Ben-Zion_Josels
Participant

How slow will Internet access become with SandBlast for 1430 appliance?

I intend to upgrade my Check Point appliance, from the veteran UTM-1 Edge NW8 to a modern 1430 appliance.

I can choose between the NGTP blades package and the more effective NGTX blades package, which offers SandBlast protection against threats in files about to be downloaded to my PC.

I do not have Microsoft Office 365 cloud service at all.

I understand that SandBlast activity is cloud-based, so that each file about to be downloaded will be transferred first to Check-Point dedicated cloud to be tested and only then, if it is safe, it will be downloaded to my PC.

This back-and-forth file movement through the Internet worries me: By what amount is every such transaction going to slow my overall Internet access?

Is SandBlast for small appliances limited to specific file types (.exe, .pdf, .docx, pictures, etc.), or will it apply to all .html and .msg and .eml and every single Internet access will be subject to such a transaction?
Will it slow down my access to the Internet to such an extent that I will be forced to increase my Internet speed from the present 5Mbit/sec to much higher speeds? At present I feel very well with 5Mbit/sec as I do not download movies at all.

Please advise.


Accepted Solutions
PhoneBoy
Admin

Files flow through Threat Emulation something like this (quoting from Threat Prevention R80.10 (Part of Check Point Infinity), https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ThreatPrevention_AdminGuide/...):

  1. The Security Gateway gets a file from the Internet or an external network.
  2. The Security Gateway compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no additional emulation is necessary
    • If the file is not in the database, it is necessary to run full emulation on the file
  3. The file is sent over an SSL connection to the ThreatCloud.
  4. The virtual computers in the ThreatCloud run emulation on the file.
  5. The emulation results are sent securely to the Security Gateway for the applicable action.

Not all file types are scanned, only the ones here: File types supported by SandBlast Threat Emulation 

It will depend on the size of the files in question as to what the impact will be.

Ben-Zion_Josels
Participant

Thank you for the explanation.

In the case of a local small 1430 appliance without a local server, all threat prevention updates are obtained from Check Point Service Center, so the Security Gateway is not local on the user's side of the Internet, but it is located at the Check Point side.

If so, all the transactions of files that you described take place not through my slow Internet connection, but between Check Point Gateway and wherever else the file is sent and tested. Thus I hope my Internet access will not be slowed down by the SandBlast activity.

Please confirm.

PhoneBoy
Admin

The Security Gateway in this case is your 1430.

The transactions will take place through your slower Internet connection.

It should be noted that not every file you download will be uploaded to ThreatCloud for emulation.

First a hash of the file is sent to see if it was seen previously by ThreatCloud--this communication is fairly small.

If the file was seen previously--and it's quite likely it has been--the file will not be uploaded and the previously used verdict will be used.

Only if the file has not been seen previously by our cloud emulation will it need to be uploaded.
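
As an added illustration (not part of the thread, and not Check Point code), the sketch below models the hash-first flow from the quoted steps and the reply above, and estimates the extra upload traffic it puts on a slow link. The SHA-256 hash, the 1 KB query size, the three-extension type list, the file sizes and the 5 Mbit/s uplink are all assumptions chosen for the model.

```python
import hashlib

# Assumptions for this model (not Check Point values): SHA-256 as the
# "cryptographic hash", a ~1 KB hash query, and a 5 Mbit/s uplink.
LINK_MBIT_PER_S = 5.0
HASH_QUERY_BYTES = 1024
EMULATED_TYPES = {".exe", ".pdf", ".docx"}  # constructed subset, see vendor list


def transfer_seconds(num_bytes, mbit_per_s=LINK_MBIT_PER_S):
    """Time to move num_bytes over the link, ignoring protocol overhead."""
    return num_bytes * 8 / (mbit_per_s * 1_000_000)


def emulation_cost(name, content, known_hashes):
    """Return (decision, extra_bytes_sent, extra_seconds) for one download."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in EMULATED_TYPES:
        return ("skipped: type not emulated", 0, 0.0)
    digest = hashlib.sha256(content).hexdigest()
    if digest in known_hashes:
        # Step 2, first bullet: verdict already known, only the query is sent.
        return ("hash hit: reuse verdict", HASH_QUERY_BYTES,
                transfer_seconds(HASH_QUERY_BYTES))
    # Steps 3-5: unseen file, so the whole file crosses the link once more.
    sent = HASH_QUERY_BYTES + len(content)
    known_hashes.add(digest)  # model assumption: later copies become hits
    return ("hash miss: upload for emulation", sent, transfer_seconds(sent))


def summarize(downloads, known_hashes):
    """Total extra upload bytes and seconds across a list of (name, bytes)."""
    results = [emulation_cost(n, c, known_hashes) for n, c in downloads]
    return results, sum(r[1] for r in results), sum(r[2] for r in results)


# Constructed sample traffic: sizes are illustrative, contents are filler.
COMMON_PDF = b"A" * 2_000_000
RARE_EXE = b"B" * 10_000_000
SAMPLE = [("page.html", b"<html></html>"), ("manual.pdf", COMMON_PDF),
          ("tool.exe", RARE_EXE), ("tool.exe", RARE_EXE)]

if __name__ == "__main__":
    seen = {hashlib.sha256(COMMON_PDF).hexdigest()}  # already known verdict
    results, total_bytes, total_s = summarize(SAMPLE, seen)
    for (name, _), (decision, sent, secs) in zip(SAMPLE, results):
        print(f"{name:12} {decision:32} {sent:>10} B {secs:7.2f} s")
    print(f"extra upload: {total_bytes} B, {total_s:.2f} s at {LINK_MBIT_PER_S} Mbit/s")
```

In this model only the first copy of the unseen 10 MB file costs a full upload; the hits and the unsupported type add almost nothing, which matches the point that the impact depends on file size and on how often a file is new to the cloud.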
