Serhii_Yaholnyt
Contributor

Threat Emulation without agent does not work properly

Hi all. We have an R77.30 gateway and a local SandBlast appliance. When we try to enable HTTP emulation, our users cannot download files from the internet on the first attempt: the download freezes at about 90%. When the user downloads the file a second time, it is successfully downloaded. So we opened a service request and got the answer that "system works as designed and in order to be able to work with HTTP/S + hold you need to use agent [sandblast extension + SBA [endpoint solution]] and use background on the GW". Isn't that strange? One of the main advantages of Check Point is that it can hold a file before downloading, and now we discover that it cannot do it: we have to install an agent to have that possibility. Has anybody faced such a problem? Why is this information not in the Threat Prevention Admin Guide?

13 Replies
Thomas_Werner
Employee Alumnus

Hi Serhii,

HTTP/S hold mode is supported without the Agent's browser plugin.

The expected user experience when a file is downloaded and needs to be emulated is that the browser download "stalls" at 99% until the emulation finishes. Afterwards the user should get the option to access/save the file.

To achieve this the GW will send keep-alive packets to the user's browser so that the download session does not die during the delay that emulation introduces.

This method works and is also in use by customers. But it could be that an intermediate proxy causes trouble. So please share a bit more info about your setup.


Regards Thomas

Serhii_Yaholnyt
Contributor

Hello, Thomas,

We expected that our gateway would work in the way you described, but unfortunately it does not. As for our setup: we have an R77.30 HA cluster of 5600 appliances. Emulation is performed on a local TE1000X appliance. This TE1000X appliance has access to the internet through a Squid proxy (but I don't think it could have an impact). Users have access to the internet through the Check Point HA cluster, which is used as a non-transparent proxy (it is not behind Squid; it has direct access to the internet). Between the users and the Check Point gateway there is no proxy, only switches and routers.

Best regards,
Serhii

Serhii_Yaholnyt
Contributor

Also, we have noticed that everything works fine when we use Cloud Emulation.

Thomas_Werner
Employee Alumnus

That is strange and sounds like a problem with the local TE appliance.

Can you share the $FWDIR/log/TED.ELG logs from a recent test when local emulation was done?

Regards Thomas

Serhii_Yaholnyt
Contributor

Hi, Thomas.
It took a while to replicate the problem and collect logs, as it is a production environment and we have switched to cloud emulation. There is a huge amount of logs for a single event; do I have to look for a specific record? I see no errors or warnings there...

Thomas_Werner
Employee Alumnus

Hi Serhii,

So first I would check for an overload situation on the TE.

In TED.ELG you can find lines similar to this:

[ 24212 4079982336][18 Apr 16:00:54] [TE_TRACE]: {0D068F9A-A4DB-1A4F-B3B0-41E631684689} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (1876 requests in queue, 28 running emulation VMs)

If you search for all lines containing e.g. "requests in queue" you get a quick understanding of whether running VMs constantly increase or, in the worst case, whether running VMs hit the limit and requests increase.

If you are in hold mode and your TE does not immediately provide a VM to emulate the downloaded file, you could experience the problems you described. That's why it is very important to size emulators to peak file limits in HTTP hold mode.

Regards Thomas
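
As an added worked example (not code from the thread, and not a Check Point tool): a small Python script that does the check Thomas describes, pulling every "requests in queue" line out of a TED.ELG extract and reporting whether the running-VM count plateaued while the queue kept growing. The log lines embedded in the script are constructed for the example in the format of the line quoted above (only the 16:00:54 line is the real one from the post); the saturation heuristic (queue strictly growing across consecutive samples taken at the peak running-VM count) is my assumption, not a Check Point threshold.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Pattern for the "Adding emulation request" lines in $FWDIR/log/TED.ELG,
# built from the single line format quoted in the post above.
LINE_RE = re.compile(
    r"\[\s*\d+\s+\d+\]\[(?P<ts>[^\]]+)\]\s+\[TE_TRACE\]:\s+"
    r"\{(?P<req>[0-9A-Fa-f-]+)\}\s+Adding emulation request on Image: '(?P<image>[^']+)', "
    r"Run: (?P<run>\d+), Priority: (?P<prio>\w+) "
    r"\((?P<queued>\d+) requests in queue, (?P<running>\d+) running emulation VMs\)"
)

# Constructed sample extract: the 16:00:54 line is the one quoted in the thread,
# the others are made up to show a queue building while running VMs sit at 28.
SAMPLE_TED_LOG = """\
[ 24212 4079982336][18 Apr 15:58:01] [TE_TRACE]: {11111111-0000-0000-0000-000000000001} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (0 requests in queue, 12 running emulation VMs)
[ 24212 4079982336][18 Apr 15:59:20] [TE_TRACE]: {11111111-0000-0000-0000-000000000002} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (3 requests in queue, 28 running emulation VMs)
[ 24212 4079982336][18 Apr 15:59:48] [TE_TRACE]: {11111111-0000-0000-0000-000000000003} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (41 requests in queue, 28 running emulation VMs)
[ 24212 4079982336][18 Apr 16:00:10] [TE_TRACE]: some unrelated trace line that the parser must skip
[ 24212 4079982336][18 Apr 16:00:54] [TE_TRACE]: {0D068F9A-A4DB-1A4F-B3B0-41E631684689} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (1876 requests in queue, 28 running emulation VMs)
"""

# Constructed extract of a TE that is keeping up: the queue never builds.
HEALTHY_TED_LOG = """\
[ 24212 4079982336][18 Apr 10:00:01] [TE_TRACE]: {22222222-0000-0000-0000-000000000001} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (0 requests in queue, 10 running emulation VMs)
[ 24212 4079982336][18 Apr 10:00:09] [TE_TRACE]: {22222222-0000-0000-0000-000000000002} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (0 requests in queue, 10 running emulation VMs)
"""


@dataclass
class QueueSample:
    ts: str
    queued: int
    running: int


def parse_ted_log(text: str) -> List[QueueSample]:
    """Keep only the queue depth and running-VM count from each matching line."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            samples.append(QueueSample(m["ts"], int(m["queued"]), int(m["running"])))
    return samples


def assess_capacity(samples: List[QueueSample]) -> Dict[str, object]:
    """Summarise the manual check from the post: peak running VMs, peak queue
    depth, and whether the TE looks saturated. Saturated (my heuristic) means
    the running-VM count sat at its peak while the queue kept growing, which in
    HTTP hold mode is exactly when users see downloads stall."""
    if not samples:
        return {"peak_running": 0, "peak_queued": 0, "saturated": False}
    peak_running = max(s.running for s in samples)
    peak_queued = max(s.queued for s in samples)
    at_plateau = [s for s in samples if s.running == peak_running]
    queue_growing = len(at_plateau) >= 2 and all(
        later.queued > earlier.queued for earlier, later in zip(at_plateau, at_plateau[1:])
    )
    return {"peak_running": peak_running, "peak_queued": peak_queued, "saturated": queue_growing}


def main(argv: List[str]) -> None:
    # Usage: python te_queue_check.py [/path/to/TED.ELG]; with no path the
    # constructed sample is analysed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TED_LOG
    samples = parse_ted_log(text)
    for s in samples:
        print(f"{s.ts}: {s.queued:5d} queued, {s.running:3d} running VMs")
    print(assess_capacity(samples))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the script reports a plateau of 28 running VMs with the queue climbing to 1876, i.e. the overload Thomas warns about; on the healthy extract it reports no saturation. Run it against a TED.ELG extract covering the minutes around a stalled download to tell a capacity problem apart from the hold-mode keep-alive issue discussed earlier in the thread.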

PhoneBoy
Admin

I recommend getting the TAC involved to troubleshoot.

Serhii_Yaholnyt
Contributor

I mentioned in the original post that we had opened an SR and got the answer "system works as designed and in order to be able to work with HTTP/S + hold you need to use agent [sandblast extension + SBA [endpoint solution]] and use background on the GW".

PhoneBoy
Admin

OK, missed that.

What SR is it?

Please send in a private message and I'll investigate.

PhoneBoy
Admin

Note that, in general, SandBlast Agent will provide a better end user experience.

That said, what you're trying to do with local emulation should work according to my contacts in R&D.

This should continue to be investigated with your previous TAC case.

Charris_Lappas
Collaborator

This is a well-known issue. In short, the GW intercepts the file and sends it for emulation. The endpoint client that is downloading the file believes there is a problem with the download and fails. After a couple of tries it is successful.

Even if you install the SB Agent, you will get issues: you will have both the GW and the Endpoint fighting to get the same file for SandBlast analysis.

We opened a TAC case and got the same result, "works as expected!". Then we opened another case in order to adjust the policy, but since then nothing has happened. What we have managed to do is to create a policy for computers without the Agent to have the GW inspect the file, and another policy for computers with the Agent to have the GW not inspect the file. It is working, but you need to have a way to know which computers have the agent and which do not...

Thanks,

Charris Lappas

Evgeniy_Olkov
Collaborator

Have the same issue. 

Thomas_Werner
Employee Alumnus

Hi Charris,

Charris Lappas wrote:

This is a well-known issue. In short, the GW intercepts the file and sends it for emulation. The endpoint client that is downloading the file believes there is a problem with the download and fails. After a couple of tries it is successful.

Even if you install the SB Agent, you will get issues: you will have both the GW and the Endpoint fighting to get the same file for SandBlast analysis.

They do not fight for the analysis, as processing is done sequentially because the file hits the GW first.

We opened a TAC case and got the same result, "works as expected!". Then we opened another case in order to adjust the policy, but since then nothing has happened. What we have managed to do is to create a policy for computers without the Agent to have the GW inspect the file, and another policy for computers with the Agent to have the GW not inspect the file. It is working, but you need to have a way to know which computers have the agent and which do not...

Assuming your GW is in TE background mode, it will not interfere with SBA as long as the file is not malicious.

That said, if you want to implement hold mode with TE for HTTP/S you must segregate the users in policies (background and hold mode can be set per TP profile), as you described.

BTW Threat Extraction will not be a problem when we get TX inline in HTTP/S with R88.30 🙂

Regards Thomas
