- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hi,
Rather than buying a dedicated on prem appliance for sandblast, we're considering buying the overall TE package so it runs on ALL or a subset of our gateways. Is there a way to get the code under our control? IOW, Is there a way to turn OFF sandblast from sending data to the cloud and checking it locally? Is there a way for it only to scan/check/sandblast files that WE send it with an api call. IOW, can we purcahse the TE package for all our gateways and use it in a very controlled limited way? For one, we want to turn it OFF from the cloud and run it on our own gateway locally. 2. we want to ensure that all files aren't running thru it so we don't get overwhelmed with CPU performance we want to ensure its turned OFF from the gw using it for files in general. We just want to use it in a VERY controlled way, by sending ONE request at a time thru an api call to check/scan/sandblast/sandbox one file as we call it and we'd want each gw to use it locally not sending file thru the cloud.
TE appliance is configured like a GW, but can be used with one active leg in the internal network only to test files using api commands instead of TE blade.
If you want to do threat emulation on prem, you need to purchase one or more Threat Emulation appliances.
These are specific appliances dedicated to Threat Emulation functions different from your existing gateways.
Your other Check Point gateways can use these local appliances for emulation instead of the cloud.
You can also submit requests to the Threat Emulation appliances via REST API.
Use on prem appliance for sandblast and all is possible that you want!
There are two relevant solutions worth discussing further with your local SE.
1. Dedicated TE appliances
2. Private Threat Cloud
If it's possible to discuss the differences here, between a dedicated TE appliance and private threat cloud that would be helpful. Private threat cloud looks like it runs on a dedicated manager. And the TE appliance is a gw.
TE appliance is configured like a GW, but can be used with one active leg in the internal network only to test files using api commands instead of TE blade.
The each addresses a different part of your requirement but potentially are leveraged together depending on the scale and complexity of the environment.
In general remote / dedicated TE appliances are probably the correct fit since you cannot run TE locally on the gateway itself in the manner described. sk140212 & sk114806 discuss deployment options & license considerations.
It does seem to be supported to just buy the TE blade for a current gw, run it in local mode, and hit it with api calls. Per sk114806
| Security Gateway in Gateway mode | 
 | 
Where does it say that this doesn't involve a cloud element?
TP uses Cloud information always - before anything is emulated anywhere, a hash is sent to CP ThreathCloud. After local emulaion i bet that its results get reported to the Clound, too. Private threat cloud is just a local TE appliance running on GW HW.
If you want to do threat emulation on prem, you need to purchase one or more Threat Emulation appliances.
These are specific appliances dedicated to Threat Emulation functions different from your existing gateways.
Your other Check Point gateways can use these local appliances for emulation instead of the cloud.
You can also submit requests to the Threat Emulation appliances via REST API.
Hi, Dameon. This is indeed very unclear - if i see this section here https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...
there are clearly 2 cases, one saying "If the file is not in the database, the virtual computers in the Security Gateway run full emulation on the file." which can not be misunderstood because further on there is another example with a dedicated TE Sunblast appliance. So please do me a favor and confirm once again to me the following: 1. is it possible to run TE locally on the gateway without on-prem TE und without ThreatCloud? if not - what are the options in terms of maximizing local cache on each single Gateway (Not TE) so that they are not 100% dependent on TE availability. Thanks a lot in advance!
I don’t find this citation in the documentation.
As stated previously, local Threat Emulation requires specific, on-premise Threat Emulation appliances.
I presume the “cache” mentioned is a kernel table, but do not know this for sure.
Suggest a TAC case. 
Hi, Dameon, please search under that section over the link that i posted. There are actually 2 very misleading diagrams that cause the confusion - at least on my side.
You can install a Threat Emulation appliance in the internal network.
I can see it now…and I can see how you come to that conclusion.
These sections likely need revision and should be reported via the feedback link in the doc.
Never do localn TE on the GW itself ! Dedicated TE appliance is the way to go for you here. It allows all you want to do.
HI, but if we decide to go with ThreatCloud - there is no need for TE Appliance, right? Is there any way to understand how much of external traffic ThreatCloud is causing and how much the impact on the gateway itest causes the "emulation" or the database of it? How can we test ThreatEmulation on-premise without getting TE Appliance? Thanks for any additional information.
- to test TE i suggest a Threathcloud free license
- TE impact to the GW depends of GW ressources, GW load and TE configuration
- ThreathCloud traffic is not causing much GW load, and only at tims needed for TP
A Threat Emulation appliance is only needed if you intend to do Threat Emulation on-site (and not via ThreatCloud).
Unfortunately, you cannot test on-premise Threat Emulation without a Threat Emulation appliance.
The impact to the local gateway with ThreatCloud emulation is minimal.
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 1 | |
| 1 | |
| 1 | 
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 11:00 AM (EDT)
Tips and Tricks 2025 #15: Become a Threat Exposure Management Power User!About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY