SandBlast Network

This space is where you can discuss SandBlast Advanced Network Threat Prevention for Security Gateways.

Gregory_Link inside SandBlast Network 2 hours ago
views 22 1

Looking for clarification on Threat Emulation Custom Password Configs

We are looking to create a custom password list using the SK below based on intel and active threats we've seen.  What I'm having trouble understanding though is why we need to add phrases as well given that threat emulation already knows what inbound emails to look at based on the extensions you have defined.  What value do we get out of this?
inside SandBlast Network 2 weeks ago
views 271 3

Files extensions for threat emulation missing

Hi, I am working on a case wherein we are demonstrating the capabilities of our Threat Emulation. We are running an R80.10 Gateway managed by an R80.20 Management Appliance. A trial NGTX license has been applied on the Gateway, and for some reason I am only seeing 7 file extensions being supported for Threat Emulation. I have verified that the license is correctly applied and contracts have been successfully attached. Both the Management Server and Gateway are connected to the Internet and are being regularly updated. Any updates on how to proceed will be highly appreciated. NOTE: It is a live network running for the last 1 year with NGTP license. Regards, Jaspreet Singh
Arth inside SandBlast Network 2019-10-26
views 196 1

Automatically sync AD with SmartEndpoint R80.20

Hello everyone,

I currently have a problem with a customer where the Active Directory does not automatically sync with their SmartEndpoint R80.20. Users created after the setup do not appear in the Users and Computers tab. I found sk102656, which says that the issue was fixed with the R80.10 update, but it does not seem to work for them. So before going too far, I'd like to know:
- If I go through the "Express Setup Wizard" again by linking the AD to the SmartEndpoint, it will work without any issue (OU or account duplication for example).
- If I can roll back changes if anything goes wrong?

Thanks for your answers 🙂
yudha_spt inside SandBlast Network 2019-10-11
views 279 1

Asymmetric Routing causing network slow and MTA issue

Hi CheckMates,

Condition based on topology (single TE1000X, with 4-port bypass interface & 1 LACP MTA port), please refer to the images below:
1. All 3 switches are in L3 mode with OSPF equal cost, meaning traffic will be asymmetric. Cannot use link bonding.
2. Position of Anti Spam in DMZ, and mail server in DC.

I have 2 problems:
1. Regarding condition 1 above, when we put TE as bridging we found 3 (three) logs that we suspect are causing the network to be slow.
- TCP packet out of state First packet isn't Sync
- TCP segment out of maximum allowed sequenced. Packet dropped.
- ICMP reply does not match a previous request
2. Traffic from anti-spam to mail server is already inspected by bridged interfaces instead of MTA.

Action:
1. I already disabled TCP packet out of state First packet isn't Sync on Global Properties and expert mode. The log does not show anymore after that.
2. I already allowed TCP segment out of maximum allowed sequenced on inspection settings. But the log still shows these messages.
3. We also already disabled ICMP reply does not match a previous request on Global Setting and expert mode, but the log still shows these messages too.

Could anybody please give me suggestions for:
1. How to deploy this TE in bridge mode with this condition?
2. How to bypass SMTP traffic from anti-spam to mail server in bridged mode, because when there is double-checking Threat Emulation traffic will be dropped. Or any best practice for this condition?

Thank you CheckMates.
inside SandBlast Network 2019-10-09
views 954 2

Advanced Threat Prevention RFP Template and testplan

Hi, as requested by many customers, attached please find an Advanced Threat Prevention RFP template and test plan. The latest document can be found @ Advanced threat prevention requirements
inside SandBlast Network 2019-10-04
views 9205 3 35

Understanding Threat Emulation logs

In a TE log you can find additional important information on how a file was processed:

In the example above "trusted source" means that this file was bypassed by the global whitelist, hence it was not emulated.

Different values explained:

Value | Comment
trusted source | file bypassed emulation due to Check Point maintained and automatically updated TE whitelist
emulator | file was locally emulated on a SandBlast Appliance
cloud emulation | file was sent to cloud emulation
remote emulation | file was sent to a remote SandBlast Appliance for emulation (this log is usually issued by a gateway connected to a SandBlast appliance)
static analysis | file was pre-filtered by static analysis and was not emulated
local cache | file's SHA1 was already found in cache (# tecli cache dump all) and was not emulated; action is based on the cached verdict
archive | handled file was an archive
logger | You get "logger" for a "malicious" file as verdict decider when the file was not successfully emulated but other advisories already convicted the file as malicious
file | When trying to emulate the file the actual file size was 0

In-depth info on e.g. static analysis, cache handling etc. can be found in the amazing ATRG: Threat Emulation SK: ATRG: Threat Emulation

With this knowledge you can easily query all files that e.g. were really sent to cloud for emulation:

With SmartLog's Timeline results you can even quickly check how the file amount was handled over a certain timeframe. This is also helpful for investigating performance/throughput issues.
inside SandBlast Network 2019-10-02
views 691 2

SandBlast Now TechTalk Video and Slides

Below is an excerpt from our TechTalk with @Nir_Naaman on Threat Hunting with Sandblast Now. Available to CheckMates members: Full Video Slides Q&A will be added as a comment to the post. (view in My Videos)  
inside SandBlast Network 2019-09-27
views 983 5 2

How do I verify Threat Emulation is working?

We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working:
Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.
Related:
Anti-Virus Test -- Downloads the standard EICAR AV test file
Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.
Chinmaya_Naik inside SandBlast Network 2019-09-26
views 415 7

Threat Prevention policy configuration when HTTP emulation on Private Cloud Appliance

Hi Team,

Pls help me with the configuration. As per the diagram, we have a Gateway with a TE Appliance. So basically we are using the TE appliance only for emulation, not for extraction; Threat Extraction is happening on the Gateway. So any file we download from the Internet first comes to the gateway, then the gateway sends that file to TE for emulation, then TE gives the verdict to the Gateway, then the gateway sends the file to the end user based on the policy. Correct me if I am wrong.

I need a clear idea about configuration and working. Is it required to set the Threat Prevention policy as Detect mode in TE Policy Package 2? If I enable Threat Extraction on TE policy package 2, then?

@Chinmaya_Naik
FedericoMeiners inside SandBlast Network 2019-09-25
views 282 1

ICAP limitations with ForcePoint Web Proxy

Hello,

I wanted to share with you some lessons learned by integrating ForcePoint Web Proxy and Sandblast via ICAP. We have two TE appliances; integration went well and smooth following the guides in Check Point and some reading of the ICAP RFC. The fun part was that we were only emulating uploaded files and no downloads (i.e. when we uploaded an attachment we could see it being emulated, but when we downloaded any file, nothing). We performed some PCAPs on download and upload traffic and we could only see REQMOD and 204 unmodified messages being sent; nevertheless with upload traffic we could even see the file. After escalating with both vendors, ForcePoint confirmed to us that they only supported uploads via ICAP since they only use it for DLP. Hope it is useful if you are planning a similar integration.

Regards,
Federico
inside SandBlast Network 2019-09-25
views 8174 19 57

ICAP Server on Sandblast Appliance (TEX)

ICAP Server

The official ICAP Server SK mentions requirements, release notes and general information regarding the new ICAP server functionality: Check Point support for Internet Content Adaptation Protocol (ICAP) server

ICAP Server is included since JHF 272.

Start:            # icap_server start
Stop:             # icap_server stop
Reconfiguration:  # icap_server reconf

Note: ICAP does not choose emulation images based on any of your TP profiles; so there is no need to configure a TP policy for ICAP but you need one to get emulation images on your SandBlast appliance

GUI configuration will be added to R80.20 (currently in controlled EA)

Choosing to emulate on all images will result in an attempt to emulate the files on all known images, even if some of them aren't available. "Recommended Images" means two images (Win7/Office2013, WinXP/Office2003-7)

Configuration

Configuration files

Filename | Location | Purpose
c-icap.conf | $FWDIR/c-icap/etc/ | ICAP Server process configuration file, e.g. for changing ICAP server port
c-icap.magic | $FWDIR/c-icap/etc/ | Filetypes supported by ICAP
virus_scan.conf | $FWDIR/c-icap/etc/ | e.g. for adding filetypes from c-icap.magic, maximum file size
libsb_mod.conf | $FWDIR/c-icap/etc/ | e.g. for adding filetypes from
 | $FWDIR/c-icap/scripts/ | Script used to send ICAP received files to TE API
Block message | $FWDIR/c-icap/share/c_icap/templates/virus_scan/en (-rwxr-x--- 1 admin bin  392 Mar 30 09:02 VIRUS_FOUND) | Block messages displayed when malware is found.
If you change them don't forget to run ICAP daemon reconf command

VIRUS_FOUND is used as template for a block message; this message can be localized

Configure emulation images

All or recommended images

Choose emulation on all images or only on recommended images:
Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
Change the field sb_mod.AllImages to off (for recommended) or on (for all)

Configure specific emulation images

Not officially supported but there is a way of selecting only specific images to emulate on:
Edit $FWDIR/c-icap/etc/libsb_mod.conf
Change the field AllImages to on
Edit $FWDIR/c-icap/scripts/
Add "#" in front of images you do not want to emulate on:

    image_to_name = {
        # 'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',
        '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',
        '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',
        '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',
        # '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',
        # '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',
    }

    te_images = [
        # {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},
        {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},
        {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},
        {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},
        # {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},
        # {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},
    ]

Adding Windows 10 image for ICAP emulation

Even though you activate the Win10 image in the GUI it will not be used by the ICAP emulation because the images for image are solely selected based on a configuration file.
To add the Win10 image follow this procedure:
Edit $FWDIR/c-icap/etc/libsb_mod.conf
Change the field AllImages to on
Edit $FWDIR/c-icap/scripts/ and add the following yellow lines:

    image_to_name = {
        'e50e99f3-5963-4573-af9e-e3f4750b55e2': 'WinXP,Office 2003/7,Adobe 9',
        '7e6fe36e-889e-4c25-8704-56378f0830df': 'Win7,Office 2003/7,Adobe 9',
        '8d188031-1010-4466-828b-0cd13d4303ff': 'Win7,Office 2010,Adobe 9.4',
        '5e5de275-a103-4f67-b55b-47532918fa59': 'Win7,Office 2013,Adobe 11',
        '3ff3ddae-e7fd-4969-818c-d5f1a2be336d': 'Win7 64b,Office 2013,Adobe 11',
        '6c453c9b-20f7-471a-956c-3198a868dc92': 'Win8.1 64b,Office 2013,Adobe 11',
        '10B4A9C6-E414-425C-AE8B-FE4DD7B25244': 'Win10 64b,Office 2016, Adobe DC'
    }

    te_images = [
        {'id': 'e50e99f3-5963-4573-af9e-e3f4750b55e2', 'revision': 1},
        {'id': '7e6fe36e-889e-4c25-8704-56378f0830df', 'revision': 1},
        {'id': '8d188031-1010-4466-828b-0cd13d4303ff', 'revision': 1},
        {'id': '5e5de275-a103-4f67-b55b-47532918fa59', 'revision': 1},
        {'id': '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', 'revision': 1},
        {'id': '6c453c9b-20f7-471a-956c-3198a868dc92', 'revision': 1},
        {'id': '10B4A9C6-E414-425C-AE8B-FE4DD7B25244', 'revision': 1}
    ]

Attaching an ICAP Client

Configure the ICAP client to communicate with the ICAP server's "sandblast" service.
For example: icap://<ip address>:1344/sandblast

Logging

General logging

Logging (besides benign/malicious findings) is currently limited to the following log files – so no ICAP daemon logs in the GUI/SmartLog:
$FWDIR/log/c-icap/server.log
$FWDIR/log/c-icap/access.log

To extend the by default limited access log follow these steps:
vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
Search for "AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log"
Add this line before the above finding:
    LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
Change the AccessLog line to:
    AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the section in c-icap.conf should now look like this:

    LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
    AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

Enable logging of benign files

Enable/Disable logs on benign files:
Open for editing: $FWDIR/c-icap/etc/libsb_mod.conf
Change the field sb_mod.LogBenign to on

Debug logging

To enable debug logging:
Open for editing: $FWDIR/c-icap/etc/c-icap.conf
Change DebugLevel value to: 7
Restart the c-icap service.
Note! Enabling debug logs can affect performance.

ICAP daemon troubleshooting

Start manually and get errors on startup

To get ICAP server daemon error messages on the terminal when starting, launch the daemon with:

    # $FWDIR/c-icap/bin/c-icap -N -D -d 10 -f $FWDIR/c-icap/etc/c-icap.conf

Verify ICAP daemon is running

    [Expert@sandblast]# netstat -na | grep 1344

Result should show:

    tcp        0      0      *                   LISTEN

    [Expert@sandblast]# ps ax | grep c-icap

Result should show:

    16443 ?        Ss     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
    16448 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
    16453 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
    16460 ?        Sl     0:00 c-icap -N -f /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
    19319 pts/2    S+     0:00 grep c-icap

ICAP Server response codes

    {100, "Continue"},           /*Continue after ICAP Preview */
    {200, "OK"},
    {204, "Unmodified"},         /*No modifications needed */
    {206, "Partial Content"},    /*Partial content modification*/
    {400, "Bad request"},        /*Bad request */
    {403, "Forbidden"},
    {404, "Service not found"},  /*ICAP Service not found */
    {405, "Not allowed"},        /*Method not allowed for service (e.g., RESPMOD requested For service that supports only REQMOD). */
    {408, "Request timeout"},    /*Request timeout.  ICAP server gave up waiting for a Request from an ICAP client */
    {500, "Server error"},       /*Server error.  Error on the ICAP server, such as "out of disk

ICAP Performance statistics

Something I found on the web regarding c-icap performance statistics - did not have time to verify it by now but maybe someone can do and give feedback:
Blason_R inside SandBlast Network 2019-09-19
views 310 6

TE appliance VM's

Hello, I would like to find the total number of VMs in a TE appliance, like 28 or 56 as per device. Is there any way to find it? Plus, to find the emulation quota on a local TE appliance. Thanks in advance.
GGiorgakis inside SandBlast Network 2019-09-10
views 207 2

Threat emulation - Email content

Is there any possibility for TE to search for characters/words/content of the email subject and body? If yes, how can we implement the requested configuration in TE R80.20?
Shahar_Grober inside SandBlast Network 2019-09-06
views 468 6

MTA AV Exceptions

Hi, AV in MTA is blocking one of our emails coming from a trusted source. This is a false positive. The only option I see to exclude the sender mail address is in IPS profile --> Threat Emulation --> Excluded Mail Addresses. Is there a way to exclude emails from MTA scanning until the issue is resolved with the AV?
Alessandro_Marr inside SandBlast Network 2019-08-30
views 2820 8 3

ICAP client on R80.20 and 3rd DLP Server Symantec

Hello all, could anyone share a configuration example of using R80.20 as an ICAP client for a Web Prevent Symantec DLP Server? When I try, the gateway doesn't understand a message to block that came from the DLP server. Thanks. Regards.