topic Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point? in Firewall and Security Management

Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Tue, 17 Mar 2026 23:52:43 GMT

Check Point’s Intrusion Prevention System (IPS) is a core component of Threat Prevention, providing proactive protection against a wide range of network threats. Over time, the IPS engine and its signature formats have evolved, leading to the coexistence of "normal" and "version 2 (Ver 2)" signatures. This post explains the technical reasons for maintaining both, their architectural differences, and best practices for deployment.

IPS Architecture Overview

Check Point IPS uses a multi-layered detection engine:

Passive Streaming Library (PSL): Reconstructs network streams for inspection.
Protocol Parsers: Identify and separate protocols (HTTP, FTP, DNS, etc.) for context-aware analysis.
Context Management Infrastructure (CMI): Determines which protections (signatures) apply to each protocol context.
Pattern Matcher: The detection engine that uses signatures to identify malicious patterns.

IPS Inspection Flow Diagram

Traffic is processed through multiple analysis stages, with signatures applied at different protocol layers.

Normal vs. V2 Signatures: Technical Comparison

Feature	Normal Signature	V2 Signature (INSPECTv2)
Detection Engine	Classic Pattern Matcher	INSPECTv2 (advanced engine)
Coverage	Known threats	New threats, evasive techniques, improved accuracy
Performance	Lower resource usage	May require more CPU/memory, but optimized for accuracy
Compatibility	Legacy gateways	Modern gateways (R80+)
Update Frequency	Less frequent	Updated regularly

Normal Signatures: Use traditional pattern matching, suitable for legacy environments and lower resource consumption.

V2 Signatures: Leverage the advanced INSPECTv2 engine, supporting complex logic, context awareness, and better detection of modern threats.

Why Maintain Both Signature Types?

Backward Compatibility: Some older gateways may not support V2 signatures. Keeping both ensures all devices remain protected.
Redundancy: If a V2 signature causes issues (e.g., false positives), the normal signature can provide fallback protection.
Gradual Migration: Allows administrators to test V2 signatures in "Detect" mode before fully switching from normal signatures.
Maximum Coverage: Certain threats may only be detected by one signature type, so using both maximizes security.

Performance Considerations

V2 signatures can be more resource-intensive due to deeper inspection and advanced logic.
IPS Tuning: Administrators can enable/disable specific signatures or use different profiles for perimeter vs. internal gateways.
Bypass Under Load: IPS can be configured to bypass traffic during high load to prevent bottlenecks, but this should be used cautiously.

Best Practices for Managing Signature Versions

Test in Staging: Always test new V2 signatures in a non-production environment.
Monitor Updates: Review IPS update notes and apply urgent protections as needed.
Separate Profiles: Use different IPS profiles for different gateway roles (e.g., perimeter vs. datacenter).
Monitor Logs: Watch for false positives/negatives and adjust protections accordingly.
Gradual Rollout: Deploy V2 signatures in "Detect" mode before moving to "Prevent."

Summary

Normal signatures ensure compatibility and stability.
V2 signatures provide enhanced detection and future-proofing.
Maintaining both allows for a safe, flexible, and comprehensive security posture during transitions and upgrades.

References

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

PedroMacena24 — Wed, 18 Mar 2026 17:12:05 GMT

Crushed it!

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

the_rock — Wed, 18 Mar 2026 17:16:42 GMT

So good, as always.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

Timothy_Hall — Wed, 18 Mar 2026 17:20:35 GMT

Thanks @WiliRGasparetto, the recommendation to keep both versions of a signature active did make it into the Check Point Threat Prevention Specialist class, but there wasn't a clear explanation for why.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Wed, 18 Mar 2026 23:43:49 GMT

Is the material already released? Is it version 81.20? If it hasn't been released, you can take the text and use it.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Wed, 18 Mar 2026 23:46:26 GMT

I had a good teacher who taught me how to make good posts.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Wed, 18 Mar 2026 23:47:23 GMT

thk's bro

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

the_rock — Thu, 19 Mar 2026 00:20:17 GMT

Im 100% sure it was NOT me 😂

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Thu, 19 Mar 2026 03:36:48 GMT

Reconsider your concepts because it is indeed true, hehe.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

ccsjnw — Thu, 19 Mar 2026 12:01:27 GMT

Does anything need to be done to enable the V2 variant of IPS ?

We're running R82 with Jumbo Hot Fix Accumulator Take 60.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

the_rock — Thu, 19 Mar 2026 12:31:26 GMT

I dont believe so. As long as blade is enabled and updated, you should be good to go.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Thu, 19 Mar 2026 17:06:07 GMT

Starting with Check Point version R82, the IPS Engine 2.0 (also called IPS version 2) is natively enabled in the system. In other words, it is not necessary to install any specific Jumbo Hotfix (such as Take 60) to activate or use the IPS Engine 2.0 in this version.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Thu, 19 Mar 2026 17:06:47 GMT

exactly

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

the_rock — Thu, 19 Mar 2026 17:08:02 GMT

I wondered at one point if it had to be enabled, but since I could not find it anywhere, logically assumed it was enabled by default.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Fri, 20 Mar 2026 01:30:34 GMT

yes

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

asafebelo — Mon, 23 Mar 2026 13:18:44 GMT

Congrats, Wili!! Excellent post

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Mon, 23 Mar 2026 21:32:48 GMT

thank's bro

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

constant69 — Tue, 24 Mar 2026 06:41:57 GMT

Hello,

In the best practices for Managing Signature Versions, it is recommended to test V2 signatures in a non-production environment or to deploy them in Detect Mode.

I have a question that may sound a bit silly: how can a “V2 UP signature” be identified in SmartConsole?

In SmartConsole, I could not find any filters that allow sorting by IPS signature version.

And when I view the details of an IPS signature (as in the screenshot below of a recent signature), I cannot find any information indicating whether it is a Normal or V2 signature

Thank you in advance for your insights.

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

Daniel_ — Tue, 24 Mar 2026 06:59:35 GMT

The link to "Threat Prevention Administration Guide (R81+)" is not working (for me). I get "Not found"

Re: Technical Deep Dive Why Maintain Both Normal and V2 IPS Signatures in Check Point?

WiliRGasparetto — Tue, 24 Mar 2026 17:57:42 GMT

Your question is not silly at all! @constant69 Most people I know don't know how to see that.

A step-by-step guide on how to find version 2 in an IP signature.

You need to open the SmartConsole.

Go to Security Policies.

Then go to Threat Prevention.

Open Custom Policy.

In the lower-right corner, go to IPS Protections.

In the lower-left corner, go to ThreatCloud and select the checkbox.

At that point, you will need to look for the signature where you want to check version 2, or you can use the filter in the upper-left corner to filter by version 2, and you will see all available version 2 signatures.

From this stage, you can take whatever actions you prefer.