Where are the more detailed videos?
In Check Point for Beginners: Videos: Configuring Access Control and Threat Prevention
Do other third parties also leverage Threatcloud AI?
Yes! We’re working with several OEMs, cybersecurity companies, MSSPs, and end-customers who are using our API for a variety of use cases—including prevention, automation (within SIEM/SOAR), and response.
How is the DNS queries check performed, at the endpoint or also at gateway level?
It can be done on both.
When a new Check Point customer is activated, regardless of which service it is contracting from Check Point, is its brand added to the Brand Spoofing Database?
The Brand Spoofing Database is managed by our AI model system and is updated based on real-world traffic and intelligence-driven criteria.
How does HTTP Inspection work on QUIC connections?
We support QUIC with HTTPS Inspection as of R82.
What effect does enabling additional Threat Prevention blades have on performance?
Most Threat Prevention blades share the same infrastructure as what is used for Application Control and URL Filtering. The performance impact of additional blades is minimal.
HTTPS Inspection has its own unique impact as it requires maintaining two connections (from client to gateway, and from gateway to server).
For outbound TLS/HTTP inspection, is a DNS lookup performed?
Yes, the HTTPS inspection includes DNS verifications - that's needed to verify the Subject Name field content in the certificate. Since R80.30 a lot of improvements have been made. The latest improvements in R82 allow detecting TLS handshake failures that may result from DNS lookup failures. These client and server side failure detections reduced CPU cycles. In addition, learning mode allows creating a list of resources where we can't apply inspection, and the TLS parser has been improved to save CPU cycles as well. Then we have CPU bypass under load: in case there is too much TLS traffic, some traffic will be bypassed until the CPU load gets lower and the gateway again takes TLS connections for inspection.
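The answer above describes two things an inspecting gateway checks before it trusts a server certificate for a flow: the requested name must match the certificate's Subject Alternative Name, and the destination IP must be consistent with what DNS says for that name. The following is an added illustrative model of those two checks, not Check Point code; the SAN list, the DNS answer and the `(kind, value)` tuple shape are constructed for the example.

```python
"""Illustrative model (added example, not Check Point code) of two checks an HTTPS
inspecting gateway can make before trusting a server certificate for a connection:
1. the name the client asked for must match a Subject Alternative Name in the cert;
2. the IP the client actually connected to must be one that the name resolves to
   (the "DNS verification" step; the DNS answer is passed in as constructed data).
"""
import ipaddress


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match of one DNS SAN entry (optionally wildcarded) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is only honoured as the entire leftmost label, it never spans a dot,
    # and it must leave at least two fixed labels (so "*.com" is not accepted).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_san(hostname, san_entries):
    """True if hostname (a DNS name or an IP literal) matches one SAN entry.

    san_entries is a list of (kind, value) tuples with kind "DNS" or "IP", the
    shape a certificate parser would hand back; constructed here, not a library API."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP SAN entry: ignore it rather than match it
    return False


def verify_connection(requested_host, dest_ip, resolved_ips, san_entries):
    """Combine both checks. resolved_ips stands in for the gateway's own DNS lookup of
    requested_host; in this example the lookup result is supplied as constructed data."""
    name_ok = hostname_matches_san(requested_host, san_entries)
    dns_ok = dest_ip in resolved_ips
    return {
        "name_matches_san": name_ok,
        "dest_ip_in_dns_answer": dns_ok,
        # Only when both hold is the certificate treated as belonging to this flow.
        "trust_certificate": name_ok and dns_ok,
    }


# Constructed sample SAN list and DNS answer (documentation address space).
SAMPLE_SAN = [("DNS", "www.example.com"), ("DNS", "*.cdn.example.com"), ("IP", "203.0.113.10")]
SAMPLE_DNS = {"www.example.com": ["203.0.113.10", "203.0.113.11"]}

if __name__ == "__main__":
    for host, ip in [("www.example.com", "203.0.113.10"), ("www.example.com", "198.51.100.5")]:
        print(host, ip, verify_connection(host, ip, SAMPLE_DNS.get(host, []), SAMPLE_SAN))
```

The second sample flow shows why the DNS step matters: the certificate name matches the requested host, yet the client is talking to an address that name never resolves to, so the gateway should not treat the certificate as covering that flow.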
Why Internet object over ExternalZone?
You can also use ExternalZone. In fact, this is necessary when Application Control is not used.
Had a customer ask me last week if all this could technically work if they don't have HTTPS Inspection enabled? I logically assume it can, but it would be super basic... thoughts?
Threat Prevention is less effective without HTTPS Inspection, but it still provides some benefits.
Is it recommended to use a set of policies with network and application layers, or is it better to use only one layer with inline layers?
There are reasons for both approaches, and sometimes you will mix Ordered and Inline Layers. Where an inline policy makes the most sense is for outbound Internet access.
Where can I get more info on the domains_tool?
The product documentation and sk161632.
Does Check Point have different internal and publicly available URL categorization databases?
URL Filtering and Threat Prevention blades use different databases. It is important to review the full log card to see which blade is blocking the communication so the right action can be done to remediate the situation. If the blade is URL Filtering, it is a miscategorization. If the blade is one of the Threat Prevention blades (e.g. Anti-Bot, Anti-Virus), it is a false positive.
On the Threat Extraction attached files inspection, is there an SLA or even SLO in terms of analysis speed (number of bytes analysed per second), including the interval to have the file released for the customer?
On average, Threat Extraction performs inspections very quickly and is designed to avoid disrupting normal workflows. The specific SLO can vary depending on the file type, presence of macros, embedded functions, as well as the machine’s CPU.
CDR usually destroys files; is CP safe to use?
You have two options:
- Change format to PDF
- Clean the file from active objects, but leave the file in the original format.
In addition, you can get the original file, assuming it goes through the protection engines; this is done via the browser extension.
What about network protocols required in certain web page like SSL or TLS?
This is an example where you can use an inline layer.
The top-level rule permits access to the specific web page (by FQDN or IP) and then, in the inline layer, allows only, e.g., TLS 1.3 and blocks anything else.
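As an added example of the decision the inline layer has to make (this is illustrative code, not Check Point's implementation), the block below parses a TLS ClientHello, matches the site on its SNI and checks whether the client offers TLS 1.3 at all. The `build_client_hello` helper only exists to construct sample records for the example; the extension numbers (0 for server_name, 43 for supported_versions) and version bytes are the standard TLS values.

```python
"""Added example (not Check Point code): decide, from a TLS ClientHello, whether a flow
to the permitted site could ever negotiate TLS 1.3, which is the information an inline
"allow only TLS 1.3" rule needs at the first client packet."""

TLS13 = b"\x03\x04"
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b


def build_client_hello(legacy_version=b"\x03\x03", supported_versions=None, sni=None):
    """Construct a minimal but well-formed ClientHello record (sample input for the example)."""
    body = legacy_version + bytes(32)          # legacy_version + 32-byte random
    body += b"\x00"                            # empty legacy_session_id
    body += b"\x00\x02\x13\x01"                # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                        # one compression method: null
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type 0 = host_name
        data = len(entry).to_bytes(2, "big") + entry
        exts += EXT_SERVER_NAME.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    if supported_versions:
        vs = b"".join(supported_versions)
        data = bytes([len(vs)]) + vs
        exts += EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello(record):
    """Extract legacy_version, supported_versions and SNI from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    info = {"legacy_version": body[pos:pos + 2], "supported_versions": [], "sni": None}
    pos += 2 + 32                                          # skip version and random
    pos += 1 + body[pos]                                   # skip session id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")    # skip cipher suites
    pos += 1 + body[pos]                                   # skip compression methods
    if pos + 2 > len(body):
        return info                                        # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS and edata:
            n = edata[0]
            info["supported_versions"] = [edata[i:i + 2] for i in range(1, 1 + n, 2)]
        elif etype == EXT_SERVER_NAME and len(edata) >= 5:
            name_len = int.from_bytes(edata[3:5], "big")
            info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
    return info


def highest_offered_version(info):
    """Highest real TLS version the client offers (GREASE values such as 0x0a0a are skipped)."""
    real = [v for v in info["supported_versions"] if v[0] == 0x03]
    return max(real) if real else info["legacy_version"]


def inline_layer_decision(record, permitted_fqdn):
    """Emulate the inline layer: accept only if the flow is to the permitted site (matched
    here on SNI) and offers TLS 1.3. A client that never offers 0x0304 cannot end up on
    TLS 1.3, so it can be refused before any server traffic is seen."""
    try:
        info = parse_client_hello(record)
    except ValueError:
        return "drop"
    if info["sni"] != permitted_fqdn:
        return "drop"
    return "accept" if highest_offered_version(info) == TLS13 else "drop"


if __name__ == "__main__":
    sample = build_client_hello(supported_versions=[TLS13, b"\x03\x03"], sni="www.example.com")
    print(parse_client_hello(sample), inline_layer_decision(sample, "www.example.com"))
```

The check is deliberately one-sided: a ClientHello that offers TLS 1.3 only proves the client is willing, and the version actually negotiated is settled by the ServerHello, so a strict enforcement point also needs to look at the server side of the handshake.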
Can you run Windows 11 emulation on on-premise Threat Prevention appliances?
Yes, we are able to run Win11 on the TE2000XN appliance; please see sk180619 for more information.
What's the roadmap for Private ThreatCloud?
Private ThreatCloud is out-of-scope for this session. However, please reach out to your local Check Point office.
How to calculate impact of turning DNS security in hold mode?
You control this in malware_config as described in sk92224. Note that using DNS in hold mode may cause delays up until the DNS cache of hosts is populated.
We have so many customers that create only one Threat Prevention rule: source: any / destination: any / scope: any. Is it recommended?
Any to any Threat Prevention means you apply TP without helping the engines to understand the expected flow of communication. I don't recommend this as it adds load to the gateway. If you define the internal networks as protected scope, you protect the outbound traffic from the internal networks with the lowest possible resources.
Is there any open database from Check Point's side to configure network/IOC feeds to block malicious IPs and domains?
ThreatCloud AI is primarily designed for detection and investigation purposes. But, stay tuned - we’re working on some exciting updates, that will introduce new feeds!
Do you suggest using Autonomous Threat Prevention on environments that have Maestro with VSX?
In these environments, it's best to use the recommended custom TP policy; Autonomous is more for small to medium perimeter gateways.
Can Check Point firewalls use any open or public IOC feeds from Check Point itself to block malicious indicators?
You can leverage your own feeds with ioc_feeds and Network Feed objects.
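Since a custom feed is applied by the gateway as-is, the part worth getting right is validating it before publishing. The block below is an added example (not Check Point code) that normalises a list of indicators, rejects internal address space and junk, and de-duplicates; the indicator type names and the output column layout are assumptions made for the example and must be mapped to the feed format given in the product documentation.

```python
"""Added example (not Check Point code): sanity-check a home-grown indicator feed before
it is published to the gateway. The type names ("ip", "domain", "url") and the CSV column
layout below are assumptions for this example, not the product's own feed format."""
import csv
import io
import ipaddress
import re

# Address space a blocking feed must never contain: one bad line would cut internal traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify_indicator(raw):
    """Return (kind, normalised_value, reject_reason); kind is None when rejected."""
    v = raw.strip().lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in INTERNAL_NETS):
            return None, v, "internal or loopback address"
        return "ip", str(ip), ""
    if v.startswith(("http://", "https://")):
        return "url", v, ""
    if DOMAIN_RE.match(v):
        return "domain", v, ""
    return None, v, "not an IP address, domain or URL"


def build_feed(raw_lines):
    """Turn free-form input lines into (accepted entries, rejected (line, reason) pairs)."""
    accepted, rejected, seen = [], [], set()
    for line in raw_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments
        kind, value, reason = classify_indicator(line)
        if kind is None:
            rejected.append((line, reason))
            continue
        if (kind, value) in seen:
            rejected.append((line, "duplicate"))      # same indicator, different spelling
            continue
        seen.add((kind, value))
        accepted.append({"name": f"ioc-{len(accepted) + 1}", "value": value, "type": kind})
    return accepted, rejected


def render_csv(entries):
    """Serialise accepted entries as CSV (name,value,type); assumed layout, see lead-in."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["name", "value", "type"])
    for e in entries:
        writer.writerow([e["name"], e["value"], e["type"]])
    return out.getvalue()


# Constructed sample input, including a comment, a duplicate, an internal IP and junk.
SAMPLE_LINES = [
    "# constructed feed for the example",
    "203.0.113.10",
    "malware.example.net",
    "MALWARE.example.net",
    "10.0.0.5",
    "https://phish.example.org/login",
    "not a domain!",
]

if __name__ == "__main__":
    ok, bad = build_feed(SAMPLE_LINES)
    print(render_csv(ok))
    for line, why in bad:
        print("rejected:", line, "->", why)
```

Rejected lines are reported with a reason rather than silently dropped, so a feed that suddenly shrinks after an upstream change is noticed instead of leaving gaps in coverage.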
Is there any plan to implement something similar to the Network Discovery policy in the Cisco Firepower infrastructure (listening to the network, collecting information about systems in VLANs, creating proposals to disable/enable specific IPS protections on that VLAN)?
We do have plans to release a new feature that monitors network behavior and provides actionable insights for IPS protections.
I am wondering if AI will be enabled for on-prem solutions.
It is already possible to connect your on-premise management to Infinity Portal to leverage various AI-enabled offerings. The functionality will be determined by the amount of data you choose to share or allow access to.