topic Re: What are IPS Staging Protections? And how do we clear them? in Firewall and Security Management

What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Tue, 13 Sep 2016 08:10:55 GMT

In R80, following an IPS Update, newly downloaded protections are marked in "staging". This means that if their state according to the profile is Prevent or Detect, as long as the user doesn't clear the flag, it's marked as "Detect (staging)" with a little clock icon on top of it. Protections that should be inactive remain inactive.

The plan is that you can keep them in staging until you decide whether they should behave according the profile's settings, or override them with a different action, for example based on traffic after policy installation.

From the IPS Protections view, you can filter protections to only show the ones that are in Staging.

You can control this setting from the Profile Editor:

Clearing protections from Staging can be done from the IPS Protections view.

Please note that in order to change the staging counter, you have to clear a protection from staging in all IPS profiles, not just the ones that are seen on the screen. So either change the visible profiles to “all”:

or make sure you clear the staging status from all profiles by right-clicking the protection and selecting “restore to profile settings”.

Re: What are IPS Staging Protections? And how do we clear them?

Brian_Deutmeyer — Tue, 18 Apr 2017 20:47:48 GMT

It appears the Clear staging option is grayed out and cannot be selected. How do I clear the staging without doing the restore to profile option?

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Tue, 06 Jun 2017 09:37:46 GMT

I apologize for not seeing this sooner.

I'm not sure what you mean, clearing the staging de facto restores the activation to the profile's setting... Is there something else that you wish to do there?

Re: What are IPS Staging Protections? And how do we clear them?

Vladimir — Mon, 18 Jun 2018 00:04:31 GMT

Tomer,

I do not see any protections in "Detect" or "Staging" status on any protections in the profile cloned from "Optimized", after updates are downloaded :

Even with "Additional Activation" enabled, I still expect to see the low confidence in "Detect" if not "Staging"

But there are none in those states present. When filtered by "Low Confidence", all protections are disabled.

I am also not seeing filters for "Activation Status" even when it is selected:

Any ideas?

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Mon, 18 Jun 2018 04:01:27 GMT

Is the profile being used by the policy? Or is it hidden from the view since it's not in use?

Re: What are IPS Staging Protections? And how do we clear them?

Vladimir — Mon, 18 Jun 2018 12:25:51 GMT

This is the active profile used in the Policy:

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Mon, 18 Jun 2018 16:55:06 GMT

this shouldn't happen.... please open a support ticket so that we will have an R&D team looking at the issue.

Re: What are IPS Staging Protections? And how do we clear them?

Vladimir — Tue, 19 Jun 2018 01:37:13 GMT

Opened 3-0371393181.

If you could help facilitating its resolution, I'll be much obliged.

So far, no dice. To make things even more interesting, I've just pulled the IPS update on my second Management server in a separate infrastructure and am looking at identical situation.

Unless I am exceptionally lucky, I suspect that something is changed in the way updates are behaving.

To summarize:

1. When multiple profiles, including three stock profiles are filtered to show a "low confidence" protections, only "Strict" has them in "Detect" or "Staging" modes:

2. There are no traces in the Audit Log that would indicate any changes to the behavior of the protections prior to the update that borked them:

The stock profiles were untouched and the only profile that was subjected to any kind of manipulation was the clone of the "Optimized with TE and TX removed:

The breakdown of the "Optimized_wo-TE_TX":

Does not show anything that could cause it behave the way it does.

Same goes for the original "Optimized" and "Basic".

The update that triggered this behavior is 635183954 on one of the management servers prepped for deployment:

And the same update caused same issues in another POC environment:

"Switch to version" earlier than 63513954, after application of that update, does not revert protections in "Basic", "Optimized" and clone of "Optimized" to "Detect" mode.

"Profile cleanup" with "Remove all user modified" does not revert it to normal state as well.

Has anyone seen similar behavior before or are seeing it now?

Thank you,

Vladimir

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Tue, 19 Jun 2018 16:09:33 GMT

Hi,

The reason why those are in Inactive is due to the tag "Threat Prevalence:Rare". All protections with Confidence:Low are tagged with "Threat Prevalence:Rare". The 2 profiles that you mentioned have "Threat Prevalence:Rare" in the Protections To Deactivate section.

I want to thank Raz Shlomo for explaining. Let's continue discussing these questions over this thread.

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Tue, 19 Jun 2018 16:12:54 GMT

There is something I didn't mention.

The protections that are received the first IPS Update in every Management Domain, you know, when you jump from the initial 200 to the 9k protections, are not marked in Detect(Staging). This mechanism also works from the 2nd update and on. The purpose was to spare the need to clean the staging status from the 9k-200 protections that you download initially.

Re: What are IPS Staging Protections? And how do we clear them?

Vladimir — Tue, 19 Jun 2018 16:51:50 GMT

Thanks Tomer Sole Sole and Raz Shlomo for expanding on explanation for the protections behavior.

The problem that I have with this, is that there is not a single protection left with "Detect" in the "Optimized" and "Basic" after above mention update irrespective of the confidence level.

The "Low Confidence" was selected for simplicity and because in the profile definition, it is explicitly states that "Low Confidence" should be in "Detect" mode.

I understand their absence from "Detect(Staging)", but after first update, the only modes displayed are "Disabled" and "Protect".

TAC was able to verify my findings and are reaching out to R&D for information about this behavior.

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Tue, 19 Jun 2018 17:21:56 GMT

On your second IPS Update and so on, newly downloaded protections will be in Detect(Staging) even if according to the profile they should be in Prevent.

I understand your point regarding the confusion at Low Confidence.

Re: What are IPS Staging Protections? And how do we clear them?

Vladimir — Wed, 20 Jun 2018 21:48:48 GMT

New protections in the second and onward updates are in the Detect(Staging), but there are no protections after the first update in "Detect" only mode, regardless of the confidence level, except in the "Strict" profile.

Re: What are IPS Staging Protections? And how do we clear them?

Tomer_Sole — Thu, 21 Jun 2018 04:26:18 GMT

Looking at your profile settings:

Things are only in Detect if:

- the protection is newly-downloaded AND the IPS Update is not the first one

- Confidence Level is Low AND not tagged with the excluded tags Threat Prevalence:Rare or Threat Prevalence:Obsolete --> which currently means no protection since all low-confidence protections are auto-tagged with Threat Prevalence:Rare.

This is good feedback though and we will consider giving more cues in the user interface regarding "final action".