Hello there! I have a situation here and need your advice.
We assume that CheckPoint, for some reason, does not use the “Gradual hold” (1 byte delay) of the SMTP traffic until the end of the Threat Emulation in Sandblast.
The attached screenshot shows that the event was recorded in the CheckPoint Gateway (cpgw) logs before the emulation ended in CheckPoint Threat Emulation (cpsdblst).
Did the gateway not wait for the emulation to end because threats were detected at the very first stages of emulation, or was the event recorded due to expiration of the stream hold time?
As you can see, it is a detect event; for critical severity that is not good, I think.
CheckPoint connection scheme: Internet - Postfix (MTA) - Bridge CheckPoint Gateway R77.30 + Threat Emulation appliance (TE100X) - Lotus (mail server)
Postfix sends SMTP via the Bridge CheckPoint to Lotus with the condition that there is only one SMTP email per TCP session.
We use bridge mode because our customer doesn't want to use the MTA in CheckPoint or make any changes to the network configuration.
The main problem is that the customer wants to see the emails, so we can't just block.
And we use these settings; maybe we must change something?
Certifications: CCSA, CCTA