https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162409#M28873 <P>Review the IPS Protections for yourself to see what will be blocked.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="85CFBAE2-AE6C-46E0-BF5B-656F9C02A4A6.jpeg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18456iF719028E9E9D0A83/image-size/large?v=v2&amp;px=999" role="button" title="85CFBAE2-AE6C-46E0-BF5B-656F9C02A4A6.jpeg" alt="85CFBAE2-AE6C-46E0-BF5B-656F9C02A4A6.jpeg" /></span></P> <P>What is your precise definition of “massive TCP connections”?<BR />If you’re concerned about that happening, you can use the ratelimiting functions.&nbsp;<BR />See:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-DDoS-fw-sam-vs-fwaccel-dos/td-p/41525" target="_blank">https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-DDoS-fw-sam-vs-fwaccel-dos/td-p/41525</A><BR /><BR /></P> Thu, 17 Nov 2022 23:28:10 GMT PhoneBoy 2022-11-17T23:28:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162266#M28843 <P><SPAN>Can Checkpoint&nbsp;5200 PB-20 IPS assess the content from incoming packets for Mysql database server (port 3306)? If the packet is according to a real Mysql packet then this can be forwarded to the database server, otherwise it will be dropped. The idea is to avoid DDOS attacks by sending massive TCP connections to Mysql server by Telnet or another application.</SPAN></P> Wed, 16 Nov 2022 19:27:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162266#M28843 userLearnCP 2022-11-16T19:27:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162290#M28844 <P>Yes, it can.<BR />However, I’m curious why the concern about DDoS since a MySQL server should only be accessed from specific hosts, not generally accessible from the Internet.<BR />While we can do some rate limiting and such if required, if you’re really concerned about DDoS,&nbsp;Check Point sells specific solutions for this.</P> Wed, 16 Nov 2022 21:24:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162290#M28844 PhoneBoy 2022-11-16T21:24:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162294#M28845 <P>My suspect it's not about someone from outside but It's someone from inside who can execute it from these specific hosts even.</P><P>&nbsp;</P><P>I have the following questions:</P><P>1) By customizing Threat Prevention with IPS would help in case of malformed mysql packets?</P><P>2) There is an option of 'IPS Protections' from SmartConsole. Can one of these protections match about the&nbsp;case I explained?</P> Wed, 16 Nov 2022 22:31:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162294#M28845 userLearnCP 2022-11-16T22:31:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162409#M28873 <P>Review the IPS Protections for yourself to see what will be blocked.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="85CFBAE2-AE6C-46E0-BF5B-656F9C02A4A6.jpeg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18456iF719028E9E9D0A83/image-size/large?v=v2&amp;px=999" role="button" title="85CFBAE2-AE6C-46E0-BF5B-656F9C02A4A6.jpeg" alt="85CFBAE2-AE6C-46E0-BF5B-656F9C02A4A6.jpeg" /></span></P> <P>What is your precise definition of “massive TCP connections”?<BR />If you’re concerned about that happening, you can use the ratelimiting functions.&nbsp;<BR />See:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-DDoS-fw-sam-vs-fwaccel-dos/td-p/41525" target="_blank">https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-DDoS-fw-sam-vs-fwaccel-dos/td-p/41525</A><BR /><BR /></P> Thu, 17 Nov 2022 23:28:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162409#M28873 PhoneBoy 2022-11-17T23:28:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162491#M28904 <P>Thanks for the picture and the link.</P><P><SPAN>What is your precise definition of “massive TCP connections”?</SPAN></P><P><SPAN>- I mean multiple TCP connections. I tried to mention it as a synonym. These connections are associated with packets.</SPAN></P> Fri, 18 Nov 2022 19:57:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-Checkpoint-5200-PB-20-IPS-can-inspect-Mysql-packets/m-p/162491#M28904 userLearnCP 2022-11-18T19:57:43Z