This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2019-09-23 09:05 AM

Threat Prevention policy configuration when HTTP emulation on Private Cloud Appliance

TE - Copy - Copy.png

 

Hi Team,

Pls help me for the configuration.

As per the Diagram, we have Gateway with TE Appliance.

So basically we are using TE appliance only for emulation, not for extraction, ThreatExtraction happening on Gateway.

So for any file we are download from the Internet then first come to the gateway then gateway sends that file to TE for emulation then TE gives the verdict to Gateway then gateway sends the file to the end-user base on the policy. Correct me I am wrong.

I need a clear idea about configuration and working.

Is this required to set Threat Prevention policy  as Detect mode in TE Policy Package 2 ?

If I enable Threat Extraction on TE policy package 2 then?

@Chinmaya_Naik 

 

 

0 Kudos
8 Replies
FedericoMeiners
Advisor
‎2019-09-23 09:13 AM

@Chinmaya_Naik 

Your diagram and notes seem correct. I would recommend to set the policy on detect the first few days so you can see how it works.

Another important part is to decide the file extensions that you will be checking and if you want to go with a fail open or fail close policy for your emulations.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Chinmaya_Naik
Advisor
‎2019-09-25 11:13 PM
In response to FedericoMeiners

Hi @FedericoMeiners 

Thanks for the quick response.

I need to understand which one is the best practise to  "set TE policy package threat prevention profile mode as DETECT or Prevent".

I also need to understand, as per my current scenario If  am enable the Threat Extraction on TE policy package threat prevention profile then?

 

Regards

@Chinmaya_Naik 

 

 

 

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-09-26 12:08 AM

I must confess that your diagram confuses me ! I have a similar (LAB) configuration with a single GW instead of a cluster and a local TE appliance. But i have configured it differently:

- My TE has only FW and TE blades enabled - i see no point in enabling ABot and AV in both GW and TE. As the GW AV will check the hash before sending to TE, AV on TE seems useless.

- TE does three passes for a verdict and the sums it up. There is no confidence level involved here, as the GW will send according to File Type and size only to TE and TX

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chinmaya_Naik
Advisor
‎2019-09-26 01:31 AM
In response to G_W_Albrecht

Hi @G_W_Albrecht 

Thanks for the update. I updated my diagram.

So basically you mean to say that, there not required to create a separate policy package for TE appliance.

So when I will install the Threat prevention policy on standard policy package then it needs to select the TE object as well? ,

Correct me If I am wrong.

Regards

Chinmaya_Naik

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-09-26 01:48 AM
In response to Chinmaya_Naik

Bildschirmfoto 2019-09-26 um 10.52.17.pngNo - i have a separate TP policy for GWs (with enabled AV, ABOT, IPS and TE on remote appliance) and for TE (only TE enabled with local emulation).

 

 

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-09-26 03:43 AM
In response to G_W_Albrecht

What is important for your configuration: 

Cluster
  • Threat Emulation local cache is not synchronized.

 

See sk114806: ATRG: Threat Emulation and sk102309 - Threat Emulation support for Multiple Private Cloud Appliances.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chinmaya_Naik
Advisor
‎2019-09-26 03:55 AM
In response to G_W_Albrecht

Hi @G_W_Albrecht 

Thanks for the update.

Find the below screenshot.

TE1.png

TE2.png

TE3.png

TE4.png

 

As last screenshot ,  this is what I need to know that what I need to set on Activation Mode.

Still, I am not face any issue, I need to understand the proper configuration because I see some different configuration on two different places but still both are working.

Thank You 

Chinmaya Naik

0 Kudos
Chinmaya_Naik
Advisor
‎2020-10-20 09:53 AM
In response to Chinmaya_Naik

Hi Team,

Pls give me a clarification on this.

Thanks and Regards

@Chinmaya_Naik 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events