https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251078#M49124 <P>Does the IPS recommendation also apply to other blades, such as AB and AV?</P> <P>&nbsp;</P> <P>Or AV/AB can be enabled on the VS's one needs, without the need to enable it also on VS0?</P> Wed, 11 Jun 2025 19:17:52 GMT Matlu 2025-06-11T19:17:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251062#M49117 <P>Hello, Mates.</P> <P>In VSX environments, the recommendation regarding enabling Threat Prevention Blades on all the VS's you have, is always going to depend on how ‘robust’ your main VSX box is?</P> <P>Does enabling Threat Prevention “force” you to also enable HTTPS Inspection on your VS's or is this always optional?</P> <P>Thanks for your recommendations.</P> Wed, 11 Jun 2025 15:50:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251062#M49117 Matlu 2025-06-11T15:50:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251064#M49119 <P>Hey bro,</P> <P>I always tell people to follow this mentality "When in doubt, always leave default settings". If then, you notice any issues, you can tailor it as needed.</P> <P>Andy</P> Wed, 11 Jun 2025 16:11:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251064#M49119 the_rock 2025-06-11T16:11:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251072#M49121 <P>You only enable IPS on VS0 for updates not to protect VS0. VS0 is for mgmt purpose&nbsp;</P> <P><A class="checkpoint_toggle" target="_blank">Should I enable IPS Software Blade on the VSX Gateway?</A></P> <DIV id="IPS_Q1"> <BLOCKQUOTE> <P>You must enable and configure the IPS Software Blade in these objects:</P> <OL> <LI> <P>VSX Gateway or VSX Cluster (because VS0 handles contract validation for all Virtual Systems).</P> </LI> <LI> <P>Applicable Virtual Systems.</P> </LI> </OL> <P>&nbsp;</P> <P>To enable Anti-Bot, Anti-Virus, or IPS on Virtual Systems</P> <P>Important:</P> <P>Make sure the routing, DNS, and proxy settings for the VSX GatewayClosed or VSX ClusterClosed Members (VS0) are configured correctly.</P> <P>You must enable and configure the Software Blades in these objects:</P> <P>VSX Gateway or VSX Cluster (because VS0 handles contract validation for all Virtual Systems).</P> <P>Applicable Virtual Systems.</P> <P>Make sure the VSX Gateway or VSX Cluster and the applicable Virtual Systems can connect to the Internet.</P> <P>Virtual Systems get updates through the VSX Gateway or VSX Cluster (VS0).</P> <P>If the VSX Gateway or VSX Cluster fails to connect, each Virtual SystemClosed uses its proxy settings to get the updates from the Internet.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regarding HTTPS inspection. Now you can run IPS without but you don't get the full inspection. The firewall cannot inspect traffic that is encrypted. Most traffic now is encrypted so it is quite important.&nbsp;</P> </BLOCKQUOTE> <P>&nbsp;</P> </DIV> Wed, 11 Jun 2025 18:17:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251072#M49121 Lesley 2025-06-11T18:17:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251073#M49122 <P>To enable IPS/AB/AV blades, there are 2 ways?</P> <P>Because I know people who enable these blades ‘Instance by Instance’ (VS x VS), but according to your explanation, I understand that I can enable the blades from the box as such (VS0) and this should ‘Replicate’ on all my VS's?</P> <P>Is that the logic?</P> Wed, 11 Jun 2025 18:28:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251073#M49122 Matlu 2025-06-11T18:28:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251074#M49123 <P>If you want to use IPS on a VS you always enable it on VS0 and any other VS that you want to run IPS.</P> <P>For example</P> <P>VS0: IPS</P> <P>VS1:No ips because internal fw</P> <P>VS2: IPS enabled</P> <P>You can attach a IPS profile on each VS, also VS0</P> Wed, 11 Jun 2025 18:34:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251074#M49123 Lesley 2025-06-11T18:34:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251078#M49124 <P>Does the IPS recommendation also apply to other blades, such as AB and AV?</P> <P>&nbsp;</P> <P>Or AV/AB can be enabled on the VS's one needs, without the need to enable it also on VS0?</P> Wed, 11 Jun 2025 19:17:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251078#M49124 Matlu 2025-06-11T19:17:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251087#M49126 <P>Yes, AB/AV should only be enabled on VSes where it is required.<BR />Traffic is checked via ThreatCloud, so the VS needs Internet access.</P> Wed, 11 Jun 2025 19:56:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251087#M49126 PhoneBoy 2025-06-11T19:56:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251096#M49131 <P>In general terms, does Threat Prevention make sense to be used in FW or VS's that have Internet access?</P> <P>Because these blades, enabling them in FW that do not have Internet access, would not make sense, right?</P> Wed, 11 Jun 2025 22:49:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251096#M49131 Matlu 2025-06-11T22:49:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251097#M49132 <P>Personally bro, at least in my logical opinion, it makes total sense to use those blades on VS with Internet access and NOT use them on ones that dont have it. Its literally same method for regular quantum fws and truth be told, pretty much applies to any fw vendor out there.</P> <P>Andy</P> Wed, 11 Jun 2025 22:53:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251097#M49132 the_rock 2025-06-11T22:53:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251105#M49139 <P>HTTPS is not mandatory for TP but what the blades can see is limited to clear traffic without it same as any gateway.</P> <P>IPS and TEX are the two blades I believe must be enabled also on VSO if to be used on other VS.</P> Thu, 12 Jun 2025 00:00:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251105#M49139 Chris_Atkinson 2025-06-12T00:00:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251123#M49147 <P>Yes also needed on VS0</P> <H2>Anti-Bot and Anti-Virus</H2> <DIV class="checkpoint_toggleAll">Click Here to Show This Section</DIV> <UL> <LI><A class="checkpoint_toggle" target="_blank">When I enable the Anti-Bot / Anti-Virus Software Blade in the Virtual System object, should I also enable this blade in the VSX Gateway object?</A><BR /> <DIV id="AB_AV_Q1"> <BLOCKQUOTE> <P>Yes.</P> <P>Because contracts validation and initialization of default updates parameters are performed from the VSX Gateway itself (context of VS0).</P> </BLOCKQUOTE> </DIV> </LI> </UL> Thu, 12 Jun 2025 07:38:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TP-Best-Practices/m-p/251123#M49147 Lesley 2025-06-12T07:38:39Z