Enrique_Mejia — Tue, 19 Mar 2019 23:20:27 GMT

Hello, if the emulation stops. what happen with the mails: CP dropped it, CP allow it without inspection, CP enqueued it and then release?

Re: Threat Emulation Quota Exceed

PhoneBoy — Wed, 20 Mar 2019 00:10:35 GMT

Emulation always "stops" once we determine a file is malicious or not 😁

But I assume you mean if, for instance, we are unable to start emulation due to a system error or an invalid license. Then this setting applies.