Threat Prevention did not prevent first time e-mail with malware file. Bridge GW+TE100X

Hello there! I have the situation here and need your advice.
We assume that CheckPoint does not use "Gradual hold" (1 byte delay) of the SMTP traffic for some reason until the end of the Threat Emulation in SandBlast.

[Attached screenshot: TP.png]

The attached screenshot shows that the event was recorded in the CheckPoint Gateway (cpgw) logs before the emulation ended in CheckPoint Threat Emulation (cpsdblst).
Did the gateway not wait for the emulation to end, because threats were detected at the very first stages of emulation or the event was recorded due to expiration of the stream hold time?

As you can see it is a detect event; for critical severity it is not good, I think.

CheckPoint inclusion scheme: Internet - Postfix (MTA) - Bridge CheckPoint Gateway R77.30 + Threat Emulation appliance (TE100X) - Lotus (mail server)
Postfix sends SMTP via the Bridge CheckPoint to Lotus with the condition that in one TCP session there is only one SMTP email.
We use bridge mode because our customer doesn't want to use the MTA in CheckPoint or make any changes to the network configuration.

The main problem is the customer wants to see emails, so we can't just block.

And we use these settings, maybe we must change something?

[Attached screenshots: TP_https_engine.png, TP_profile.png, TP_profile_adv.png]

3 Replies
Admin

Re: Threat Prevention did not prevent first time e-mail with malware file. Bridge GW+TE100X

With SMTP we generally recommend using MTA mode.
That said, this sounds like a bug the TAC should investigate.

Re: Threat Prevention did not prevent first time e-mail with malware file. Bridge GW+TE100X

We can't use the MTA in that deployment. The customer already has a 3rd party MTA.

Re: Threat Prevention did not prevent first time e-mail with malware file. Bridge GW+TE100X

Thank you for your answer. We have opened a support case for this problem, and I think this is not a recommendation but a necessity. There is no possibility to hold SMTP traffic in bridge mode without the MTA, which tells us that it is better not to use bridge mode for SMTP inspection. Why not explicitly write this in the documentation https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/96332.htm as an unsupported solution? It turns out that emulation for first time traffic is useless, as it is not able to prevent infected files via SMTP... Now we are waiting for the R&D answer.