RamGuy239
Advisor

Autonomous Threat Prevention; How to disable Threat Emulation and Threat Extraction for NGTP Gateway

Greetings,

Does anyone know how to successfully apply and run Autonomous Threat Prevention on Security Gateways with only an NGTP license?

According to sk163593, you don't need a full NGTX/SBNT license to use Autonomous Threat Prevention:
https://support.checkpoint.com/results/sk/sk163593

And that is indeed the case. Autonomous Threat Prevention works just fine with NGTP, but Smart Console constantly complains about the Security Gateway not having a valid Threat Emulation or Threat Extraction license.

This makes sense as we are running the "Perimeter (recommended)" profile in the Autonomous Threat Prevention Policy, which tries to enable and utilise both Threat Emulation and Threat Extraction.

But there seems to be no way for us to disable these blades. You can't choose what blades to run on the Security Gateway object. You choose Autonomous Threat Prevention or Custom Threat Prevention, which lets you manually select blades.

No apparent settings within the Autonomous Threat Prevention Policy let you disable specific blades. The closest thing I've found is to go to Autonomous Policy -> Settings -> Advanced Settings and add Sandbox and Sanitization with "Off" as an override. But this doesn't change anything regarding Smart Console complaining about no valid Threat Emulation or Threat Extraction license on the Security Gateway.

I even tried to create a global exception disabling both blades in the policy. But it's still complaining. I tried to re-create this in my LAB, and it's the same behaviour. I can't locate any meaningful information in the ATRG SK for Autonomous Threat Prevention or anything in the R81.10 or R81.20 Threat Prevention Administration Guides.

How is one expected to deploy and run Autonomous Threat Prevention with only NGTP and no NGTX/SBNT license on the Security Gateway? Do you have to ignore the red warning on the object in Smart Console?

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
17 Replies
G_W_Albrecht
Legend

In sk167109: Autonomous Threat Prevention Management integration Release Updates > List of Resolved Issues and New Features per Update we find:

Update 13 (15 July 2021)
ODU-154 The License absence warning may be shown to NGTP licensed users.

Can you verify that you use no older version?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
RamGuy239
Advisor

@G_W_Albrecht 

Thanks for the rapid response. The management and Security Group have direct access to updates.checkpoint.com, so this should update automatically. I did verify it, and it does seem to be the case:

MGMT:

BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 36
BUNDLE_DC_INFRA_AUTOUPDATE Take: 30
BUNDLE_GOT_MGMT_AUTOUPDATE Take: 108

GW:

BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 111

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
RamGuy239
Advisor

I suppose this might be related to the appliances shipped with NGTX/SBNT the first year. When running cplic print the contract coverage is mentioning both Threat Extraction, and Threat Emulation with expiration dates Dec 2022.

# ID Expiration SKU
===+===========+============+====================
1 | T5T5094 | 9Dec2022 | CPSB-TEX-7000-PLUS-1Y
+-----------+------------+--------------------

===+===========+============+====================
5 | T410YT9 | 9Dec2022 | CPSB-TE-7000-PLUS-1Y
+-----------+------------+--------------------

Might it be that Autonomous Threat Prevention starts complaining due to this? If there were no contract for either, to begin with, it wouldn't complain. I suppose I have to contact Account Services to have them remove the expired Threat Emulation and Threat Extraction from the license/contracts?

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
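Added example (not part of the original post and not Check Point code): a small Python parser for contract-coverage rows in the layout pasted above, listing Threat Emulation / Threat Extraction entries whose expiration date has passed. The row layout and the `-TE-`/`-TEX-` SKU markers are assumptions taken from the two rows in the post; the last two sample rows and all function names are constructed.

```python
import re
from datetime import date

# Constructed sample: the two rows pasted in the post, plus two made-up rows
# (their IDs and SKUs are placeholders, not real values).
SAMPLE = """\
# ID Expiration SKU
===+===========+============+====================
1 | T5T5094 | 9Dec2022 | CPSB-TEX-7000-PLUS-1Y
+-----------+------------+--------------------
===+===========+============+====================
5 | T410YT9 | 9Dec2022 | CPSB-TE-7000-PLUS-1Y
+-----------+------------+--------------------
8 | EXAMPLE2 | 9Dec2022 | PLACEHOLDER-OTHER-1Y
9 | EXAMPLE3 | 1Jan2030 | CPSB-TE-PLACEHOLDER-1Y
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# index | contract ID | DDMonYYYY | SKU  (header and separator lines do not match)
ROW = re.compile(
    r"^\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(\d{1,2})([A-Za-z]{3})(\d{4})\s*\|\s*(\S+)\s*$")

def parse_contract_rows(text):
    """Return (contract_id, expiration_date, sku) for every data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(4).title() not in MONTHS:
            continue
        expires = date(int(m.group(5)), MONTHS[m.group(4).title()], int(m.group(3)))
        rows.append((m.group(2), expires, m.group(6)))
    return rows

def expired_blade_contracts(text, today, markers=("-TE-", "-TEX-")):
    """Rows whose SKU names a TE/TEX blade and whose date is before `today`.

    The markers are an assumption based on the SKUs shown in the post."""
    return [r for r in parse_contract_rows(text)
            if r[1] < today and any(k in r[2] for k in markers)]

if __name__ == "__main__":
    for cid, expires, sku in expired_blade_contracts(SAMPLE, date.today()):
        print(f"expired: {sku} (contract {cid}, ended {expires.isoformat()})")
```
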
_Val_
Admin

I am a bit confused here. Do you have a valid contract in the UserCenter? 

0 Kudos
RamGuy239
Advisor

Hi, @_Val_ 

There are no valid contracts for Threat Emulation or Threat Extraction. The customer has never intended to go beyond NGTP. But these CPAP-SG7000 appliances included NGTX/SBNT the first year.

We have deployed Autonomous Threat Prevention from the get-go. But ever since the contracts for Threat Emulation and Threat Extraction expired in December 2022, Smart Console has been nagging them about expired licenses for Threat Emulation and Threat Extraction.

What I'm trying to achieve is to keep using Autonomous Threat Prevention but to have this red warning regarding no license for Threat Emulation and Threat Extraction go away. They have no intention of renewing these two blades, so having the warning is rather misleading and annoying.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
_Val_
Admin

Ok, crystal clear now. ATP includes TX/TE as part of the profiles. Technically, you already use just partial functionality of ATP.

Personally, I do not see too many options there. Try checking with TAC what can be done, but I am pretty sure the answer will be "ATP is not supported to run partial config without TX".

RamGuy239
Advisor

@_Val_ 

That would be awkward, considering how the sk163593 - Autonomous Threat Prevention Management states:

Q: Do we need a special license?
A: No. You need the standard NGTP/NGTX licenses.

Ref: https://support.checkpoint.com/results/sk/sk163593

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
_Val_
Admin

I am looking into the Threat Prevention admin guide, and it clearly states that File protection requires sandboxing. Also, all pre-defined profiles are set with TE/TX active. Finally, the GW side settings clearly have Sandboxing there.

[Screenshot attachment: Screenshot 2023-03-09 at 13.02.58 1.png]

You can use "Custom Threat Prevention" and uncheck TX/TE, but it will not be autonomous anymore. Worth checking with TAC, regardless.

_Val_
Admin

Actually, I think there is a way.

You can turn off TE and TX in the advanced properties of ATP. Try this and let me know if it helps:

[Screenshot attachment: Screenshot 2023-03-09 at 13.11.30.png]

0 Kudos
RamGuy239
Advisor

@_Val_ 

Sadly I've already tried this without any luck. I also created a global exception disabling the TE and TX blade. But no dice.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
_Val_
Admin

Please open a TAC case.

0 Kudos
G_W_Albrecht
Legend

So the issue is not resolved in the current take, it seems - worth asking TAC...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin

@G_W_Albrecht There is nothing to resolve; the license is not there in the first place. The SK you mentioned is about a false message about a missing license when it is in place.

0 Kudos
RamGuy239
Advisor

@_Val_ 

Why would sk163593 - Autonomous Threat Prevention Management even mention NGTP if you will be getting warnings nonstop if you don't have NGTX/SBNT?

I think this is specific for this Security Group as a result of expired contracts for TE and TX in place. I'd bet if these contracts didn't show, it would work with NGTP just fine without any warnings. Without TE and TX functionality, of course.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
_Val_
Admin

Answered above. You have a point, there is a way to turn sandboxing and other properties off. 

0 Kudos
G_W_Albrecht
Legend

Maybe removing the expired contracts would help? But I only know sk105757...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

No, it reads: The License absence warning may be shown to NGTP licensed users.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
