What is the impact (performance-wise and in other aspects) of setting up Check Point as an MTA so as to utilize Threat Extraction?
Threat Extraction Datasheet & Technology
Mail Transfer Agent (MTA) - FAQ
MTA Debugging and Performance Troubleshooting Toolkit
Closing the Malware Gap: The Rise of Threat Extraction
SandBlast Threat Extraction removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow. It is a new technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more - see list below).
This is a new approach for Threat Prevention: instead of determining whether a file is malicious or not, Threat Extraction cleans the file before it enters the organization. Threat Extraction prevents both known and unknown threats before they reach the organization, thus providing better protection against zero-day threats.
Supported file formats
Threat Extraction supports the following primary file formats. Many other formats (such as Windows Metafile) that are commonly associated with these primary formats are also supported.
Adobe PDF (all versions)
Microsoft Visio, Microsoft Project, etc.
Microsoft Excel 2007 and above
xlsx, xlsb, xlsm, xltx, xltm, xlam
Microsoft Excel 2007 Binary
Microsoft Excel 97 - 2003
Microsoft PowerPoint 2007 and above
pptx, pptm, potx, potm, ppam, ppsx, ppsm
Microsoft PowerPoint 97 - 2003
ppt, pps, pot, ppa
Microsoft Word 2007 and above
docx, docm, dotx, dotm
Microsoft Word 97 - 2003
The performance impact on your gateways will hardly be noticeable when simply extracting potentially malicious file contents. As always with automated file content modifications, this can result in unreadable characters or file names, causing end users to request that the original email attachment be released to them.
It's a different story when converting all files into PDF. Of course this option will provide your end users with the most secure and trustworthy email attachments. However, PDFs are not really editable, and many end users will complain that they cannot fill out an Excel sheet as intended by the sender of the email; sometimes the PDF conversion renders the resulting file almost unreadable. You need to educate your end users to be aware of these symptoms and provide them with a link within the email so that they can retrieve the original email attachment themselves.
High CPU consumption due to urandom, or "Error: Threat Extraction is not responding" displayed
When Threat Extraction converts a PDF file, the output PDF file has many layers that are rendered slowly or cover information in the document
Files are renamed by Threat Emulation and Threat Extraction with specific special characters in the file name
Thank you for the response. This is much appreciated.
We are planning to enable Threat Extraction on our Gateways. We are running two 4800s on R77.30 and a smart1-205 Management.
I hope the specifications of my current devices will be able to support Threat Extraction without an adverse impact.
I don't have a perfect reply for you and am curious if other people are seeing performance issues with MTA activated on a Gateway. Three months ago I activated MTA/Threat Extraction, however I was able to dedicate hardware to use exclusively for MTA/TX because I was unsure of the performance hit on our main gateway. In practice, MTA is great and has really cleaned up some email problems for us.
I have two gateways running in cluster mode, the hardware you have dedicated for MTA/TX is one of your gateways right, or how is the deployment?
The MTA function is implemented in process space on the gateway, so just make sure the gateway cores are not extremely busy in kernel space (sy/si/hi) to avoid the MTA processes having to wait a long time for the CPU. Even if there are delays caused by this, the users don't tend to notice their email getting delayed for a few seconds.
-- My book "Max Power: Check Point Firewall Performance Optimization" now available via http://maxpowerfirewalls.com.
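As an added example (not from the original thread, and not Check Point tooling), a small POSIX shell script that puts a number on the check described above: it takes two /proc/stat snapshots and computes, per core, the share of busy time spent in kernel space (system + irq + softirq, i.e. the sy/hi/si columns of top), flagging cores above a threshold. The two snapshots embedded below are constructed for illustration, and the 70% threshold is an assumed value, not a Check Point recommendation. On a Gaia gateway the live_check function samples the real /proc/stat.

```shell
#!/bin/sh
# Added example: per-core kernel-space busy percentage from two /proc/stat
# snapshots. Fields per "cpuN" line: user nice system idle iowait irq softirq ...
# The snapshots below are CONSTRUCTED sample data, not from a real gateway.
SNAP1='cpu0 1000 0 200 8000 0 50 50 0 0 0
cpu1 1000 0 6000 2000 0 500 500 0 0 0'
SNAP2='cpu0 1100 0 250 8600 0 60 60 0 0 0
cpu1 1100 0 7200 2200 0 800 700 0 0 0'

# kernel_busy_pct SNAPSHOT_BEFORE SNAPSHOT_AFTER [THRESHOLD_PCT]
# Prints "<core> <kernel%> <ok|HOT>" per core, where kernel% is the share of
# elapsed jiffies spent in system+irq+softirq between the two snapshots.
# THRESHOLD_PCT defaults to 70 (assumed value for this example).
kernel_busy_pct() {
  thr="${3:-70}"
  printf '%s\n%s\n' "$1" "$2" | LC_ALL=C awk -v thr="$thr" '
    /^cpu[0-9]+ / {
      name = $1
      total = 0
      for (i = 2; i <= NF; i++) total += $i      # all jiffies for this core
      kern = $4 + $7 + $8                       # system + irq + softirq (sy/hi/si)
      if (name in t0) {                         # second snapshot: compute delta
        dt = total - t0[name]; dk = kern - k0[name]
        pct = (dt > 0) ? 100 * dk / dt : 0
        printf "%s %.1f %s\n", name, pct, (pct >= thr ? "HOT" : "ok")
      } else {                                  # first snapshot: remember baseline
        t0[name] = total; k0[name] = kern
      }
    }'
}

# live_check [INTERVAL_SECONDS] [THRESHOLD_PCT]
# Samples the running kernel twice and reports; Linux/Gaia only.
live_check() {
  s1=$(cat /proc/stat)
  sleep "${1:-5}"
  s2=$(cat /proc/stat)
  kernel_busy_pct "$s1" "$s2" "${2:-70}"
}

# Stand-alone run against the constructed snapshots:
# cpu0 9.1 ok
# cpu1 85.0 HOT
kernel_busy_pct "$SNAP1" "$SNAP2"
```

A core reported HOT is one where user-space daemons such as the MTA would queue behind SecureXL/firewall kernel work; that is the condition the reply above says to avoid. Run live_check a few times during peak mail hours rather than once, since a single 5 second sample can be skewed by a burst.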