Threat Prevention | CheckMates

Enis Dunic in Threat Prevention6 days ago (Show more)

IPS inspection requires additional CPU and memory resources to handle the incoming packets. If your CPU utilization is under heavy load IPS inspection will be disabled. From CheckPoint: Special IPS Bypass mechanism automatically disables all IPS protections (by placing them under exception), when it detects that the certain CPU utilization… (Show more)

6 repliesShow more activity

Daniel Moore (to Enis Dunic) 20 hours ago (Show more Show less)

Tuning this is extremely difficult in complex environments, that said letting risk management asses really doesn't apply from my perspective. Taking ddos into account which in the traditional sense is more about server overload; then compromise attacks. With the amount of scanning on the internet today, and how quick it is to find an attack…

Actions

Kris Meldrum in Threat Prevention7 days ago (Show more)

IPS policy installation timestamp

Hi All, I'm looking for a way within R80.10 to see a timestamp for when the last Threat Prevention (but more specifically, IPS) policy was installed. I know I can see firewall through fw stat. IPS stat only shows me that it is enabled and the signature update number which doesn't help for my use case. Is there a way to see when IPS or Threat… (Show more)

7 repliesShow more activity

Kris Meldrum (to Tomer Sole) 21 hours ago (Show more Show less)

Exactly! I need a way to verify outside of the management what policy is running on the gateway. If it is the Check Point way, then why did Check Point build a command to view the firewall policy name and install time into the gateway?

Actions

Thomas Kundig in Threat Prevention1 day ago (Show more)

Sandblast - ICAP on r80.10

Dear all, I would like to activate ICAP server on a Sanblast appliance in r80.10 managed by a management also in r80.10. The only documentation that I find is to activate on the r77.30 or on a r80.10 but managed by a R80.20. ICAP and Sandblast Appliance … (Show more)

4 repliesShow more activity

Heiko Ankenbrand (to Thomas Kundig) 24 hours ago (Show more Show less)

Hi Thomas, you can found a integration overview in following articles: ICAP and Sandblast Appliance Symantec (Bluecoat) SG ICAP and Sandblast (TEX) Fortigate Firewall ICAP and Sandblast (TEX) (better use a Check Point firewall:-) McAfee Web Gateway ICAP and Sandblast Appliance (TEX) Or ask Thomas Werner, he is a very good Check…

Actions

Olga Kuts in Threat Prevention5 days ago (Show more)

IPS Signature for CVE-2017-3737

Hello! Is it planned to releaze an IPS signature for CVE-2017-3737?

6 repliesShow more activity

Günther W. Albrecht (to Dameon Welch Abernathy) 4 days ago (Show more Show less)

CP has its own sk92447 Status of OpenSSL CVEs that does not list this CVE - and the command for checking OpenSSL version by rpm returns nothing on R80.10: # rpm -qa | grep openssl

Actions

Shivajith S in Threat Prevention6 days ago (Show more)

Hi Experts ,Any one can guide

May I know how to block IPS based for Countries to block outside access to Particular segment . My scope is I need to block for VPN segment ,for example lets say my user are in UK ,I need to block access from china ,In IPS based ...how to apply this ..

3 repliesShow more activity

Gomboragchaa Jamganjav (to Shivajith S) 4 days ago (Show more Show less)

To create a new Geo Policy: In R80 SmartConsole, go to the Security Policies page. In the Shared Policies section, click Geo Policy. From the drop-down Edited Policy menu, select New. In the Object Name window that opens, enter a name for the new Geo Policy. Click OK. Select an Activation Mode:Active - Policy is enabled Monitory Only - Traffic…

Actions

Bruce Pruitte in Threat Prevention6 days ago (Show more)

IPS Geo-Policy Whitelist by Domain Name

Trying to see if I can create a exception by domain name so sites that are hosted in countries that are blocked can still be accessed. Running into issue to where sites hosted in the cloud are getting blocked when they are being hosted in countries that are blocked via geo policy.. Thanks for any and all responses.. Bruce

3 repliesShow more activity

Heiko Ankenbrand (to Bruce Pruitte) 5 days ago (Show more Show less)

Hi Bruce, you can use my script to use GEO objekts in firewall access rules. GEO Location Objects in Firewall Policy (with Dynamic Objects) Regards, Heiko

Actions

Dameon Welch Abernathy

in Threat Prevention6 days ago (Show more)

IPS Ease of Use in R80.20 TechTalk

As a follow-up to our Check Point R80.20 Demo TechTalk and Q&A session, we demonstrated the numerous usability enhancements with IPS Management and Gateway that are coming with the R80.20 release. Experts from R&D answered your IPS-related questions as well! Tomer Sole Smadi Paradise Ofir Israel Raz Shlomo Avishai Duer As this was… (Show more)

1 replyShow more activity

Tomer Sole

(to Dameon Welch Abernathy) 6 days ago (Show more Show less)

Hi, In this talk we mainly discussed the changes with IPS in R80.20. Some links: Link description Link The R80.20 EA Program Check Point R80.20 Production and Public EA Which policy to install when making IPS changes depending on the version of your gateway What is the roadmap for Threat Prevention Policy management? IPS Best Practices…

Actions

Amit Singh in Threat Prevention1 week ago (Show more)

IPS Protection signatures with same name having diff. CVE number

My question is related with IPS Protection signatures. I can see same protection name with number of times having different CVE number. As i understand that these protection release on the basis of respective windows version but If i select only latest release of signatures in Detect/Prevent , does it cover rest of release too of same protection… (Show more)

2 repliesShow more activity

Amit Singh (to Enis Dunic) 1 week ago (Show more Show less)

Thank you Enis for information. This is helpful.

Actions

Prashan Attanayake in Threat Prevention10 months ago (Show more)

Packets get drop

what is the reason for happen this ? ;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 x.x.x.x:30730 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN; ;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:30731 -> 10.2.200.50:80 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;… (Show more)

9 repliesShow more activity

SVEN.1ed54ed4-2409-4ee0-b942-4bf8a5ceb750 (to Dameon Welch Abernathy) 1 week ago (Show more Show less)

Hey Dameon, thanks for this advice. I will check this out and keep you posted. Thanks Sven

Actions

Carlos Jara in Threat Prevention1 week ago (Show more)

How can I avoid "Host Port" scan?

Hi, We have a lot of "Host Port Scan" events in. How can I avoid "Host Port Scan"? In "Core Protecctions" we can only choice between "Accept" & "Inactive". Could youo help me?

3 repliesShow more activity

Vladimir Yakovlev (to Carlos Jara) 1 week ago (Show more Show less)

Use options 4 or 5, depending on the desired outcome.

Actions