topic Re: IPS Core Inspection and Custom Policy Exception Rule in Firewall and Security Management

IPS Core Inspection and Custom Policy Exception Rule

starmen2000 — Wed, 14 Feb 2024 16:08:23 GMT

Hi Mates,

Quick question, What is the difference between adding an exception rule in Shared Policies->Inspection Settings->add exception and Threat Prevention -> Custom Policy-> Add exception

Thanks

Re: IPS Core Inspection and Custom Policy Exception Rule

the_rock — Wed, 14 Feb 2024 16:26:27 GMT

Inspection Settings - General

What can I do here?

Use this window to view Threat Prevention protections and their settings.

For configuring individual inspections, see: Inspection Settings

Getting Here - Manage & Settings > Blades > General > Inspection Settings > General

Inspection Settings

You can configure inspection settings for the Firewall:

Deep packet inspection settings
Protocol parsing inspection settings
VoIP packet inspection settings

The Security Management Server

comes with two preconfigured inspection profiles for the Firewall:

Default Inspection
Recommended Inspection

When you configure a Security Gateway

, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

To activate the Inspection Settings, install the Access Control Policy.

Note - In a pre-R80 SmartConsole

, Inspection Settings are configured as IPS

Protections.

*****************************************************************

Exception is more to do with omitting, if you will, specific subnet/group from being "checked" or exempted from specific IPS or av/ab blades protections

Thats at least how I understand it, but if Im wrong, Im sure someone will correct me 🙂

Best,

Andy

Re: IPS Core Inspection and Custom Policy Exception Rule

starmen2000 — Wed, 14 Feb 2024 20:00:36 GMT

It looks complicated, but if I want to make an exception for ISP, do I need to do it in Custom policy - add exception rule or shared policy - inspection settings - add exception?

Re: IPS Core Inspection and Custom Policy Exception Rule

the_rock — Wed, 14 Feb 2024 20:27:30 GMT

Its its strictly IPS, then you do it from custom policy field. The inspection stuff is mostly for deep packet inspection, I would say. Thats what I remember from old says, even R55 version. It was way different of course, but same principle.

Best,

Andy

Re: IPS Core Inspection and Custom Policy Exception Rule

Timothy_Hall — Thu, 15 Feb 2024 13:39:12 GMT

There are really 3 kinds of what most administrators would consider IPS Protections or "Signatures", each with their own separate exception mechanism. Adding an exception in one of these categories will not impact the other two. Trying to manually add an exception in one of these three categories will almost always be in the wrong one and not do what you want, so the recommendation is to add them by clicking the "Add Exception..." hyperlink in the log card which will always take you to the correct exception category:

1) Inspection Settings - part of Access Control/Firewall blade and enforces secure protocol behavior (146 fixed items)

2) IPS ThreatCloud Protections - Typical IPS blade protections that look for a certain known exploit, and can be updated and added onto with updates from the ThreatCloud (12,800+ items)

3) IPS Core Activations - 39 special signatures that for technical reasons straddle Access Control and Threat Prevention and can be notoriously difficult to deal with (39 fixed items)