This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2025-07-25 01:13 PM

Exceptional Blockages in TP

Hi, Mates

I have an MDS environment in combination with VSX.

In some of my VSX Clusters, I have some VS that have AV/AB/IPS enabled.

I have the need to create a point block on some of the VS, for example for the Malware “Malware.TC.8502EJGJ”. The problem is that it does not allow me to do it when I am standing in the “Security Policies -> My Policy Package -> Threat Prevention -> Exceptions” section.

TP1.jpg

This configuration can only be done by the Global Domain of the MDS?

Can't it be done uniquely in the CMA I need?

I have traffic that is only being “Detected” when the TP profile I have, indicates that it should be “Prevented” but still, the traffic is going through, and I need to block it somehow.

Thanks for your comments.

0 Kudos
13 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-07-25 04:09 PM

Hey bro,

Is that option not present when you are logged into CMA's smart console?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-07-25 04:46 PM
In response to the_rock

Hey.

The option appears when you connect to the CMA, but you cannot configure anything.

The only way, is that you enter the MDS Global Domain, and from there it allows you to create what you need, but then, it only works in MDS environments with VSX?

Can't you just configure this, being “stopped” in the CMA you need?

Not all my CMAs need to have “Global Exceptions” configuration.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-07-25 04:50 PM
In response to Matlu

I see, thats the screenshot you posted. Hm...what if you add new exceptions "package" on the top and not use global one? See if that lets you add a new rule.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-25 04:46 PM

You should be able to create a specific rule in the Threat Prevention policy on the CMA that will basically do the same thing.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-07-25 05:01 PM
In response to PhoneBoy

Hi,
Can I create a rule in Threat Prevention Policy, for a specific malware? For example for "Malware.TC.8502EJGJ" for a single segment of my internal network?
Cheers.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-28 04:40 AM
In response to Matlu

Generally, yes, though not sure on the generic ThreatCloud protections (which this is).

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-07-28 07:06 AM
In response to PhoneBoy

What is the best alternative in scenarios where you need to block multiple domains discovered that have a bad reputation (malicious)?

 

Is it to use the URLF Blade for these cases? Maybe create a ‘Custom/Applications Site’?

 

Our AV/AB profile is ‘ignoring’ the blocking of domains that it should be blocking according to our profile (Traffic is being tagged as ‘Detect’)

 

We want a safe way to generate the blocking of these domains

This can be done only as URLF? Because I don't see the option in AV/AB to block based on Malware type.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-28 12:11 PM
In response to Matlu

You can create a Custom Application/Site object with the relevant domains.
This object can be used in the Threat Prevention policy in addition to the Access Policy.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-07-28 03:53 PM
In response to PhoneBoy

Hi

The ‘Custom/Applications Site’ can be used without activating the URLF blade?

If I put it in an explicit rule in the TP layer, the GW is able to do the filtering if I only have active blades like AV/AB?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-29 05:44 AM
In response to Matlu

Custom Application/Site Objects require either App Control or URL Filtering to be usable in the Access Policy.
They can also be used in Threat Emulation without activating either of these blades. 

0 Kudos
ClausOCD
Explorer
‎2025-07-28 07:36 AM

From your screenshot it looks like you are trying to configure the wrong 'Global Exceptions' policy.

The one with a 'G' in the icon are read-only and handled from the Global Policy.

Try to click on 'Global Exceptions' (without G in icon) and then try to 'Add exceptions'

0 Kudos
ClausOCD
Explorer
‎2025-07-28 08:28 AM

From the screenshot, it looks like you are trying to configure the 'Global Exceptions' handled by the Global Policy (G in icon). Thats only possible from the Global Policy.

Try to click on 'Global Exceptions' (without G in icon) and then 'Add Exception'

the_rock
MVP Diamond
MVP Diamond
‎2025-07-29 06:17 AM
In response to ClausOCD

That sounds very logical, for sure.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events