Threat Prevention policy configuration when HTTP e...

Chinmaya_Naik · ‎2019-09-23

Hi Team,

Pls help me for the configuration.

As per the Diagram, we have Gateway with TE Appliance.

So basically we are using TE appliance only for emulation, not for extraction, ThreatExtraction happening on Gateway.

So for any file we are download from the Internet then first come to the gateway then gateway sends that file to TE for emulation then TE gives the verdict to Gateway then gateway sends the file to the end-user base on the policy. Correct me I am wrong.

I need a clear idea about configuration and working.

Is this required to set Threat Prevention policy as Detect mode in TE Policy Package 2 ?

If I enable Threat Extraction on TE policy package 2 then?

@Chinmaya_Naik

FedericoMeiners · ‎2019-09-23

@Chinmaya_Naik

Your diagram and notes seem correct. I would recommend to set the policy on detect the first few days so you can see how it works.

Another important part is to decide the file extensions that you will be checking and if you want to go with a fail open or fail close policy for your emulations.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/

Chinmaya_Naik · ‎2019-09-25

Hi @FedericoMeiners

Thanks for the quick response.

I need to understand which one is the best practise to "set TE policy package threat prevention profile mode as DETECT or Prevent".

I also need to understand, as per my current scenario If am enable the Threat Extraction on TE policy package threat prevention profile then?

Regards

@Chinmaya_Naik

G_W_Albrecht · ‎2019-09-26

I must confess that your diagram confuses me ! I have a similar (LAB) configuration with a single GW instead of a cluster and a local TE appliance. But i have configured it differently:

- My TE has only FW and TE blades enabled - i see no point in enabling ABot and AV in both GW and TE. As the GW AV will check the hash before sending to TE, AV on TE seems useless.

- TE does three passes for a verdict and the sums it up. There is no confidence level involved here, as the GW will send according to File Type and size only to TE and TX

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Chinmaya_Naik · ‎2019-09-26

Hi @G_W_Albrecht

Thanks for the update. I updated my diagram.

So basically you mean to say that, there not required to create a separate policy package for TE appliance.

So when I will install the Threat prevention policy on standard policy package then it needs to select the TE object as well? ,

Correct me If I am wrong.

Regards

Chinmaya_Naik

G_W_Albrecht · ‎2019-09-26

No - i have a separate TP policy for GWs (with enabled AV, ABOT, IPS and TE on remote appliance) and for TE (only TE enabled with local emulation).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2019-09-26

What is important for your configuration:

Cluster

Threat Emulation local cache is not synchronized.

See sk114806: ATRG: Threat Emulation and sk102309 - Threat Emulation support for Multiple Private Cloud Appliances.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Chinmaya_Naik · ‎2019-09-26

Hi @G_W_Albrecht

Thanks for the update.

Find the below screenshot.

As last screenshot , this is what I need to know that what I need to set on Activation Mode.

Still, I am not face any issue, I need to understand the proper configuration because I see some different configuration on two different places but still both are working.

Thank You

Chinmaya Naik

Chinmaya_Naik · ‎2020-10-20

Hi Team,

Pls give me a clarification on this.

Thanks and Regards

@Chinmaya_Naik

Are you a member of CheckMates?

Threat Prevention policy configuration when HTTP emulation on Private Cloud Appliance