Support Center > Search Results > SecureKnowledge Details
Threat Emulation Sizing Mode: how to measure the required inspections at an organization
Solution

(1) Introduction

Threat Emulation's "Sizing mode" is a tool for monitoring real-time file inspections in an organization, allowing for the assessment of the required Threat Emulation quota size.

Activating Sizing Mode in Threat Emulation will enable full statistics, including the number of files filtered by the local cache and static analysis, and the number of files that would be emulated by the normal operation of the blade. This information can assist you in deciding which appliance is the most suitable for handling the blade work.

(2) Enabling Sizing Mode

  1. Enable the Threat Emulation Blade in the Security Gateway object and install the policy.
  2. Run the following command in Expert mode: tecli control sizing enable.

Notes:

  • A warning will be displayed during policy installation indicating that Sizing Mode is active.
  • This command survives reboot.

(3) Disabling Sizing Mode

  • Run the following command in Expert mode: tecli control sizing disable.

Note: This command survives reboot.

(4) Sizing Mode status

Sizing Mode will preserve its status even when a policy is installed or the Threat Emulation Blade is disabled. Changes to the Sizing Mode status can be done only in the command line.

  • Run this command in Expert mode: tecli control sizing status

(5) Statistics, Cache and Logs on Sizing Mode

  • Statistics and Cache will be cleared every time the Sizing Mode status is changed.
  • When Sizing Mode is enabled, statistics will not be sent to Check Point ThreatCloud.
  • IMPORTANT: Logs and Statistics will show that all files were emulated on ThreatCloud, with a verdict of "benign". These are not necessarily the actual verdict and location of analysis - these are presented when Sizing Mode is enabled. The reliable information provided in this mode is where the verdict of the file will be set in normal operation - local cache, static analysis or emulation.

(6) Using Sizing Mode

There are two ways to view the statistics provided by Sizing Mode:

  • Run the following command in Expert mode: tecli show statistics
  • Use SmartView Monitor, and follow the Threat Emulation link to view all the available statistics.

Note: When Sizing Mode is enabled, files are not emulated, only counted. If the file's verdict was determined by static analysis, it is benign. If not, it will be counted as a benign file emulated on ThreatCloud. Statistics will show you how many files were filtered by the local cache and how many files were filtered by the static analysis tool. The rest of the files were not emulated, but counted as benign files.

ThreatCloud Emulation Service (Sandboxing)

Monthly Quota 10,000 50,000 150,000 400,000 1,000,000
Recommended Users 0-150 150-500 300-1,500 1,000-5,000 3,000+


Threat Emulation Appliances: TE250, TE1000, TE2000

Note: Refer to this datasheet.

  TE250 TE1000 TE2000
Recommended number of Files/Month 250,000 1,000,000 2,000,000
Recommended number of Users up to 3,000 3,000+ 10,000+
Throughput (Mbps) 691 2,032 4,000
Number of Virtual Machines 8 28 56


Threat Emulation SandBlast Appliances: TE100X, TE250X, TE1000X, TE2000X

Note: Refer to this datasheet.

  TE100X TE250X TE1000X TE2000X TE2000X HPP
Recommended number of Files/Month 100,000 250,000 1,000,000 1,500,000 2,000,000
Recommended number of Users up to 1,000 up to 3,000 up to 10,000 up to 20,000 up to 20,000
Throughput (Mbps) 150 700 2,032 4,000 4,000
Number of Virtual Machines 4 8 28 40 56


(7) Related solutions

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment