topic Re: Efficient way to disable several hundred IPS protections that do apply to our environment in Firewall and Security Management

Efficient way to disable several hundred IPS protections that do apply to our environment

FM — Tue, 24 Nov 2020 17:15:57 GMT

1. What is the the most efficient way to disable several hundred IPS protections that do apply to our environment? We are trying to avoid the use of manual method such as shown in the attached screenshot.

2. Can you also share a strategy how to apply different list of IPS rules for the External and Internal Policy. For example, IPS protections that the attack requires that the vulnerable system be exposed to the internet should not be applied to the internal firewall policy.

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

AlejandroH — Tue, 24 Nov 2020 18:52:42 GMT

You can create a profile for the specific area you are protecting, and inside the properties of that profile you can deactivate protections for specific vendors, products, etc...

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

FM — Tue, 24 Nov 2020 19:37:31 GMT

Thank you for sharing the info!

Is their a way to identify IPS protections based on their applicability to the internal network that is behind the internal firewall? For example based a category of attack types; SQL injection, XSS, etc?

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

AlejandroH — Tue, 24 Nov 2020 20:09:10 GMT

Normally the best way to address the needs for protections in the different parts of the network is entirely around a few things:

1. Asset management: Knowing what assets are in different parts of the environments based of change control requirements in your organization.

2. Vulnerability assessments: If you are running a vulnerability scanning tool (Rapid7, Nessus, OpenVAS) you can look at the assets in the network and build your IPS profile with what is in that part of the environment.

3. Tailored Safe: If you are running R80.30+, you can enable SmartExtension called Tailored Sage and it will build a profile around the hits in your logs. You can just validate the IPs with what services are out there. https://community.checkpoint.com/t5/SmartEvent/IPS-Utilization/m-p/100329

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

FM — Tue, 24 Nov 2020 21:14:07 GMT

1. We do run vuln scan with Rapid7. What kind of report can run to identify the assets in the environment?

2. Can I use SCCM?

3. I will read the documentation on "Tailored Sage". Our management gateways are R80.40 but the blades are at R80.20.

Finally, how can disable, the several hundred non-applicable IPS protections which are in the current profile, other than by selecting each protection one by one manually? --For example using a csv file

Thank you.

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

PhoneBoy — Tue, 24 Nov 2020 23:05:01 GMT

The most efficient way to disable a bunch of protections is via the API.
On the other hand, why do you feel this is necessary?

If your logic is: better performance with less signatures, you won’t achieve better performance by doing this since most of the performance impact comes from turning on IPS to begin with, not necessarily the specific signatures used (though high/critical performance impact ones will).
If your logic is: reducing false positives, false positives may still be a thing even if you disable all those “irrelevant” signatures.
False positives can be dealt with as needed with exceptions in any case.

I don’t see what’s gained by going through the exercise.

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

Timothy_Hall — Tue, 24 Nov 2020 23:06:52 GMT

There are a lot of bulk operations that can be easily performed on collections of IPS signatures that are not immediately obvious, the following is excerpted from my "IPS Immersion" self-guided video series.

There are many hidden columns on the IPS Protections screen that can be revealed and then used to sort protections, I find the "Vendor" and "Product" ones very useful:

The Filters tab on the right is useful and well, and can have extra filtering criteria unhidden by clicking the "+" character, note the hidden vendor and product lists as well:

Once you get the desired list of protections displayed by using the various "Filter" tab checkboxes and even the search field above, and you want to perform a bulk operation upon all of those currently displayed, you can set all of them to Protect, Detect, or Inactive from the Actions menu with one click as shown below; these operations can be run on hundreds or even thousands of IPS Protections.

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

FM — Wed, 25 Nov 2020 15:16:42 GMT

Both reasons:
1. Reduce the specific signatures with performance impact.

2. And also reduce FPs for products or versions we do not have.

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

FM — Wed, 25 Nov 2020 15:44:12 GMT

Your post contains valuable information.

Is their any other strategy to define IPS protections based on whether the attack surface needs to be exposed to the internet for the attack to succeed or is unreachable because it is behind the internal IPS blade and the firewall?

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

Timothy_Hall — Wed, 25 Nov 2020 18:40:22 GMT

Not entirely sure what you are asking, but each IPS Protection is defined as either a "client" or "server" attack; you can expose this hidden header and then sort Protections by client/server to bunch them up for a bulk operation. The client/server designation is unfortunately not available on the Filters tab though.

Server attacks would normally be initiated inbound from the Internet against your server which has some exposure to the Internet, although obviously a server-based attack could be launched from the inside as well. Client attacks usually occur when an internal system visits or is tricked into visiting a malicious website, which then tries to exploit a vulnerability in the client's browser, and shove some kind of malicious code onto the client's machine for execution. So Server attacks would definitely qualify as "exposure" to the Internet, but really so would Client based ones, the connection just happens to be initiated by your internal client.

So I guess it depends on what you mean by "exposure".

Re: Efficient way to disable several hundred IPS protections that do apply to our environment

FM — Wed, 25 Nov 2020 16:43:15 GMT

You answered my intended question by elaborating it in your explanation.

Thank you!

-Faisal