Pedro_Madeira
Collaborator

Threat Prevention API on SandBlast Appliances

Hello,

I would appreciate if the community could comment or correct me in the following environment I'm about to set up.

I'm currently going through the instructions to set up a Threat Prevention API on SandBlast Appliances environment.

The environment will consist of:

1 API client (mail protection system acting as an MTA and API client)

1 Load Balancer

1 Security Management

2 x TE2000XN

I gathered all available information to me from Check Point's sources and this is my understanding how I should proceed with this setup:

1) Stage the TE2000XN appliances, patching, gaia configurations, etc

2) Add both TE 2000XN appliances to the security management

3) Enable the Threat Emulation and Threat Extraction blades

I don't really need the Threat Extraction blade, but from what I've read, I think I need to enable this blade in order to activate the Threat Prevention API through SmartConsole and generate an API key that will be located in /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini

Source: sk137032 and sk113599

4) Define a threat prevention policy to be installed in both TE appliances named Recommended_Profile

Source: sk113599

This profile should allow me to define which OS are used for emulation, file emulation limits and other settings.

5) Enable Threat Emulation API logs to SmartLog with the command:

[Expert@HostName:0]# tecli advanced remote emulator logs enable

Source: sk163998

Afterwards, the load balancers will make sure the API client sessions are distributed between the two TE appliances.

This is a summary of the steps I'm thinking of following, and I would appreciate it very much if you could tell me whether I'm on the right track or misinterpreting some steps based on the sources I consulted.


Thank you for any tips and pointers in the right direction.

PM

0 Kudos
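The setup above ends with a mail system acting as the API client against the load-balanced TE appliances. As an added example (not code from the original post, from Check Point, or from the poster's environment), this is the client-side flow that setup serves: hash the attachment, query the appliance by SHA1 so files it has already seen are never re-uploaded, upload only when the file is unknown, and poll until the emulation finishes. The endpoint paths, the request/response field names, the status labels and the port are my understanding of the Threat Prevention API and should be checked against the API reference; the VIP hostname, the API key placeholder and the sample replies are constructed. The API key is the one step 3 generates on the appliance, so the request goes over TLS with certificate verification left on.

```python
import hashlib
import json
import ssl
import time
import urllib.request
import uuid
from typing import Optional, Tuple

# Constructed values: the load balancer VIP in front of the two TE2000XN units
# and the key generated in SmartConsole (stored on the appliance in
# /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini). Port 18194 and the path are
# my assumptions about where the on-appliance API listens.
TE_BASE_URL = "https://te-vip.example.internal:18194/tecloud/api/v1/file"
API_KEY = "REPLACE_WITH_KEY_FROM_TPAPI.ini"

# Status labels as I understand them; the loop stops on any of these.
TERMINAL = {"FOUND", "NOT_FOUND", "FILE_TYPE_NOT_SUPPORTED", "OUT_OF_QUOTA"}


def build_request(data: bytes, file_name: str, images=None) -> dict:
    """Build the JSON 'request' object shared by query and upload.
    The sha1 lets the appliance answer from its cache without the file."""
    item = {
        "sha1": hashlib.sha1(data).hexdigest(),
        "file_name": file_name,
        "features": ["te"],
        "te": {"reports": ["summary"]},
    }
    if images:  # optional emulation image ids; revision field is assumed
        item["te"]["images"] = [{"id": i, "revision": 1} for i in images]
    return {"request": [item]}


def parse_verdict(payload: dict) -> Tuple[str, Optional[str]]:
    """Return (status label, combined verdict or None) from an API reply.
    Query replies wrap results in a list, upload replies in one object."""
    resp = payload.get("response", {})
    if isinstance(resp, list):
        resp = resp[0] if resp else {}
    label = resp.get("status", {}).get("label", "UNKNOWN")
    verdict = resp.get("te", {}).get("combined_verdict")
    return label, (verdict.lower() if verdict else None)


def encode_multipart(request_json: dict, file_name: str, data: bytes):
    """Encode the 'request' JSON part and the file part as multipart/form-data
    (urllib has no multipart helper, so the body is assembled by hand)."""
    boundary = uuid.uuid4().hex
    crlf = b"\r\n"
    body = b"".join([
        b"--" + boundary.encode() + crlf,
        b'Content-Disposition: form-data; name="request"' + crlf + crlf,
        json.dumps(request_json).encode() + crlf,
        b"--" + boundary.encode() + crlf,
        b'Content-Disposition: form-data; name="file"; filename="'
        + file_name.encode() + b'"' + crlf,
        b"Content-Type: application/octet-stream" + crlf + crlf,
        data + crlf,
        b"--" + boundary.encode() + b"--" + crlf,
    ])
    return body, "multipart/form-data; boundary=" + boundary


def call_api(path: str, body: bytes, content_type: str,
             cafile: Optional[str] = None) -> dict:
    """POST to the appliance through the LB VIP. TLS verification stays on:
    point cafile at the internal CA that issued the VIP certificate rather
    than disabling checks, since the API key travels in this request."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(TE_BASE_URL + path, data=body, method="POST")
    req.add_header("Authorization", API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as r:
        return json.load(r)


def get_verdict(data: bytes, file_name: str, poll_seconds: int = 10,
                max_polls: int = 30) -> Tuple[str, Optional[str]]:
    """Query by hash; upload only if unknown; poll until a terminal status."""
    request = build_request(data, file_name)
    query_body = json.dumps(request).encode()
    label, verdict = parse_verdict(call_api("/query", query_body, "application/json"))
    if label == "NOT_FOUND":
        body, ctype = encode_multipart(request, file_name, data)
        label, verdict = parse_verdict(call_api("/upload", body, ctype))
    for _ in range(max_polls):
        if label in TERMINAL:
            break
        time.sleep(poll_seconds)
        label, verdict = parse_verdict(call_api("/query", query_body, "application/json"))
    return label, verdict


# Constructed sample replies in the shape I expect from the appliance.
SAMPLE_QUERY_FOUND = {"response": [{"status": {"code": 1001, "label": "FOUND"},
                                    "te": {"combined_verdict": "Malicious"}}]}
SAMPLE_UPLOAD_ACCEPTED = {"response": {"status": {"code": 1002, "label": "UPLOAD_SUCCESS"},
                                       "te": {"status": {"label": "PENDING"}}}}
```

An MTA integration would call get_verdict() per attachment and hold or quarantine the message on a "malicious" verdict; the hash-first query keeps repeated attachments from consuming emulation capacity on the two appliances.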
5 Replies
evgeny_petin
Explorer

Hello

Could you share an update?

Which load balancer did you use?

Is everything working fine?

0 Kudos
Pedro_Madeira
Collaborator

Hello @evgeny_petin 


The load balancer wasn't under my responsibility, but I think it's an F5 LTM.


From a Check Point perspective, the service is activated when you enable the Threat Extraction blade under the Threat Prevention profile.


I just followed my own plan as described in my original post.

0 Kudos
Forsaken_61
Explorer

Hi

Interesting post.

How did it go? Did you manage to get a correct flow of everything?

I have a similar environment to yours, but instead of an F5 for load balancing I have a Check Point Security Gateway that acts as a load balancer. The Gateway is configured to send files for "remote emulation" to my TE2000XN boxes if emulation is required. The Gateway can handle small PDF files with "static analysis".

Planning to get rid of the Gateways and try with F5 load balancers as well.

Would be cool if you could share your opinions about this.

Thanks!

0 Kudos
Pedro_Madeira
Collaborator

Hello @Forsaken_61 ,

I went along with my plan and set up everything correctly from a Check Point POV. But since everything else around it was delayed, I had to consider the project closed from my side. I think it never went into full production yet.


From my understanding, what you have right now is what is called a Check Point Private Cloud emulation environment, where the Security Gateway cluster makes the remote emulation decisions and then sends the files, or not, for remote emulation on the SandBlast appliances.


If you're thinking of removing the Security Gateway from the equation, you would be changing to an inline/one-armed architecture where the SandBlast appliance can act either as an ICAP server, an MTA or an API server. In that case, an environment with an F5 load balancer as you suggest would work, in my opinion.


You have to take into consideration whether you're emulating only email or also http/s traffic, and you also need to think about how the traffic decryption would be done.


Unless I understood incorrectly, that's my 2 cents.


Hope it helps.

0 Kudos
Forsaken_61
Explorer

Hi Pedro,

All right, cool, then I know.

You're exactly right there about my environment. In the current mode, we're using the Threat Prevention API against our Security Gateways.

The Gateways handle it and pass it down to the Threat Emulation Appliances if emulation is required.
Private Cloud, exactly.

At the moment we're using the Threat Prevention API, we're not considering emulating files from emails or http/s traffic.

Thanks

0 Kudos