Threat Prevention | CheckMates

Demith Samaraweera in Threat Prevention3 months ago (Show more)

Hi All We have a situation where R80.10 Mgmt/GW we have created multiple Threat Prevention (TP) rules, each rule with different blade (Profile) enable, e.g. Rule 1- IPS Rule 2 - AV Rule 3 - Threat Prevention Isn't Check Point supposed to go through each and every rule and execute all blades? What we see it just hits the first rule (IPS)… (Show more)

7 repliesShow more activity

Demith Samaraweera (to Timothy Hall) 1 day ago (Show more Show less)

Hi Tim That is great, I just understood what was the issue, I have actually added 3 rules to the same layer thinking I have created 3 separate TE layers Thanks for the explanation.

Actions

Omer Shliva

in Threat Prevention2 weeks ago (Show more)

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) IntroductionThe IPS Analyzer Tool collects information about the IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. Analyzer tool processes the statistic outputs and produces a clear HTML report based on that output.…

7 commentsShow more activity

Omer Shliva

(to Santiago Platero)2 days ago (Show more Show less)

Santiago, Thank you for your comments. Replacing scripts to improved version is under “procedure for versions R77 and above” in sk43733 and is not specified under “procedure for versions R80.10”. We will update sk43733 so it would be more clear. Regarding “Threat prevention protections”, the tool currently displays only IPS protection…

Actions

Omer Shliva

in Threat Prevention4 days ago (Show more)

Threat Prevention Meta Data

This document defines how severity, performance and confidence levels are assigned to new protections across various threat prevention blades.

Santiago Platero in Threat Prevention5 days ago (Show more)

SMTP encrypted session bypassed, yet attachments are emulated

Hi community long time no see (dunno why these days can't login to CheckMates), I'm seeing some strange things in the Firewall and Threat Emulation logs, but first some context: - R80.20 GA Management - R80.10 Security Gateway, with Threat Emulation blade enabled (emulation occurs in the Check Point Cloud), MTA enabled and imported the SSL… (Show more)

Carlos Jara in Threat Prevention2 months ago (Show more)

How can I avoid "Host Port" scan?

Hi, We have a lot of "Host Port Scan" events in. How can I avoid "Host Port Scan"? In "Core Protecctions" we can only choice between "Accept" & "Inactive". Could youo help me?

9 repliesShow more activity

Berry Smith (to Carlos Jara) 5 days ago (Show more Show less)

This Host port scan provides many features as I know this is Shows the open TCP ports, services, and version information, Includes operating system information and reverse DNS results, The original Nmap output is also included.

Actions

Tomer Sole

in Threat Prevention4 months ago (Show more)

IPS Analyzer Tool - are you running it?

The IPS Analyzer Tool runs on your gateway for a short amount of time, and issues an HTML report of which individual IPS protections took the most CPU and RAM on the gateway during the runtime of the tool. Supported Gateways are R77 and above. For more information go to IPS Analyzer Tool - How to analyze IPS performance efficiently I… (Show more)

5 repliesShow more activity

Omer Shliva

(to Tomer Sole) 2 weeks ago (Show more Show less)

The tool can now be downloaded from here: IPS Analyzer Tool - How to analyze IPS performance efficiently

Actions

Serged7631f0d-a6fd-4106-8d02-849f1cfd08dd in Threat Prevention7 months ago (Show more)

Jump page listing all Check Point vulnerabilities from past years

Hello CheckMakes, I was updating vulnerability management process with recent links point to each vendor dedicated security Advisories page. Did all other firewall vendors without a problem and stumbled into an issue with Check Point. I was not able to find page dedicated to _product_ vulnerabilities. I can not find the way to search for… (Show more)

6 repliesShow more activity

Dameon Welch-Abernathy

(to Bradley Marshall) 2 weeks ago (Show more Show less)

That page should include information about security issues we're planning to patch as well. For example, when we posted the issue about SegmentStack and FragmentStack, we did not have fixes for some of the appliances yet. It may also contain statements about security issues in general technology used in security products (e.g. Bleichenbacher…

Actions

slobodan milidrag in Threat Prevention9 months ago (Show more)

IPS Core protection - I need help to better understand

Dear team, I need your help to better understand IPS Core protections. I found in documentation: IPS Core protections - These protections are included in the product and are assigned per gateway. They are part of the Access Control policy. Why is that ? If IPS Core protections are assigned globally (per gateway), why in Signature I have… (Show more)

10 repliesShow more activity

Dameon Welch-Abernathy

(to Timothy Hall) 2 weeks ago (Show more Show less)

Click on the + in the Source/Destination field of a rule. Select Import > Updatable Objects. You can find updatable objects for: AWS Services Office 365 Country Objects

Actions

Shared by Tal Eisner

from General Product Topics2 weeks ago (Show more)

SandBlast Agent named top endpoint solution by AV-TEST

@Check Point is pleased to announce its SandBlast Agent solution passed AV-TEST Institute’s lab tests with excellent results and has been named a “Top Product” by the independent IT security organization. This announcement comes on the heels of Check Point being named a leader in the Forrester Wave™ Endpoint Security Suites, Q2 2018 report. The… (Show more)

Michael Gonnason in Threat Prevention5 months ago (Show more)

TCP Segment limit enforcement

Does anyone have any details regarding "TCP Segment limit enforcement" is? We are running R80.10 take 70 on all devices. We recently had an issue where our Checkpoint was causing a slowdown in all traffic, which was solved by failing over the cluster. After that I was looking through the logs and saw millions of matches on the IPS… (Show more)

5 repliesShow more activity

awilk99fbe18d-5cf1-4543-9936-535b8747c024 (to Michael Gonnason) 2 weeks ago (Show more Show less)

Regarding impact after disabling a protection: I believe to have read somewhere and/or logically think that disabling this protection will basically allow an attacker to bypass ALL your layer 7 protections in URLF, APCL, IPS, DLP, AV etc.. This is because you would allow passthrough of packets (i.e. bytes, URLs, malware) that contain data that the…

Actions