Showing results for 
Search instead for 
Did you mean: 
Create a Post
yudha_spt inside SandBlast Network Friday
views 199 1

Asymmetric Routing causing network slow and MTA issue

Hi CheckMates,Condition-based on topology (Single TE1000X, with 4-Port Bypass Interface & 1 LACP MTA port), please refer to below images :1. All 3 switches are in L3 mode with OSPF equal cost, meaning traffic will be asymmetric. Cannot using link bonding.2. Position of Anti Spam in DMZ, and mail server in DC.I have 2 problems:1. Regarding condition 1 above, when we put TE as bridging we found 3 (Three) log that we suspect causing network slow.- TCP packet out of state First packet isn't Sync- TCP segment out of maximum allowed sequenced. Packet dropped.- ICMP reply does not match a previous request2. Traffic from anti-spam to mail server already inspected by bridged interfaces instead of MTA.Action :1. I already disabled TCP packet out of state First packet isn't Sync on Global Properties and expert mode. Log already not show anymore after that.2. I already allow TCP segment out of maximum allowed sequenced on inspection setting. But log still shows these messages.3. We also already disabled ICMP reply does not match a previous request on Global Setting and expert mode but log still shows these messages too.Could anybody please give me suggestion for :1. How to deploy this TE with bridge mode with this condition?2. How to bypass SMTP traffic from anti-spam to mail server on bridged mode because when there is double-checking Threat Emulation traffic will be drop. Or any best practice for this condition?Thank you CheckMates.
inside SandBlast Network a week ago
views 843 2

Advanced Threat Prevention RFP Template and testplan

Hi as requested by many customer attached please find an Advanced Threat Prevention RFP Template and testplan the latest document can be found @ Advanced threat prevention requirements
inside SandBlast Network 2 weeks ago
views 8948 3 35

Understanding Threat Emulation logs

In a TE log you can find additional important information how a file was processed:In the example above "trusted source" means that this file was bypassed by the global whitelist hence it was not emulated.Different values explained:ValueCommenttrusted sourcefile bypassed emulation due to Check Point maintained and automatically updated TE whitelistemulatorfile was locally emulated on a SandBlast Appliancecloud emulationfile was sent to cloud emulationremote emulationfile was sent to a remote SandBlast Appliance for emulation (this log is usually issued by a gateway connected to a SandBlast appliance)static analysisfile was pre-filtered by static analysis and was not emulatedlocal cachefile´s SHA1 was already found in cache (# tecli cache dump all) and was not emulated; action is based on the cached verdictarchivehandled file was an archiveloggerYou get "logger" for a "malicious" file as verdict decider when the file was not successfully emulated but other advisories already convitced the file as maliciousfileWhen trying to emulate the file the actual file size was 0In depth info of e.g. static analyis, cache handling etc can be found in the amazing ATRG: Threat Emulation SK:ATRG: Threat Emulation With this knowledge you can easily query all files that e.g. were really sent to cloud for emulation:With SmartLogs Timeline results you can even quickly check how file amount was handled over a certain timeframe.This is also helpful for investigating performance/throuput issues.
inside SandBlast Network 2 weeks ago
views 442 2

SandBlast Now TechTalk Video and Slides

Below is an excerpt from our TechTalk with @Nir_Naaman on Threat Hunting with Sandblast Now. Available to CheckMates members: Full Video Slides Q&A will be added as a comment to the post. (view in My Videos)  
inside SandBlast Network 3 weeks ago
views 651 5 2

How do I verify Threat Emulation is working?

We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working: Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs. Related: Anti-Virus Test -- Downloads the standard EICAR AV test file Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.
Chinmaya_Naik inside SandBlast Network 3 weeks ago
views 267 7

Threat Prevention policy configuration when HTTP emulation on Private Cloud Appliance

 Hi Team,Pls help me for the configuration.As per the Diagram, we have Gateway with TE Appliance.So basically we are using TE appliance only for emulation, not for extraction, ThreatExtraction happening on Gateway.So for any file we are download from the Internet then first come to the gateway then gateway sends that file to TE for emulation then TE gives the verdict to Gateway then gateway sends the file to the end-user base on the policy. Correct me I am wrong.I need a clear idea about configuration and working.Is this required to set Threat Prevention policy  as Detect mode in TE Policy Package 2 ?If I enable Threat Extraction on TE policy package 2 then?@Chinmaya_Naik   
FedericoMeiners inside SandBlast Network 3 weeks ago
views 202 1

ICAP limitations with ForcePoint Web Proxy

Hello,I wanted to share with you some lessons learned by integrating ForcePoint Web Proxy and Sandblast via ICAP.We have two TE appliances, integration went well and smooth following the guides in Check Point and some reading of the ICAP RFC, fun part was that we were only emulating uploaded files and no download. (ie: When we uploaded an attachment we could see it being emulated, but when we downloaded any file nothing).We performed some PCAPs on Download and Upload traffic and we could only see REQMOD and 204 unmodified messages being sent, nevertheless with upload traffic we could see even the fileAfter escalating with both vendors, ForcePoint confirmed to us that they only supported uploads via ICAP since they only use it for DLP.Hope it is useful if you are planning a similar integration.Regards,Federico
inside SandBlast Network 3 weeks ago
views 7591 19 57

ICAP Server on Sandblast Appliance (TEX)

ICAP ServerThe official ICAP Server SK mentions requirements, release notes and general information regarding the new ICAP server functionality. Check Point support for Internet Content Adaptation Protocol (ICAP) server ICAP Server is included since JHF 272. Start:                       # icap_server startStop:                       # icap_server stopReconfiguration:       # icap_server reconf  Note: ICAP does not choose emulation images based on any of your TP profiles; so there is no need to configure a TP policy for ICAP but you need one to get emulation images on your SandBlast applianceGUI configuration will be added to R80.20 (currently in controlled EA) Choosing to emulate on all images will result in an attempt to emulate the files on all known images, even if some of them aren’t available. “Recommended Images” means two images (Win7/Office2013, WinXP/Office2003-7)  ConfigurationConfiguration files FilenameLocationPurposec-icap.conf$FWDIR/c-icap/etc/ICAP Server process configuration filee.g. for changing ICAP server portc-icap.magic$FWDIR/c-icap/etc/Filetypes supported by ICAPvirus_scan.conf$FWDIR/c-icap/etc/e.g. for adding filetypes from c-icap.magic, maximum file sizelibsb_mod.conf$FWDIR/c-icap/etc/e.g. for adding filetypes from$FWDIR/c-icap/scripts/Script used to send ICAP received files to TE APIBlock message$FWDIR/c-icap/share/c_icap/templates/virus_scan/en -rwxr-x--- 1 admin bin  392 Mar 30 09:02 VIRUS_FOUNDBlock messages displayed when malware is found. If you change them don´t forget to run ICAP daemon reconf command VIRUS_FOUND is used as template for a block message; this message can be localized Configure emulation images All or recommended images Choose emulation on all images or only on recommended images: Open for editing: $FWDIR/c-icap/etc/libsb_mod.confChange the field sb_mod.AllImages to off (for recommended) or on (for all) Configure specific emulation images              Not officially supported but there is a way of selecting only specific images to emulate on: Edit $FWDIR/c-icap/etc/libsb_mod.confChange the field AllImages to on Edit $FWDIR/c-icap/scripts/ Add "#" in front of images you do not want to emulate on: image_to_name = {   #  'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',    '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',    '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',    '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',   # '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',   #  '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',} te_images = [   #  {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},    {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},    {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},    {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},  #  {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},  #  {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},] Adding Windows 10 image for ICAP emulation Even though you activate the Win10 image in the GUI it will not be used by the ICAP emulation because the images for image are solely selected based on a configuration file. To add the Win10 image follow this procedure: Edit $FWDIR/c-icap/etc/libsb_mod.confChange the field AllImages to  on  Edit $FWDIR/c-icap/scripts/ and add the following yellow lines: image_to_name = {    'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',    '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',    '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',    '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',    '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',    '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',    '10B4A9C6-E414-425C-AE8B-FE4DD7B25244': 'Win10 64b,Office 2016, Adobe DC'} te_images = [    {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},    {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},    {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},    {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},    {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},    {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},    {'id': '10B4A9C6-E414-425C-AE8B-FE4DD7B25244', 'revision': 1}]Attaching an ICAP Client Configure the ICAP client to communicate with the ICAP server’s “sandblast” service.             For example: icap://<ip address>:1344/sandblast  LoggingGeneral logging Logging (besides benign/malicious findings) is currently limited to the following log files – so no ICAP daemon logs in the GUI/SmartLog: $FWDIR/log/c-icap/server.log $FWDIR/log/c-icap/access.log To extend the by default limited access log follow these steps:  vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log” Add this line before the above finding:LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'" Change the AccessLog line to:AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat So the section in c-icap.conf should now look like this: LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormatEnable logging of benign files Enable/Disable logs on benign files: Open for editing: $FWDIR/c-icap/etc/libsb_mod.confChange the field sb_mod.LogBenign to on Debug logging To enable debug logging:  Open for editing: $FWDIR/c-icap/etc/c-icap.confChange DebugLevel value to: 7 Restart the c-icap service.  Note ! Enabling debug logs can affect performance.   ICAP daemon troubleshootingStart manually and get errors on startup To get ICAP server daemon error messages on the terminal when starting launch daemon with:    # $FWDIR/c-icap/bin/c-icap -N -D -d 10 -f $FWDIR/c-icap/etc/c-icap.conf Verify ICAP daemon is running [Expert@sandblast]# netstat -na | grep 1344 Result should show:tcp        0      0      *                   LISTEN [Expert@sandblast]# ps ax | grep c-icap Result should show:16443 ?        Ss     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf16448 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf16453 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf16460 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf19319 pts/2    S+     0:00 grep c-icap  ICAP Server response codes      {100, "Continue"},           /*Continue after ICAP Preview */     {200, "OK"},     {204, "Unmodified"},         /*No modifications needed */     {206, "Partial Content"},    /*Partial content modification*/     {400, "Bad request"},        /*Bad request */     {403, "Forbidden"},     {404, "Service not found"},  /*ICAP Service not found */     {405, "Not allowed"},        /*Method not allowed for service (e.g., RESPMOD requested For service that supports only REQMOD). */     {408, "Request timeout"},    /*Request timeout.  ICAP server gave up waiting for a Request from an ICAP client */     {500, "Server error"},       /*Server error.  Error on the ICAP server, such as "out of disk ICAP Performance statisticsSomething I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback: 
Blason_R inside SandBlast Network a month ago
views 192 6

TE appliance VM's

Hello  I would like to find total number of VM's in TE appliance like 28,56 as per device. Is there any way to find?plus to find Emulation quota on local TE appliance.Thanks in advance.
GGiorgakis inside SandBlast Network 2019-09-10
views 153 2

Threat emulation - Email content

Is there any possibility for TE to search for characters/words/content of the email subject and body?If yes, how we can implement the requested configuration in TE R80.20.?
Shahar_Grober inside SandBlast Network 2019-09-06
views 362 6

MTA AV Exceptions

Hi, AV in MTA is blocking one of our emails coming from a trusted source This is a False positive. The only option I see to exclude the sender Mail Adress is in IPS profile --> Threat Emulation --> Excluded Mail Adresses. Is there a way to exlude Emails from MTA scanning until the issue is resolved with the AV?
Alessandro_Marr inside SandBlast Network 2019-08-30
views 2561 8 3

ICAP client on R80.20 and 3rd DLP Server Symantec

Hello  all, anyone could share a configuration example about using R80.20 as a client ICAP for a Web Prevent Symantec DLP Server?when I Trying the gateway doesn´t understand a message to block came from DLP server.Thanks. Regards. 
Eric_Lindsey1 inside SandBlast Network 2019-08-25
views 199 2

MTA email data missing from logging

We are using our checkpoint appliance as an MTA. External email is directed to checkpoint and then to our internal email servers. We are also threat emulating attachments. If an email comes into the system and passes through checkpoint with no attachment we do not see any of the email data in the smartlog. If the email has an attachment and threat emulation emulates the file we see the subject, sender, receipient in smartlog. Is there any reason the normal email just passing through the appliance does not show in smartlog?
inside SandBlast Network 2019-08-12
views 137

Demonstration of Threat Prevention API on a local SandBlast / Threat Emulation Appliance

I have set up a lab to demonstrate the use of the API to pass files to an on-premise SandBlast Threat Emulation Appliance for scanning for zero-day threats. This allows organistations to have almost any part of their infrastructure refer files to SandBlast. We have seen several use cases, but the most common is a web infrastructure that accepts files from external users and passes them into a workflow system in the organistation's infrastructure. Customer wants to open a new account, and must provide proof of ID or other supporting document Customer has opened an insurance claim and must provide evidence of damage These files can be accepted by the web appication server from the customer, then checked for threats before passing on to the organistation's internal workflow system. The web infrastructure will receive a verdict from Check Point SandBlast and can then decide what to do, depending on the organisation's needs. The demonstration is created in a lab environment, which is documented in the video and the attached pdf file. The script used in the lab was created by Thomas Werner, and is available and documented here: Video of the demo with walk-through and explanation:   (view in My Videos)
Baasanjargal_Ts inside SandBlast Network 2019-08-12
views 88 1

User is using a lot of CPU issue

Hello,CP5400 appliance's CPU usage is about 100 % percent. By the picture, User is using cpu more than 90 %, I don't understand why is user spending too much CPU,