This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andjey
Participant
‎2019-04-11 02:43 AM

Threat Prevention did not prevent first time e-mail with mailware file. Bridge GW+TE100X

Hello there! I have the situation here and need your advise.
We assume that CheckPoint does not use “Gradual hold” 1 byte delay of the SMTP traffic for some reason until the end of the Threat Emulation in Sandblast.

TP.png

The attached screenshot shows that the event was recorded in the CheckPoint Gateway (cpgw) logs before the emulation ended in CheckPoint Threat Emulation (cpsdblst).
Did the gateway not wait for the emulation to end, because threats were detected at the very first stages of emulation or the event was recorded due to expiration of the stream hold time?

As you can see it is detect event, for critical severity it isnot good i thnik. 

CheckPoint inclusion scheme: Internet – Postfix (MTA) - Bridge CheckPoint Gateway R77.30 + Threat Emulation appliance (TE100X) - Lotus (mail server)
Postfix sends SMTP via Bridge CheckPoint to Lotus with condition = in one TCP session only one SMTP email.
We use bridge mode because our costumer doesn't want to use MTA in CheckPoint or make any changes to network configuration.

The main problem is the costumer want to see emails, so we can't just block.

And use that settings, mb we must change something?

TP_https_engine.pngTP_profile.pngTP_profile_adv.png

 

 

 

Certifications: CCSA, CCTA
3 Replies
PhoneBoy
Admin
Admin
‎2019-04-11 06:26 PM

With SMTP we generally recommend using MTA mode.
That said, this sounds like a bug the TAC should investigate.
Andjey
Participant
‎2019-04-11 11:19 PM
In response to PhoneBoy

We can't use MTA in that deployment. The costumer allready has 3rd party MTA.
Certifications: CCSA, CCTA
Andjey
Participant
‎2019-04-15 01:55 AM
In response to PhoneBoy

Thank you for your answer. We are open the support case for this problem and i think this is not a recommendation, but a necessity. There is no possibility to keep smtp traffic in bridge mode without MTA, which tells us that it is better not to use bridge mode for smtp inspection. Why not explicitly write this in the documentation https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/96332.htm as an unsupported solution. It turns out that emulation for first time traffic is useless, as it is not able to prevent infected files via smtp... Now we are waiting R&D answer.
Certifications: CCSA, CCTA

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events