Check Point Threat Prevention provides multi-layered protection against malware, exploits, bots, and advanced threats. The solution includes IPS (Intrusion Prevention System), Anti-Bot, Anti-Virus, Threat Emulation (sandboxing), and Threat Extraction. This guide walks you through enabling and configuring these powerful security blades.
Prerequisites
Before you begin, ensure you have:
- Security Gateway with Threat Prevention licenses
- SmartConsole with administrator access
- Management Server running R80.x or later
- ThreatCloud connectivity (internet access for threat intelligence updates)
- Adequate gateway resources (CPU, memory, disk space for threat analysis)
- Baseline performance metrics to compare before and after enabling blades
Understanding Threat Prevention Blades
| Blade | Description | Protection Type |
|---|---|---|
| IPS | Intrusion Prevention System - detects and prevents exploits | Signature and behavioral analysis |
| Anti-Bot | Detects and blocks botnet communication | Command & Control detection |
| Anti-Virus | Scans files and traffic for malware | Signature and heuristic scanning |
| Threat Emulation | Sandboxing for zero-day threat detection | Dynamic analysis of suspicious files |
| Threat Extraction | Removes active content from documents | Content sanitization (CDR) |
Step 1: Enable IPS Software Blade
The IPS blade protects against network-based attacks and exploits:
- Open SmartConsole and connect to your Management Server
- Navigate to Gateways & Servers
- Double-click your Security Gateway object
- In General Properties, go to the Network Security tab
- Check the box for IPS
- A wizard may open - follow the prompts to complete initial setup
- Click OK to save the gateway configuration
- Click Publish to save changes
IPS Default Behavior
When you enable IPS, a predefined rule is automatically added to the Threat Prevention policy:
- Protected Scope: Any (all traffic)
- Profile: Optimized (balanced protection and performance)
- Action: According to profile settings
Step 2: Enable Anti-Bot and Anti-Virus Blades
These blades work together to detect malware and botnet activity:
- Double-click your Security Gateway object
- In General Properties > Network Security tab
- Check the box for Anti-Bot
- The Anti-Bot and Anti-Virus First Time Activation wizard opens
- The wizard automatically enables both Anti-Bot and Anti-Virus
- Select initial settings:
  - Profile: Optimized (recommended to start)
  - Activation Mode: Prevent or Detect
- Click OK to complete the wizard
- Click Publish to save changes
Step 3: Enable Threat Emulation (Sandboxing)
Threat Emulation analyzes files in a sandbox to detect zero-day malware:
- Double-click your Security Gateway object
- In General Properties > Network Security tab
- Check the box for Threat Emulation
- Configure emulation location:
  - ThreatCloud - Files analyzed in Check Point's cloud (faster, recommended)
  - Local Emulation - Requires dedicated SandBlast appliance
- Click OK to save
- Click Publish
Threat Emulation Considerations
| Consideration | Recommendation |
|---|---|
| Emulation Location | ThreatCloud for most deployments; local for sensitive data |
| File Types | Configure which file types to emulate (executables, documents, archives) |
| User Experience | Consider Hold vs. Background modes for file delivery |
| Evasion Protection | Enable CPU-level emulation for advanced evasion detection |
Step 4: Enable Threat Extraction (Content Disarm)
Threat Extraction removes potentially malicious active content from documents:
- Double-click your Security Gateway object
- In General Properties > Network Security tab
- Check the box for Threat Extraction
- Configure extraction settings in the Threat Prevention policy
- Click OK to save
- Click Publish
Extraction Methods
| Method | Description | Use Case |
|---|---|---|
| Convert to PDF | Converts documents to flat PDF format | Maximum security, some formatting loss |
| Clean | Removes active content, preserves format | Balance of security and usability |
Step 5: Configure Threat Prevention Profiles
Profiles determine how each blade responds to threats:
Default Profiles
SmartConsole includes three built-in profiles that cannot be modified:
| Profile | Description | Recommended Use |
|---|---|---|
| Optimized | Balanced protection and performance | General purpose, most environments |
| Strict | Maximum coverage, may impact performance | High-security environments |
| Basic | Minimal impact, limited coverage | Servers, performance-sensitive systems |
Creating a Custom Profile
- Navigate to Security Policies > Threat Prevention
- Click Profiles in the bottom panel
- Right-click an existing profile and select Clone
- Rename your cloned profile (e.g., "Corporate_Custom")
- Double-click to edit the profile
Configuring Profile Settings
In the profile editor, configure each blade:
IPS Settings:
- General Settings: Configure performance vs. protection balance
- IPS Policy: Select protections to activate
- Update Policy: Configure automatic signature updates
Anti-Bot Settings:
- Confidence Levels: High, Medium, Low
- Actions: Prevent, Detect, or according to protection
- Botnet Families: Specific bot types to detect
Anti-Virus Settings:
- File Types: Which files to scan
- Archive Handling: Scan depth for compressed files
- Engine Updates: Signature update frequency
Threat Emulation Settings:
- File Types: Executables, documents, archives
- Emulation Environment: OS versions to emulate
- Evasion Resistance: CPU-level detection settings
Step 6: Create Threat Prevention Policy
The Threat Prevention policy determines which profiles apply to which traffic:
- Navigate to Security Policies > Threat Prevention
- View the Threat Prevention rule base
- Create or modify rules:
Rule Configuration
| Column | Description |
|---|---|
| Protected Scope | Network objects to protect (hosts, networks, zones) |
| Protection/Site/File/Blade | Specific protections or categories to apply |
| Action | Prevent (block), Detect (log only), or According to Profile |
| Profile | Threat Prevention profile to apply |
| Track | Logging options |
| Install On | Target gateways |
Example Rules
Rule 1 - Strict Protection for Servers:
- Protected Scope: DMZ_Servers group
- Profile: Strict
- Action: Prevent
- Track: Log
Rule 2 - Standard Protection for Users:
- Protected Scope: Internal_Networks
- Profile: Optimized
- Action: Prevent
- Track: Log
Rule 3 - Detect Mode for Testing:
- Protected Scope: Test_Network
- Profile: Optimized
- Action: Detect
- Track: Log
Step 7: Configure ThreatCloud Settings
ThreatCloud provides real-time threat intelligence:
- Go to Manage & Settings > Blades > Threat Prevention
- Click ThreatCloud settings
- Configure:
  - Resource Classification: Enable cloud-based file reputation
  - Suspected Websites: Block or warn on suspicious sites
  - Application Database: Enable application identification
Automatic Updates
Configure how often threat data is updated:
- Go to Manage & Settings > Blades > Threat Prevention > Updates
- Configure:
  - IPS Signatures: Recommended - every 2 hours
  - Anti-Bot/Anti-Virus: Recommended - every 2 hours
  - Threat Emulation: Real-time via ThreatCloud
Step 8: Install Threat Prevention Policy
After configuration, install the policy:
- Click Publish to save all changes
- Click Install Policy
  - For IPS changes: Select Access Control policy
  - For Anti-Bot/Anti-Virus/Threat Emulation: Select Threat Prevention policy
- Select target gateways
- Click Install
- Monitor installation in the Tasks panel
Important: IPS is installed with Access Control policy; other Threat Prevention blades use a separate Threat Prevention policy installation.
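The rule base from Step 6 and the policy installation from Step 8 can also be driven from the command line with the Check Point Management API CLI (mgmt_cli), which gives you a reviewable, repeatable change instead of a sequence of clicks. The script below is an added example; it is not from this guide or from Check Point's own documentation. It assumes it runs on the Management Server as an administrator (`mgmt_cli -r true`, root login without a session file), that the policy package is "Standard" with its default "Standard Threat Prevention" layer, that the gateway object is named "Corp_GW", and that the DMZ_Servers, Internal_Networks and Test_Network objects already exist. The parameter names (`protected-scope`, `action`, `track`, `install-on`, `confidence-level-*`, `threat-prevention`) are the Management API names as I know them; check them against the API reference for your release. One mapping to be aware of: in the API a rule's `action` is the profile, and Prevent versus Detect is a property of the profile, so the "Detect Mode for Testing" rule below uses a Detect-mode profile rather than Optimized with a separate Detect action.

```shell
#!/bin/sh
# Added example, not part of the guide: drive Steps 5, 6 and 8 from the
# Management API CLI (mgmt_cli) instead of SmartConsole.
# ASSUMPTIONS (adjust for your environment): runs on the Management Server as
# an admin ("-r true" = root login without a session file); policy package
# "Standard" with its default layer "Standard Threat Prevention"; gateway
# object "Corp_GW"; the network objects DMZ_Servers, Internal_Networks and
# Test_Network already exist (as in the guide's example rules).
set -eu

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
PACKAGE="${PACKAGE:-Standard}"
TP_LAYER="${TP_LAYER:-Standard Threat Prevention}"
GATEWAY="${GATEWAY:-Corp_GW}"

# DRY_RUN=1 prints each command instead of executing it, so the change can be
# reviewed first. It is switched on automatically when mgmt_cli is not on PATH.
command -v "$MGMT_CLI" >/dev/null 2>&1 || DRY_RUN=1

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    cmd="$MGMT_CLI -r true"
    for arg in "$@"; do
      case $arg in
        *" "*) cmd="$cmd '$arg'" ;;   # quote values that contain spaces
        *)     cmd="$cmd $arg"   ;;
      esac
    done
    printf '%s\n' "$cmd"
  else
    "$MGMT_CLI" -r true "$@"
  fi
}

# Step 5 equivalent: a custom profile. In the API a rule's "action" IS the
# profile, and Prevent/Detect is a profile property (confidence levels), so a
# Detect-mode rule needs a profile whose confidence levels are set to Detect.
tp_add_detect_profile() {   # $1 = profile name
  run add threat-profile name "$1" \
      ips true anti-bot true anti-virus true threat-emulation true \
      confidence-level-high Detect confidence-level-medium Detect confidence-level-low Detect
}

# Step 6: one Threat Prevention rule.
tp_add_rule() {   # $1 name, $2 position, $3 protected scope, $4 profile, $5 track
  run add threat-rule name "$1" layer "$TP_LAYER" position "$2" \
      protected-scope "$3" action "$4" track "$5" install-on "$GATEWAY"
}

# Step 8: install the Threat Prevention policy. Per the guide, IPS changes are
# installed with the Access Control policy, so call "tp_install true" then.
tp_install() {   # $1 = also install Access Control? (default false)
  run install-policy policy-package "$PACKAGE" access "${1:-false}" \
      threat-prevention true targets "$GATEWAY"
}

main() {
  tp_add_detect_profile "Corporate_Detect"
  tp_add_rule "Strict Protection for Servers"  1 DMZ_Servers       Strict           Log
  tp_add_rule "Standard Protection for Users"  2 Internal_Networks Optimized        Log
  tp_add_rule "Detect Mode for Testing"        3 Test_Network      Corporate_Detect Log
  run publish
  tp_install false
}
main
```

Run it once with `DRY_RUN=1` and read the generated commands before running it for real; the same dry-run path is what executes on a machine without mgmt_cli. The script publishes and installs only the Threat Prevention policy, matching Step 8; if the change touches IPS protections, install the Access Control policy as well (`tp_install true`).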
Step 9: Monitor Threat Prevention
Real-Time Monitoring
- Go to Logs & Monitor in SmartConsole
- Select the Threat Prevention view
- Monitor:
  - Prevent actions - Threats actively blocked
  - Detect actions - Threats detected but not blocked
  - Protection name - Specific threat identified
  - Severity - Critical, High, Medium, Low
Threat Prevention Dashboard
- Go to Logs & Monitor
- Click the + tab to open the catalog
- Select Threat Prevention dashboard
- View:
  - Top attacks by severity
  - Malware trends
  - Blocked applications
  - Bot activity
SmartEvent Integration
For advanced analysis:
- Configure SmartEvent server
- Enable Threat Prevention events
- Access detailed threat analytics and correlations
Troubleshooting Common Issues
High Gateway CPU Usage
Symptoms: CPU spikes after enabling Threat Prevention.
Solutions:
- Review profile settings - switch from Strict to Optimized
- Limit deep inspection to critical networks only
- Exclude high-volume, trusted traffic from inspection
- Check for IPS protections with high performance impact
- Consider hardware upgrade for heavily loaded gateways
False Positives
Symptoms: Legitimate traffic blocked by Threat Prevention.
Solutions:
- Identify the specific protection in logs
- Review the protection details and confidence level
- Create an exception:
  - Go to Threat Prevention > Exceptions
  - Create an exception for the specific protection and scope
- Report false positive to Check Point for signature improvement
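The monitoring view in Step 9 and the false-positive procedure above both start from the same question: which protection, with which action and severity, is firing on which traffic? The script below is an added example, not part of this guide, that answers it from exported logs in the shell. The log lines are constructed for the example; their `key=value|key=value` layout is a simplification of Log Exporter-style syslog output, and the real field names depend on your export settings. It summarizes events per blade, action, severity and protection, lists Prevent hits that originate from a trusted source prefix as candidates for review, and prints (does not run) a narrowly scoped `add threat-exception` command for one protection and one scope. The layer and rule names, the "Build_Servers" scope object and the mgmt_cli parameter names (`rule-name`, `protected-scope`, `protection-or-site`) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the guide: triage Threat Prevention logs from the
# shell and turn a confirmed false positive into a narrowly scoped exception.
# The log lines are CONSTRUCTED for this example; their "key=value|key=value"
# layout is a simplification of Log Exporter-style syslog output, and real
# field names depend on your export settings.
set -eu

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
time=2024-05-01T09:00:01|product=IPS|action=Prevent|severity=High|confidence_level=High|protection_name=Example Web Server Protection|src=10.20.0.15|dst=192.0.2.10
time=2024-05-01T09:00:07|product=IPS|action=Prevent|severity=High|confidence_level=High|protection_name=Example Web Server Protection|src=10.20.0.15|dst=192.0.2.10
time=2024-05-01T09:01:12|product=IPS|action=Prevent|severity=High|confidence_level=High|protection_name=Example Web Server Protection|src=10.20.0.15|dst=192.0.2.10
time=2024-05-01T09:01:40|product=IPS|action=Prevent|severity=High|confidence_level=High|protection_name=Example Web Server Protection|src=10.20.0.16|dst=192.0.2.10
time=2024-05-01T09:02:03|product=IPS|action=Detect|severity=Medium|confidence_level=Low|protection_name=Example Scanner Signature|src=198.51.100.7|dst=192.0.2.10
time=2024-05-01T09:03:30|product=Anti-Bot|action=Prevent|severity=Critical|confidence_level=High|protection_name=Example C&C Family|src=10.30.1.44|dst=203.0.113.5
time=2024-05-01T09:04:15|product=Anti-Virus|action=Prevent|severity=High|confidence_level=High|protection_name=Example Malware Family|src=10.30.1.50|dst=203.0.113.9
EOF

# Parse one "k=v|k=v" line into the awk array f; shared by both reports.
AWK_PARSE='{ split("", f); for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] } }'

# Step 9 view in text form: event count per blade / action / severity / protection.
tp_summary() {   # $1 = log file
  awk -F'|' "$AWK_PARSE"'
    { n[f["product"] "\t" f["action"] "\t" f["severity"] "\t" f["protection_name"]]++ }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" | sort -rn
}

# False-positive candidates: Prevent events whose source starts with a trusted
# prefix (plain string prefix, not CIDR), grouped by protection and source.
tp_fp_candidates() {   # $1 = log file, $2 = trusted source prefix
  awk -F'|' -v prefix="$2" "$AWK_PARSE"'
    index(f["src"], prefix) == 1 && f["action"] == "Prevent" { n[f["protection_name"] "\t" f["src"]]++ }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" | sort -rn
}

# The exception to review once the traffic is confirmed legitimate: ONE
# protection, ONE protected scope (an existing host/network object), Detect
# rather than Inactive so the hits stay visible in the logs. The layer and
# rule names and the mgmt_cli parameter names are assumptions for this example.
tp_exception_cmd() {   # $1 = rule name, $2 = protection name, $3 = scope object
  printf "mgmt_cli -r true add threat-exception layer '%s' rule-name '%s' name 'FP - %s (%s)' protected-scope '%s' protection-or-site '%s' action Detect track Log\n" \
    "${TP_LAYER:-Standard Threat Prevention}" "$1" "$2" "$3" "$3" "$2"
}

main() {
  echo "== Events by blade / action / severity / protection =="
  tp_summary "$LOG"
  echo
  echo "== Prevent hits from trusted prefix 10.20.0. (review before creating an exception) =="
  tp_fp_candidates "$LOG" "10.20.0."
  echo
  echo "== Exception command to review =="
  tp_exception_cmd "Standard Protection for Users" "Example Web Server Protection" "Build_Servers"
}
main
```

The exception is deliberately as narrow as the evidence: one protection name taken from the log, one scope object for the hosts that generated the hits, and Detect instead of Inactive so the protection keeps logging while the exception is in place. That is the shape of exception that the "Exception Management" practice below (document each one with its business justification) is easiest to review and eventually retire.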
Threat Emulation Delays
Symptoms: Users experience delays when downloading files.
Solutions:
- Switch from Hold mode to Background mode
- Use ThreatCloud emulation instead of local
- Configure caching of emulation results
- Exclude trusted sources from emulation
- Enable Threat Extraction for immediate clean file delivery
Updates Not Installing
Symptoms: Threat Prevention database not updating.
Solutions:
- Verify internet connectivity from Management Server
- Check proxy settings if applicable
- Verify license status includes Threat Prevention updates
- Manually trigger update from SmartConsole
- Review cpwd_admin logs for update errors
Best Practices Summary
| Practice | Description |
|---|---|
| Phased Rollout | Enable blades incrementally, starting with Detect mode |
| Monitor Performance | Baseline before enabling, monitor after each change |
| Regular Updates | Ensure automatic updates are configured and working |
| Exception Management | Document all exceptions with business justification |
| Log Analysis | Regularly review Threat Prevention logs for trends |
| Profile Tuning | Adjust profiles based on your environment's needs |
| ThreatCloud | Ensure consistent cloud connectivity for best protection |
Next Steps
After enabling basic Threat Prevention:
- Tune Profiles - Adjust protection settings based on monitored results
- Enable HTTPS Inspection - Extend protection to encrypted traffic
- Configure Email Security - Protect against email-borne threats
- Integrate with SIEM - Forward logs for centralized analysis
- Implement Incident Response - Define procedures for threat alerts
Additional Resources
- Check Point Threat Prevention Admin Guide
- IPS Software Blade Configuration
- Threat Prevention Profiles
- Check Point CheckMates Community
Need help implementing Check Point Threat Prevention? Inventive HQ provides expert configuration, tuning, and managed threat prevention services. Contact us for a free security assessment.