Re: TE2000 private cloud

Daniel_Kavan

Hi mates,

I'm trying to set up a gateway for local sandboxing. I'm looking for helpful sk links. So, far I haven't found anything helpful to ensure I have this gateway running as a local private cloud and NOT checking in with threatcloud. The following sks are just dealing with performance.

sk93000 SMT

sk107333 Support for CPU Level sandboxing

Daniel_Kavan

I'm getting access denied on some of these. about:blank#blocked

- sandblast poc [guide] [ link removed by admin ]
- checkmates Best Practices for Threat Prevention API Calls to [Appliance]https://community.checkpoint.com/t5/Security-Gateways/Best-Practices-for-Threat-Prevention-API-Calls...
- shows curl **request to the sandblast appliance**:18194 !!
- https://<appliance IP address>:18194/tecloud/api/v1/…
- sequence
- query
- hash found or not found
- individual and combined results
- can specify specific image(s)
- upload
- hash, file, content, timeout may be specified
- query for status
- benign or malicious for each image specified
- download
- base64 encoded .gz file
- base64 decode to tar.gz, unzip and untar to html report
- Threat Emulation Appliances: TE100X, TE250X, TE1000X, TE2000X ([SandBlast]https://support.checkpoint.com/results/sk/sk106210
- multiple links at bottom
- Threat Emulation Sizing Mode: how to measure the required inspections of an [organization](https://support.checkpoint.com/results/sk/sk93598)
- Check Point TE100X and TE250X Appliances Getting Started [Guide](https://sc1.checkpoint.com/documents/TE100X_250X_GSG/html_frameset.htm)
- Intel Virtualization Technology (VT) support compliance on Check Point [appliances](https://support.checkpoint.com/results/sk/sk92374)
- Threat Prevention API for Security [Gateway](https://support.checkpoint.com/results/sk/sk137032)
- POST request to the following URL: https://**<GW_IP>**/UserCheck/TPAPI
- Threat Prevention API Reference [Guide](https://sc1.checkpoint.com/documents/TPAPI/CP_1.0_ThreatPreventionAPI_APIRefGuide/html_frameset.htm)
- New Threat Emulation [reports](https://support.checkpoint.com/results/sk/sk120357)
- general status, advanced forensics chart and table, emulation
- github appliance_[tpapi](https://github.com/CheckPointSW/appliance_tpapi/tree/master/tp_api)
- swaggerhub appliance-tp-direct-[api](https://app.swaggerhub.com/apis/Check-Point/appliance-tp-direct-api/1)
- sandblast appliances data [sheet](https://www.checkpoint.com/downloads/products/ds-sandblast-te100x-250x-te1000x-te2000x-appliances.pd...) (2020)

Chris_Atkinson

Refer also: R81.20 TP Admin Guide https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

CCSM R77/R80/ELITE

Daniel_Kavan

https://support.checkpoint.com/results/sk/sk149692 Private Threat cloud
Per sk149692 we need an eval license, also, this documentation is for R81.10 - but it looks like a dedicated manager is needed.
CPSB-PTC-3005-SOC-EVAL (unlimited, can only be obtained through an internal order)

Daniel_Kavan

sk14692 indicates R81.20 is not supported.

It looks like a dedicated manager is needed for the TE appliance (private cloud) Can anyone confirm that? Is it supported to run a dedicated manager on the TE appliance rather than a separate manager? Is R81.20 or will R82 be supported on the TE appliance?

Chris_Atkinson

PTC is a different use case to a TE appliance used for (remote/inline) emulation on-prem.

The TE ATRG and TP Admin Guide should be sufficient for most scenarios.

CCSM R77/R80/ELITE

PhoneBoy

Just to be clear what we're discussing:

On-premise Threat Emulation can be done with a Threat Emulation appliance (TE2000, for example)
Not using ThreatCloud for other Threat Prevention functions requires Private ThreatCloud, which is only supported on specific Smart-1 appliances using a specific software image that will host the ThreatCloud data for your gateways.

Hope that clears things up.

Daniel_Kavan

Correct, I'm POC'ing a 2000XN. I'm not using a dedicated manager but my central manager. This will just be used for API call to it from one linux server. I don't want the other gateways communicating with it (although they can all see it). I don't want any files going to threatcloud, just staying local. Right now I'm trying to 1. confirm a file can be sandblasted and 2. confirm the blaster has all the latest definitions it needs. I believe this is a local not remote configuration. While the public cloud documentation says a dedicated manager is needed, maybe it's not for a local TE appliance.

the_rock

Thats right, its not needed for local TE appliance.

Andy

Chris_Atkinson

Simply put PTC isn't necessary unless the TE itself has no ability to download updates from the internet and you need that repository also to be local.

CCSM R77/R80/ELITE

Daniel_Kavan

Today, I'm looking for commands to ensure the TE2000 :

1. has all the updates & signatures it needs to do its job

2. is NOT sending files to the public threat cloud

3. can successfully scan a file locally

4. has a way for local users to send a file to it for scanning (I know it will thru api) wondering if there is aslo an easy thru a website or URL.

PhoneBoy

1. https://support.checkpoint.com/results/sk/sk95235

2. A TE appliance won't send files to the cloud, only an appropriately configured security gateway will.

3. Via the CLI: te_add_file https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/...

4. Not that I'm aware of.

Are you a member of CheckMates?

TE2000 private cloud