https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209114#M39628 <P>Thats an excellent reference.</P> <P>Andy</P> Tue, 19 Mar 2024 13:29:37 GMT the_rock 2024-03-19T13:29:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209039#M39607 <P>Hi All,</P><P>Customer want me to configure the IPS update to be in Detect Mode<BR />rather than in prevent mode. They want me to review the traffic for one week<BR />before configring to Prevent mode.</P><P>My humble Question is<BR />"How do I determine business impact of new IPS signatures against traffic<BR />hits when in Detect Mode."</P><P>I have to give customer report and move the IPS Signature into Prevent mode after a week.</P><P>&nbsp;</P><P>Regards,</P><P>Olu</P> Mon, 18 Mar 2024 15:57:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209039#M39607 OLU_TSC 2024-03-18T15:57:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209043#M39609 <P>You have to analyze the Detects to see if they involve any critical clients/servers as a starting point.<BR />A protection that triggers regularly might be a false positive and/or might need further testing in Prevent mode in the lab before enabling in production.</P> Mon, 18 Mar 2024 16:25:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209043#M39609 PhoneBoy 2024-03-18T16:25:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209057#M39611 <P>Thanks PhoneBoy,</P><P>Can you please give an idea of how to analyse the Detect please.</P><P>example&nbsp;blade:IPS action:Detect XXXXXXXXX? What else can i use.</P><P>Thanks</P> Mon, 18 Mar 2024 17:11:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209057#M39611 OLU_TSC 2024-03-18T17:11:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209070#M39615 <P>That starts with knowing what the actual source and destination are and what applications are involved.<BR />A signature that triggers for an application that isn't on the source/destination might be a false positive.<BR />A lot of Detects for a given signature/source/destination may indicate a false positive also.</P> Mon, 18 Mar 2024 23:09:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209070#M39615 PhoneBoy 2024-03-18T23:09:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209072#M39616 <P>We did this for client that became CP customer back in 2021 and we showed them that after 2 weeks of IPS being in detect mode, there were no false positives, which is good time to turn on optimized profile.</P> <P>You can also use built in IPS report if you turn on smart event blade on the mgmt server.&nbsp;</P> <P>Best,</P> <P>Andy</P> Tue, 19 Mar 2024 00:49:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209072#M39616 the_rock 2024-03-19T00:49:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209111#M39626 <P>You could enable IPS in detect only mode and let it log for a few days.</P> <P>After some time review the logs and compare them to the profile you would like to activate to see what protections will be detected / prevented and inactive. Depending on the profile(strict or optimized) an protection will be set to a certain level depending on performance and confidence level. Also copy the standard profile so you can always work and edit a copy!</P> <P><A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/Troubleshooting.htm?Highlight=%22detect%20only%22#Troubleshooting_IPS_for_a_Security_Gateway" target="_blank">https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/Troubleshooting.htm?Highlight=%22detect%20only%22#Troubleshooting_IPS_for_a_Security_Gateway</A></P> <P>See under:</P> <H2>Troubleshooting<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ips variable">IPS</SPAN><SPAN>&nbsp;</SPAN>for a<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable">Security Gateway</SPAN></H2> Tue, 19 Mar 2024 12:55:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209111#M39626 Lesley 2024-03-19T12:55:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209114#M39628 <P>Thats an excellent reference.</P> <P>Andy</P> Tue, 19 Mar 2024 13:29:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Update-in-Detect-Mode/m-p/209114#M39628 the_rock 2024-03-19T13:29:37Z