topic Re: Activating NGTX (Cloud SandBox) on your gateway in Firewall and Security Management

Activating NGTX (Cloud SandBox) on your gateway

Sagy_Kratu — Tue, 15 Aug 2017 13:35:56 GMT

Hi all

I would like to share with you the latest document we created.

The Goal of this document is to focus on enabling Threat Emulation in organizations that purchased the NGTX
package, but have not activated the service.
In this document we will recommend activating the service using Background mode in detect mode. This will provide
higher level of visibility, little to no change to the environment and won’t risk or effect critical business processes.
Traditional Signature based solutions such as: Anti-Virus and IPS focus only on known Malware and known
vulnerabilities. With hundreds of new forms of malware hitting every hour, how do you protect against what you
don’t know?
Check point SandBlast Zero-day solution employs Threat Emulation (SandBox) capabilities to elevate network
security to the next level with evasion resistant malware detection, and comprehensive protection from the most
dangerous attacks.
Threat Emulation uses Checkpoint’s proprietary and unique CPU-level inspection, stopping even the most dangerous
attacks before malware has an opportunity to deploy and evade detection. SandBlast Threat Emulation uses OSlevel
inspection to examine a broad range of file types, including executables and data files.
With its unique inspection capabilities, SandBlast Threat Emulation delivers the best possible catch rate for threats,
and is resistant to attackers’ evasion techniques.
The NGTX package adds Check Point’s SandBlast Zero-Day Protection capabilities to your existing check point
gateway. Organizations will benefit from this innovative zero-day threat sandboxing capability, within the SandBlast
solution.

Happy activation!!

Re: Activating NGTX (Cloud SandBox) on your gateway

Norbert_Bohusch — Thu, 07 Sep 2017 14:34:03 GMT

I see a big issue with the way the TP profile/policy should be configured in this guide.

A customer already using ABOT/AV in prevent mode would disable his other rules by inserting a rule with "any" as protection-scope above his normal rules!

Therefore I would let the profile settings "as is" in regards to detect/prevent settings and only configure background mode there and change the "activation method" on gw/cluster-object to detect only instead of "as defined in profile".

In R80.10 it would be possible to have one TP-policy for AV/ABOT only and one for TE only and there it would be possible to follow your advices, but in R77.30 this is not possible!

Re: Activating NGTX (Cloud SandBox) on your gateway

Sagy_Kratu — Mon, 18 Sep 2017 05:51:10 GMT

Thanks for the feedback

i have made some correction to the document

it is important to state that this document focuses on how to enable the Threat Emulation blade in background and detect mode, it does not take under consideration the other blades.

With that said Threat Emulation can and will work with the other Threat Prevention blades with he right rule set in place.

Re: Activating NGTX (Cloud SandBox) on your gateway

Norbert_Bohusch — Mon, 18 Sep 2017 07:12:04 GMT

I understand the purpose of this document, but as it is thought for existing customers upgrading from NGTP to NGTX, it might cause more harm than help. Customers doing this without knowledge with this document might run into the issue I described and afterwards stay with NGTP and also don't want to move on to maybe other added functionality later on!

So there should be at least a big warning that existing configuration has to be considered or even better a guide how to move from existing NGTP to NGTX without harmin existing configuration.

Re: Activating NGTX (Cloud SandBox) on your gateway

Sagy_Kratu — Mon, 18 Sep 2017 07:44:07 GMT

The document states the caveats

Which explains what it means and the function of the document

sagy