This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Charris_Lappas
Collaborator
‎2018-06-25 11:56 AM

What is the best practices policy for Threat Prevention?

What is the best practices policy for Threat Prevention when you have Threat Prevention policies on the network level as well as you have Endpoint Threat Prevention. To add to the equation on some Endpoints the SBA is installed and on some others is not installed. 

It is noticed the following behaviour:

a) Threat prevention actions are done twice or more for the same files

b) Network Threat Prevention and SBA are fighting for the same file (End users experience failed download attempts)

c) Files are not inspected

Based on the above scenarios can you suggest a best practice configuration when you have Network Threat Prevention, SBA on some devices and devices with no SBA.

Thanks,

Charris Lappas

3 Replies
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-06-26 04:41 AM

Hi Charris,

So ususally you would have Threat Prevention enabled on the network also in case you cannot distinguish between SBA installed clients and non-SBA installed.


Depending on the architecture it will not lead to double emulation if the network gateway and SBA share the same emulation location (because of the cache of the emulator). Also Threat Extraction will not be done twice because an already extracted file does not have an active content anymore to be extracted again (for this to be 100% true the TX settings for network and SBA should match). There should also be no "fighting" between network gateway and SBA for files because the processing is sequential.

If you have unexpected behaviors like the one you describe please open a case at our support.

Regards Thomas

0 Kudos
Charris_Lappas
Collaborator
‎2018-06-26 07:07 AM
In response to Thomas_Werner

Hi Thomas,

Thanks for replying, you are absolutely right it should not be happening the above, but it is! That is why I'm looking for some configuration examples.

Thanks,

Charris

0 Kudos
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-06-26 07:40 AM
In response to Charris_Lappas

Hi Charris,

the expected configuration in this case is doing TE/TX on both layers (gw and endpoint).

You could test SBA´s behavior when setting TE on the GW in background mode just for troubleshooting purpose.

But as I said I would open a case at support to have them look into it.

Regards Thomas

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events