Blason_R inside SandBlast Network 9 hours ago
views 99 6

TE appliance VMs

Hello, I would like to find the total number of VMs in a TE appliance (like 28 or 56, as per device). Is there any way to find this, plus the emulation quota on a local TE appliance? Thanks in advance.
GGiorgakis inside SandBlast Network a week ago
views 111 2

Threat emulation - Email content

Is there any possibility for TE to search for characters/words/content in the email subject and body? If yes, how can we implement the requested configuration in TE R80.20?
Shahar_Grober inside SandBlast Network 2 weeks ago
views 284 6

MTA AV Exceptions

Hi, AV in MTA is blocking one of our emails coming from a trusted source. This is a false positive. The only option I see to exclude the sender mail address is in IPS profile --> Threat Emulation --> Excluded Mail Addresses. Is there a way to exclude emails from MTA scanning until the issue is resolved with the AV?
Alessandro_Marr inside SandBlast Network 3 weeks ago
views 2384 8 3

ICAP client on R80.20 and 3rd-party DLP server (Symantec)

Hello all, could anyone share a configuration example of using R80.20 as an ICAP client for a Symantec Web Prevent DLP server? When I try it, the gateway doesn't understand the block message coming from the DLP server. Thanks. Regards.
Eric_Lindsey1 inside SandBlast Network 4 weeks ago
views 153 2

MTA email data missing from logging

We are using our Check Point appliance as an MTA. External email is directed to Check Point and then to our internal email servers. We are also threat emulating attachments. If an email comes into the system and passes through Check Point with no attachment, we do not see any of the email data in SmartLog. If the email has an attachment and Threat Emulation emulates the file, we see the subject, sender and recipient in SmartLog. Is there any reason the normal email just passing through the appliance does not show in SmartLog?
Andy_Nicholson
inside SandBlast Network 2019-08-12
views 104
Employee

Demonstration of Threat Prevention API on a local SandBlast / Threat Emulation Appliance

I have set up a lab to demonstrate the use of the API to pass files to an on-premise SandBlast Threat Emulation Appliance for scanning for zero-day threats. This allows organisations to have almost any part of their infrastructure refer files to SandBlast. We have seen several use cases, but the most common is a web infrastructure that accepts files from external users and passes them into a workflow system in the organisation's infrastructure:

- A customer wants to open a new account, and must provide proof of ID or another supporting document.
- A customer has opened an insurance claim and must provide evidence of damage.

These files can be accepted by the web application server from the customer, then checked for threats before being passed on to the organisation's internal workflow system. The web infrastructure will receive a verdict from Check Point SandBlast and can then decide what to do, depending on the organisation's needs.

The demonstration is created in a lab environment, which is documented in the video and the attached PDF file. The script used in the lab was created by Thomas Werner, and is available and documented here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Using-SandBlast-API-from-commandline/m-p/40312

Video of the demo with walk-through and explanation:
Baasanjargal_Ts inside SandBlast Network 2019-08-12
views 64 1

User is using a lot of CPU

Hello, the CP5400 appliance's CPU usage is about 100 %. By the picture, user is using CPU more than 90 %. I don't understand why user is spending so much CPU.
Nick_Doropoulos inside SandBlast Network 2019-08-04
views 521 1

Threat Emulation cache: same thing as the database?

Just one question: are the Threat Emulation cache and the database that the TE-enabled GW compares an incoming file's hash against one and the same thing? Many thanks in advance.
samtech4u inside SandBlast Network 2019-08-02
views 366 1

Threat Prevention malware hash value

Hi, may I know how to get the hash value of a threat detected by Threat Prevention on Check Point R77.30? The logs only show the .eml file / packet capture file.
Dan_Roddy inside SandBlast Network 2019-08-01
views 407 3

Threat Extraction results benign and file is empty.

We have a problem with downloading files (PDF, XLS and CSV) that have been evaluated for threats by TE cloud: the results are benign, but the files saved are empty (zero bytes). Trying to get my case worked on by TAC, but they say no one is available. What has consumed all support?
Peter_Baumann inside SandBlast Network 2019-07-31
views 965 2

MTA NDR with "-oi" as sender

Hi all,

At a customer we have set up the following configuration according to this:
ATRG: Mail Transfer Agent (MTA)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109699

Since we check the logs for error messages, we sometimes see the following when the MTA is sending "non-delivery messages" (NDR):

Jul 22 13:47:04 2019 fwvsx01 postfix/pickup[30252]: 45sfwS1bk8z5x1D: uid=0 from=
Jul 22 13:47:04 2019 fwvsx01 postfix/cleanup[13678]: 45sfwS1bk8z5x1D: message-id=<45sfwS1bk8z5x1D@fwvsx01.domain.com>
Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: from=, size=283, nrcpt=2 (queue active)
Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)
Jul 22 13:47:04 2019 fwvsx01 postfix/smtp[13664]: 45sfwS1bk8z5x1D: to=, relay=1.3.2.3[1.3.2.3]:25, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 389501CC2D)
Jul 22 13:47:04 2019 fwvsx01 postfix/bounce[4398]: 45sfwS1bk8z5x1D: sender non-delivery notification: 45sfwS1kG7z5x1F
Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: removed

The relevant part of the log above is the following:

Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)

I figured out that the parameter "-oi" is used in the Postfix sendmail binary:
http://www.postfix.org/sendmail.1.html
-oi When reading a message from standard input, don't treat a line with only a . character as the end of input.

So it seems to me that some script is running wrong. Has any of you also seen this? Is there any fix for this problem?

Thanks,
Peter
GGiorgakis inside SandBlast Network 2019-07-25
views 624 1

Threat Emulation blocks an email as malicious but we need to release it (false positive)?

Is there any way to release an email which was blocked by TE?
Leonardo_Ferrei inside SandBlast Network 2019-07-19
views 1695 7 3

Problem downloading large files when the SandBlast Appliance is set as ICAP server

Hello guys,

We set the SandBlast Appliance as ICAP server for a Fortigate gateway. The traffic is redirected as expected and the SandBlast appliance is doing its job, except for large files (I've noticed files bigger than 400MB). The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the icap process on the SandBlast appliance they are able to download their files. Did anyone get the same problem?

SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.

Best regards,
Leonardo Santos
GGiorgakis inside SandBlast Network 2019-07-11
views 252 1

Migrating R77.30 standalone to new management server distributed R80.20

What is the best practice to migrate an R77.30 standalone into a distributed R80.20 environment?
Robert_Mueller inside SandBlast Network 2019-07-09
views 9999 5 12

Block specific file extension

Hi, is there a way to block specific file extensions? In my case iqy and slk files. I know that they are supported in the newest engine, but how can I block them? I can't specify them in the SmartConsole and I've tried to block them with the "prohibited file types" (tecli command) but it won't work... I want to block all files with those extensions when they arrive via mail...

Br,
Robert