topic Re: What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction? in API / CLI Discussion

What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Daniel_Ndiba — Fri, 22 Sep 2017 13:56:49 GMT

What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Re: What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Danny — Mon, 25 Sep 2017 14:18:30 GMT

Threat Extraction Datasheet & Technology

Mail Transfer Agent (MTA) - FAQ

MTA Debugging and Performance Troubleshooting Toolkit

Closing the Malware Gap: The Rise of Threat Extraction

SandBlast Threat Extraction removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow. It is a new technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more - see list below).

This is a new approach for Threat Prevention: instead of determining whether a file is malicious or not, Threat Extraction cleans the file before it enters the organization. Threat Extraction prevents both known and unknown threats before they arrive to the organization, thus providing better protection against zero-day threats.

Supported file formats

Threat Extraction supports the following primary file formats. Many other formats (such as Windows Metafile) that are commonly associated with these primary formats are also supported.

Format	Extensions
Adobe FDF	fdf
Adobe PDF (all versions)	pdf
Microsoft Docfile	Microsoft Visio, Microsoft Project, etc.
Microsoft Excel 2007 and above	xlsx, xlsb, xlsm, xltx, xltm, xlam
Microsoft Excel 2007 Binary	xlsb
Microsoft Excel 97 - 2003	xls
Microsoft PowerPoint 2007 and above	pptx, pptm, potx, potm, ppam, ppsx, ppsm
Microsoft PowerPoint 97 - 2003	ppt, pps, pot, ppa
Microsoft Word 2007 and above	docx, docm, dotx, dotm
Microsoft Word 97 - 2003	doc, dot

Impact

The performance impact on your gateways will hardly be noticable when simply extracting potentially malicious file contents. As always with automated file content modifications this can result and unreadable characters or file names causing to end users to request having the original email attachment released to them.

It's a different story when converting all files into PDF. Of course this option will provide your end users with the most secure and trustworthy email attachments. However, PDFs are not really editable and many end users will complain that they cannot fill out an Excel sheet as meant by the sender of the email and sometimes the PDF conversions renders the resulting file almost unreadable. You need to educate your end users to be aware of these symptoms and provide them with a link within the email to that they can retrieve the original email attachment themself.

When Threat Extraction converts a PDF file, the output PDF file has many layers that are rendered slowly or cover information in the document

Files are renamed by Threat Emulation and Threat Extraction with specific special characters in the file name

Re: What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Gregory_Welch — Mon, 25 Sep 2017 17:23:05 GMT

I don't have a perfect reply for you and am curious if other people are seeing performance issues with MTA activated on a Gateway. Three months ago I activated MTA/Threat Extraction, however I was able to dedicate hardware to use exclusively for MTA/TX because I was unsure of the performance hit on our main gateway. In practice, MTA is great and has really cleaned up some email problems for us.

Greg

Re: What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Daniel_Ndiba — Wed, 27 Sep 2017 14:34:27 GMT

Thank you for the response. This is much appreciated.

We are planning to enable Threat Extraction on our Gateways. We are running two 4800s on R77.30 and a smart1-205 Management.

I hope the specifications of my current devices will be able to support Threat Extraction without a diverse impact

Re: What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Daniel_Ndiba — Wed, 27 Sep 2017 14:37:13 GMT

I have two gateways running in cluster mode, the hardware you have dedicated for MTA/TX is one of your gateways right, or how is the deployment?

Re: What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

Timothy_Hall — Fri, 10 Nov 2017 14:14:37 GMT

The MTA function is implemented in process space on the gateway, so just make sure the gateway cores are not extremely busy in kernel space (sy/si/hi) to avoid the MTA processes having to wait a long time for the CPU. Even if there are delays caused by this, the users don't tend to notice their email getting delayed for a few seconds.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.