Next set of questions:
9. We currently have automatic email alerts set up to alert us whenever a critical alert is generated by threat emulation. The email always states that threat emulation detected a malicious file, even when the file is prevented. How can we fix this so that the email alert shows the file was prevented? - I would suggest opening a ticket with Check Point TAC; however, if I had to guess, I think you're running into the issue described in SK 115252 Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extracti... The recommended fix for this issue is to upgrade to R80.10.
10. Are there any default protections that should be turned on in Prevent mode? - My personal opinion is that nothing should be turned on in prevent mode until it's been validated that it's not going to cause a disruption in the environment. This means that if you aren't currently running AV, AB, IPS, TE, TX, your first step should be activating those blades in detection first. Validate through your logs that they're not falsely flagging any business or mission critical processes, and then switch the protection over from detect to prevent. After that, I would use AV, AB, and TE in prevent, and I would continue tuning my IPS to a combination of prevent and detect signatures, based on confidence and based on what your logs are telling you.
11. How does the growth of SSL affect the ability to run threat? - If you're not inspecting encrypted traffic then you're missing threats in your environment. You can use Check Point HTTPS inspection (or MTA mode for mail), or you can use a third party SSL/TLS interception device, like an A10 or F5 (usually advantageous if you have more than one device/appliance/service that requires visibility into encrypted traffic). One way to get around needing to inspect encrypted traffic on the wire would be to run something like Sandblast Agent on your endpoints, which will intercept files downloaded via the web and send the files for emulation.
12. How is threat extraction used for attachments in email, and does it emulate the file in a Linux environment or not? - If you have MTA mode enabled on either your Check Point gateway or on a Sandblast Appliance, then we can perform Threat Extraction on email. We will swap the original attachment with a cleaned version of the attachment, and include a header on the email indicating that the file was cleaned by Check Point and that the original file (if benign) is available by clicking an embedded hyperlink in the email. It looks like this:
13. Hi - where can I get a real-world indicator file? - Indicator files are something that you need to create; you can find the instructions on how to make them in the Threat Prevention Admin guide. Threat Prevention R80.10 Administration Guide
14. What is the privacy impact for those files sent to the cloud sandbox, especially in some environments that have HIPAA and PCI compliance? - Check Point doesn't store any files in our cloud sandbox; all we store are the hashes and the verdicts. When files are transmitted to our cloud, they're sent over an encrypted connection between the gw (or client if SBA) and our cloud; then the file is detonated in a virtual environment, and after detonation the file and the environment are destroyed. Check Point can also provide you with a cloud security document that goes into more detail around how we handle and treat files in the cloud. With that being said, if privacy is an issue preventing you from using the service, we also have a range of appliances that can provide the same functionality on premises instead of using the cloud service. https://www.checkpoint.com/downloads/product-related/ds-sandblast-appliances.pdf
15. If you have Threat Prevention running as per the demo, are you able to exclude (certain) VPN Community traffic from being checked? - Yes, you define what is being inspected in your protected scope; you can exclude traffic coming from sources you don't want to inspect (like VPN).
16. What is the scope of collaboration between threat emulation on a GW level and on the Endpoint level? - If files are being inspected in the same location (for example both in the cloud, or both on a Sandblast Appliance) then they will have a common set of threat indicators, and it will speed up the verdict of files seen by both the GWs and the clients. You can also send the logs from both to the same location to provide you with a centralized view of all your threat events.
17. 2fa for usercenter ;p? - Log into usercenter, click on "My Profile", and enable it on your account.
18. Threat Emulation - when you check mark Hold mode, does it impact performance? - There isn't an impact to the Gateway or Sandblast appliance, but there will be an impact to the user. They won't have access to the file until it has completed emulation.
19. I saw there were SBA views/reports in the demo SmartEvent environment. We have SBA, but I don't see those views in my SmartEvent. Is there something else I need to add/enable to see them? - We've created some new views/reports for SBA. You can download the templates from this SK article: How to support SandBlast Agent in R80.10 SmartEvent
20. Not sure if this was seen in the field much, but we had to change the policy often to warn the user but allow them to go through to the site, as some sites were falsely detected as phishing. Is there a way to advise of false positives, or is it just the "send a report and continue"? - I would click the "send a report" link, or open a ticket.
21. What performance impact does threat emulation have on SecureXL? - Traffic that matches any SecureXL templates will still be accelerated, but HTTP traffic (which is what you'll be inspecting with threat emulation) will not be accelerated, since it needs to go through Active Streaming (CPAS). ATRG: SecureXL
22. What happens if we have SAML authentication and the same password is used at different logins? - If they're typing their password in on a site that requires it, you can just add the site to your list of protected domains in Zero Phishing configuration.
23. What about the indicator file and facebook.com? - I just created that as an example; you can put a variety of indicators in the indicator file (domains, IPs, hash values, etc.). When a user attempts to access a resource that matches an indicator, you can prevent or detect and log the incident.
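As an added example (not code from the webinar or from Check Point), here is a small validator for the indicator CSV that questions 13 and 23 refer to, run over a constructed sample file. The column order UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT, the '#' comment convention and the allowed values are assumptions taken from the Threat Prevention Administration Guide's file format, so verify them against the guide for your release before relying on the checks.

```python
import csv, io, re
from ipaddress import ip_address

# Assumed column order (verify against the Threat Prevention Admin Guide for your release);
# lines starting with '#' are comments.
COLUMNS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
ALLOWED = {"TYPE": {"Domain", "IP", "URL", "MD5"},
           "CONFIDENCE": {"low", "medium", "high"},
           "SEVERITY": {"low", "medium", "high", "critical"},
           "PRODUCT": {"AV", "AB"}}
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
def is_ip(v):
    try:
        return ip_address(v) is not None
    except ValueError:
        return False
# One checker per TYPE: a malformed VALUE would silently match nothing on the gateway.
VALUE_OK = {"Domain": lambda v: bool(DOMAIN_RE.match(v)),
            "IP": is_ip,
            "URL": lambda v: v.startswith(("http://", "https://")) and len(v) > 8,
            "MD5": lambda v: bool(MD5_RE.match(v))}

def validate_indicator_file(text):
    """Return (rows, errors): accepted indicators as dicts, errors as (line, message)."""
    rows, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line, comment, or the '#'-prefixed header row
        if len(row) != len(COLUMNS):
            errors.append((lineno, f"expected {len(COLUMNS)} columns, got {len(row)}"))
            continue
        rec = dict(zip(COLUMNS, (c.strip() for c in row)))
        bad = [f"{k}={rec[k]!r}" for k in ALLOWED if rec[k] not in ALLOWED[k]]
        if rec["UNIQ-NAME"] in seen:
            bad.append(f"duplicate UNIQ-NAME {rec['UNIQ-NAME']!r}")
        if rec["TYPE"] in VALUE_OK and not VALUE_OK[rec["TYPE"]](rec["VALUE"]):
            bad.append(f"VALUE {rec['VALUE']!r} is not a valid {rec['TYPE']}")
        if bad:
            errors.append((lineno, "; ".join(bad)))
        else:
            seen.add(rec["UNIQ-NAME"])
            rows.append(rec)
    return rows, errors

# Constructed sample: two good rows, then one row that is wrong in three ways at once.
SAMPLE = """#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
blockfb,facebook.com,Domain,high,medium,AB,example domain from the webinar
emptyfile,d41d8cd98f00b204e9800998ecf8427e,MD5,high,critical,AV,MD5 of zero-byte input
blockfb,10.0.0.999,IP,High,low,AB,duplicate name + wrong case + unparseable IP
"""
```

Running `validate_indicator_file(SAMPLE)` accepts the first two rows and reports line 4 with all three problems in one message, so a file can be checked before it is uploaded rather than discovering a silent non-match in the logs.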
24. If I enable URL filtering and block the category, it should be blocking the webpage in the first place. Any other benefit of using Sandblast? - URL filtering is great at blocking known threats; Sandblast is there to block the unknown, the stuff that hasn't been seen before.
25. Do you have any information regarding monitoring the performance of the cloud emulation pods? - At the moment we don't have a way for customers to monitor the emulation pods; this is something that Check Point monitors internally. If you are using Sandblast Appliances, you can monitor the performance of the appliance with SmartView Monitor, CPVIEW, and the tecli command.
26. When will the HTTPS inspection policy console be included in the R80.10 SMS? - It's been included since R80.0. You can access the HTTPS inspection policy under the shared policies section in the security policies tab.
27. And sorry, when will the Endpoint console be included too? - Endpoint is included now; however, it doesn't support Sandblast Agent yet. The current plan is to unify Endpoint management and R80 in the next release (R80.20).
28. Is it possible to use threat prevention on a system that only has an active IPS subscription, or is an additional subscription required? - You require an NGTX subscription to use Threat Emulation/Threat Extraction.
29. Can you state whether scanning the body of emails works, and if there are any recommendations on this? - I assume you're asking about scanning the body of emails for malicious links? We can scan the body of emails for links to malicious files now. I would recommend also enabling AV, AB, and IPS protections, which should detect and prevent any attacks that may result from a user clicking a link and getting directed to a malicious site. Sandblast won't scan or test the website itself (for phishing or browser exploits); it only looks at files, which is why you need to activate all the protections to provide you with complete security.
30. What is the expected performance hit if we enable ALL IPS settings? 20%? 50%? Is there a hardware limitation that impacts this the most? CPU, memory? - There are a lot of factors here that can make an impact on performance. The best way to determine the expected performance hit for your environment and your appliances is to use the Performance Sizing Utility. The Check Point Performance Sizing Utility
Thanks again everyone for attending and thanks for all your questions!