TE on gateway sandblast in local mode
Hi,
Rather than buying a dedicated on-prem appliance for SandBlast, we're considering buying the overall TE package so it runs on ALL or a subset of our gateways. Is there a way to get the code under our control? IOW, is there a way to turn OFF SandBlast from sending data to the cloud and checking it locally? Is there a way for it only to scan/check/sandblast files that WE send it with an API call? IOW, can we purchase the TE package for all our gateways and use it in a very controlled, limited way? For one, we want to turn it OFF from the cloud and run it on our own gateway locally. 2. We want to ensure that all files aren't running thru it so we don't get overwhelmed with CPU performance; we want to ensure it's turned OFF from the gw using it for files in general. We just want to use it in a VERY controlled way, by sending ONE request at a time thru an API call to check/scan/sandblast/sandbox one file as we call it, and we'd want each gw to use it locally, not sending files thru the cloud.
Labels: Threat Emulation, Threat Extraction
Accepted Solutions
If you want to do threat emulation on prem, you need to purchase one or more Threat Emulation appliances.
These are specific appliances dedicated to Threat Emulation functions different from your existing gateways.
Your other Check Point gateways can use these local appliances for emulation instead of the cloud.
You can also submit requests to the Threat Emulation appliances via REST API.
Use an on-prem appliance for SandBlast and all that you want is possible!
There are two relevant solutions worth discussing further with your local SE.
1. Dedicated TE appliances
2. Private Threat Cloud
If it's possible to discuss the differences here between a dedicated TE appliance and Private Threat Cloud, that would be helpful. Private Threat Cloud looks like it runs on a dedicated manager. And the TE appliance is a gw.
TE appliance is configured like a GW, but can be used with one active leg in the internal network only to test files using api commands instead of TE blade.
They each address a different part of your requirement but potentially are leveraged together depending on the scale and complexity of the environment.
In general remote / dedicated TE appliances are probably the correct fit since you cannot run TE locally on the gateway itself in the manner described. sk140212 & sk114806 discuss deployment options & license considerations.
It does seem to be supported to just buy the TE blade for a current gw, run it in local mode, and hit it with api calls. Per sk114806
Security Gateway in Gateway mode
Where does it say that this doesn't involve a cloud element?