Threat Prevention

Pedro Amaral in Threat Prevention4 days ago (Show more)

Missing Core Activations and Inspection Settings

Hi Mates, After the upgrade to R80.10 on a MDS, hosting 5 CMAs, we are facing a very strange issue and until now the struggle is huge but no luck on sorting it out. In one of the CMA we need to make some tweaks on “Inspections Settings” for both FTP and MGCP and somehow we don’t have such settings available to manage. In fact we only 9 of them… (Show more)

4 repliesShow more activity

Maarten Sjouw (to Pedro Amaral) 3 days ago (Show more Show less)

For the IPS core, my guess would be that you will need to completely reset all IPS, reload a new database and continue from there. We had some weird problems with IPS a while back and this did the trick.

Actions

Matt Parfitt in Threat Prevention3 weeks ago (Show more)

Content Awareness R80.10 - Blocked request

Content Awareness in R80.10 - A user is trying to download some packages from a program called Unity and some are failing to download. After looking through the logs I repeatedly see a log that is blocking and the reason is 'Blocking request as configured in engine settings of Content Awareness. Reason 1 - Content Awareness - Error while… (Show more)

8 repliesShow more activity

Matt Parfitt (to Kyle Danielson) 3 days ago (Show more Show less)

I'm going back and forth to our vendor, then to CheckPoint support and then back. I'm debating whether to turn on fail-open as this is just using up too much of my time and stopping a lot of users from uploading & downloading files. It seems there's some sort of limit at 200mb, although when running fw ctl get int fileapp_max_upload_file_size it …

Actions

John Paul Hayes in Threat Prevention1 week ago (Show more)

Enabling SandBlast on AWS vSEC server

Hi Folks, We operate a web platform completely hosted in AWS. A new client we have requires that we use Sandblast to scan documents before they are sent to them. Sandblast looks to be the software for the job. The usage scenario is we store the documents in an AWS S3 bucket and have them scanned there. A piece of middleware will send… (Show more)

3 repliesShow more activity

Dameon Welch Abernathy

(to John Paul Hayes) 1 week ago (Show more Show less)

You are looking in the GAIA WebUI, not SmartDashboard, which is where you would configure what Danny suggests. However, for the use case you describe, you might find the following interesting: Protecting AWS S3 Buckets with SandBlast

Actions

Philipp Philippov in Threat Prevention2 weeks ago (Show more)

Exclude Windows updates from Threat Emulation

Hello Guys, What approaches do you use to exclude multitude of .cab files which are part of Windows and Office updates from Threat Emulation without blocking all the .cab files in general? I tried to add a global exception to threat prevention policy based on sites (*.windowsupdate.com and etc), but it seems to me it does not work. I am very… (Show more)

5 repliesShow more activity

Thomas Werner

(to Philipp Philippov) 1 week ago (Show more Show less)

Can you check the log details ? If it does not show "trusted source" or "local cache" here you need to open a ticket. Then we will add the missing servers to our global whitelist which will be automatically updated in your environment. Regards Thomas

Actions

Brianpiraty Alexi in Threat Prevention2 weeks ago (Show more)

IPS protection

Any one has good documentation link for checkpoint IPS configuration R 80.10 with IPS policy update (a) can you describe the Performance impact and confidence level parameters

3 repliesShow more activity

Günther W. Albrecht (to Brianpiraty Alexi) 2 weeks ago (Show more Show less)

Please also look into the IPS Self Help Guide for R80.10 - here, you will find references to sk43733 How to measure CPU time consumed by IPS protections and sk110737 IPS Analyzer Tool - How to analyze IPS performance efficiently as well as for other resources.

Actions

Matt Parfitt in Threat Prevention3 weeks ago (Show more)

Postfix - Recipient address rejected

We are seeing a lot of email being rejected by postfix, some of which is legitimate email that should be delivered. What I'm seeing from the maillog is logs such as the following; NOQUEUE: reject: RCPT from unknown[Our IP Address]: 554 5.7.1 <Internal Email address>: Recipient address rejected: Access denied; from=<External Email Address>… (Show more)

2 repliesShow more activity

Thomas Werner

(to Matt Parfitt) 2 weeks ago (Show more Show less)

Hi Matt, please don´t edit main.cf directly as it will be overwritten at each policy install. Please use this: How to change Postfix configuration for Threat Emulation MTA Can you post more infos on your mailflow ? NOQUEUE: reject: RCPT from unknown[Our IP Address]: 554 5.7.1 <Internal Email address>: Recipient address rejected: Access…

Actions

Mark Holmes in Threat Prevention2 weeks ago (Show more)

Mail Alert and Logging for IPS Protection

Hi, Is it possible for a mail alert to be generated when a specific IPS protection is triggered, as well as logging it to the log? We have SmartEvent R80 but otherwise a dedicated logging and management running R77.30. I'm not finding a clear answer that I can have both mail alerting and for it to be logged at the same time. Thanks

2 repliesShow more activity

Mark Holmes (to Mark Holmes) 2 weeks ago (Show more Show less)

Thanks Alejandro!

Actions

Libin Thomas in Threat Prevention4 weeks ago (Show more)

Multiple Threat prevention profile in R80.10

Team, Can we create Multiple threat prevention profile in R80.10 , One profile with AV & AB blade enabled with prevent action and the other profile is having only IPS enabled .

10 repliesShow more activity

Vladimir Yakovlev (to Oren Koren) 2 weeks ago (Show more Show less)

Profile suggestions as per my previous post: For the rough profiles definitions, we can use "Windows" and "Linux" specific profiles. Under Windows profile category, Servers and Clients (with Servers, omitting the things like Adobe Flash and Reader, IE and other, application specific protections). Under Linux, same breakdown with Server and…

Actions

Jamie Thatcher in Threat Prevention3 weeks ago (Show more)

DLP Regular Expression

Hi CheckMates, I'm trying to pickup a word in DLP using a case sensitive weighted keyword. Ive tried a few variations of regular expressions but none seem to work, Can anyone help? Thanks Jamie

2 repliesShow more activity

Jamie Thatcher (to Günther W. Albrecht) 3 weeks ago (Show more Show less)

Thanks for your reply Günther. As noted above, the SK suggests that the RegEx filtering is not case sensitive. Do you (or anybody) know if there is a different way of achieving the case sensitive filtering? Maybe CPCode? Thanks

Actions

Jan de Gier in Threat Prevention1 month ago (Show more)

IPS Exception question

Hi Checkmates, I recently enabled IPS in detect mode to make sure that I have all false positives removed before enabling in prevent mode. One of the false positives is coming from a monitoring system, that I want to create an exception for. The monitoring system detects "Brute force scanning of CIFS ports". I tried to create a global… (Show more)

13 repliesShow more activity

Jan de Gier (to Dameon Welch Abernathy) 4 weeks ago (Show more Show less)

Thanks Dameon, That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same, however if needed I still have the logs for other servers that may be involved in an attack. If I ignore logs for this signature complete, than I lose the logs that I might need…

Actions

Manage

Recent Activity