This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Legend Legend
Legend
‎2022-06-05 01:46 PM

Autonomous Threat Prevention Customer Feedback?

Autonomous Threat Prevention was introduced in version R81 and initially named "Infinity Threat Prevention" in that version.  This feature promises to automate the care and feeding of the various Threat Prevention blades with Check Point Best Practices.

For sites that have this enabled, how has it been going?  Any hiccups when it was first enabled?  Any ongoing issues or limitations?  Any tips and tricks based on your experience that you'd like to share with the community?

I haven't really seen this feature enabled anywhere yet (it is always disabled by default) and am curious what kinds of experiences customers have been having with it, as it seems very promising at the conceptual level.  Thanks!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
5 Replies
Alex-
Leader Leader
Leader
‎2022-06-06 04:07 AM

Some customers gave it a try and here are the immediate limitations found. Mostly from R81 installations so things may have changed in R81.10.

-TEX: UserCheck page cannot be changed from default to a customized one when clicking on the link in the PDF. TAC provided me a custom way of doing this but it involved manipulating files on the gateway.

-Logs: the window gives you an overview of how many files were scanned, blocked and the like. You don't have the inline logs like when clicking on a profile rule and searching from what you want, you need to switch to SmartLog.

- You can't seem to change Detect to Inactive to reduce system load. Actually, as the name "Autonomous" from the solution implies, you can't seem to change activation triggers at all, leaving out in the cold those who love to optimize every bit of their systems.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-06-06 03:42 PM
In response to Alex-

Nice list, thanks.  A few others I ran into:

1) Related to your comment about not being to set Inactive, with Autonomous Threat Prevention Management (ATPM) it is not possible to do a "null" TP profile to completely exclude certain traffic from TP inspection and improve performance.  Setting a global exception to Inactive does NOT do the same thing.  Would be nice if there was another option called "Bypass" along with Prevent/Detect/Inactive that could be invoked in a global exception to achieve the same effect of a TP null profile when ATPM is enabled.

2) This is a big one: When ATPM is enabled only pre-existing GLOBAL exceptions remain in effect, and the documentation is very clear going forward that global exceptions will need to be added to work with ATPM.  What they left out is that any existing rule-based exceptions will suddenly stop working when ATPM is enabled.  At most customer sites I've seen, the bulk of exceptions are rule-based because that is how they are created when an administrator clicks "Add Exception" from the log card when looking at a false positive log.  This effect will cause major havoc to ensue at most sites when ATPM is first enabled and all those rule-based exceptions abruptly stop working.  There really should be a recommendation to convert all your rule-based exceptions to global ones before enabling ATPM, perhaps even a warning popup that appears in the SmartConsole when first enabling ATPM if any rule-based exceptions exist warning you to convert them to global ones first if you still need them.

3) All gateways utilizing a single policy package must use the same autonomous profile; there is no way to set different autonomous profiles on separate gateways/clusters using the same policy package.  Not a big deal as most sites seem to use one policy package per gateway or cluster, but could be an issue at sites with consolidated policies for multiple gateways.

4) If your gateway is acting as an MTA, you can't use ATPM.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend
‎2022-06-06 06:34 AM

Im being 100% honest, my experience with it is nothing short of abysmal. I tested it in 3 labs and not only was performance bad, most of the time I could not even push the policy, so I dont recommend it to anyone until its proven it has been fixed. 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-06-06 07:25 AM
In response to the_rock

Thanks for the feedback, did you run into that behavior prior to Update 11 (03 May 2021)?  The memory consumed by ATPM got optimized with that update going forward to help avoid running the gateway out of memory, which sounds like what happened to you.  sk167109: Autonomous Threat Prevention Management integration Release Updates

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
the_rock
Legend
Legend
‎2022-06-06 07:56 AM
In response to Timothy_Hall

As a matter of fact, I tested it this morning and it was EXACT same issue with latest R81.10 jumbo 55 and 61.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events