Is it mandatory to configure the gateway as an MTA for Threat Extraction to work? Also, do we have to change the MX record?
Yes, the Gateway must be set up as an MTA so it can see & control the delivery of all mail as it gets scanned.
Depending on how you have your email delivery configured, you may not have to change MX records. For example, you could leave your existing Internet-facing MTA where it is and insert your Threat Extraction Gateway in-between the public MTA and your Internal mail server. If you did it this way, you'd only have to change where the public MTA forwards mail inside and make sure your e-mail server is configured to accept mail from the Check Point Gateway.
Thanks Daniel.
I have an MTA in a DMZ segment connected to Check Point.
I have not changed the MX record to Check Point.
The challenge with my deployment was that I was not getting any traffic hitting the Threat Extraction blade in the logs.
If you already have a separate MTA in a DMZ, I would send the SMTP traffic from that MTA to the Check Point and then have the Check Point Gateway relay it back inside to your mail server. The other benefit of this method is that you won't have to mess with moving any certificates you may have in place on your current MTA for TLS. You also don't have to wait for Internet DNS to propagate when you change MX records. The fallback procedure is a lot cleaner if you need to revert to your old design.
The above is correct, just make sure the allowed email size is larger on the CP MTA compared to the front and back mail servers.
For emails from your internal network to the Internet, there is no real point in having your mail server point to your CP MTA (except if you want to scan your files). This will give additional load to your TE as well.
If you want to change back, the only change is for your front MTA to point to the back email server (bypassing your CP FW).
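
A way to confirm the mail path discussed in this thread, as an added example that is not part of any post above: the Python sketch reads the `Received` headers of a delivered message and checks that it went from the front MTA to the Check Point gateway and then to the internal server. All hostnames and both sample messages are constructed placeholders, and it assumes every hop, including the gateway's MTA, stamps a `Received` header.

```python
import re
from email import message_from_string

# Constructed samples: hostnames and addresses are placeholders, not from the thread.
SAMPLE = """\
Received: from cp-gw.example.internal (cp-gw.example.internal [10.0.0.2])
\tby mail.example.internal with ESMTP id 3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from front-mta.example.net (front-mta.example.net [192.0.2.10])
\tby cp-gw.example.internal with ESMTP id 2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender.example.org (sender.example.org [198.51.100.7])
\tby front-mta.example.net with ESMTP id 1; Mon, 1 Jan 2024 10:00:01 +0000
From: a@example.org
Subject: routed through the gateway

body
"""

# Same message, but the front MTA delivered straight to the internal server.
BYPASS = """\
Received: from front-mta.example.net (front-mta.example.net [192.0.2.10])
\tby mail.example.internal with ESMTP id 2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender.example.org (sender.example.org [198.51.100.7])
\tby front-mta.example.net with ESMTP id 1; Mon, 1 Jan 2024 10:00:01 +0000
From: a@example.org
Subject: gateway bypassed

body
"""

def hops(raw):
    """Return (from_host, by_host) pairs, oldest hop first."""
    chain = []
    # Each MTA prepends its header, so the list is newest-first; reverse it.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        src = re.match(r"from\s+([\w.\-]+)", flat, re.I)
        dst = re.search(r"\bby\s+([\w.\-]+)", flat, re.I)
        chain.append((src.group(1).lower() if src else None,
                      dst.group(1).lower() if dst else None))
    return chain

def traversed_gateway(raw, front, gateway, internal):
    """True only if the message went front -> gateway -> internal, in that order."""
    chain = hops(raw)
    try:
        return chain.index((front, gateway)) < chain.index((gateway, internal))
    except ValueError:  # one of the two expected hops is missing
        return False
```

Only the hops stamped by your own servers are trustworthy; anything below the front MTA's header is supplied by the sender.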