topic Re: FW blade drops a suspicious packet like IPS blade? in Firewall and Security Management

FW blade drops a suspicious packet like IPS blade?

saitoh — Tue, 26 Aug 2025 10:26:54 GMT

Hi all,

I heard FW blade played the role which IPS blade used to do, like dropping non-RFC compliant packet or something.

My experience of CP is so short that I am wondering where I can confirm what else kind/type of packet is subject to rejection.

AI assistant of CheckPoint says I can find it on Manage&Settings > Blade > General > InspectionSettings, but

also states InspectionSettings includes 'most' of those type of packets, not all.

He or she added this behaviour of FW blade had been implemented since R80.20.

However R80.10 smartconsole has InspectionSettings on the same page, which I was not expected.

I have a quite confusing idea now ;(

It would be lovely if you share your knowledge on this.

Saitoh

Re: FW blade drops a suspicious packet like IPS blade?

Chris_Atkinson — Tue, 26 Aug 2025 10:53:54 GMT

Inspection Settings & Core Protections fall into this category, not to worry IPS still very much exists.

Both those versions are quite old how do they compare/relate to your actual installation?

Re: FW blade drops a suspicious packet like IPS blade?

the_rock — Tue, 26 Aug 2025 11:50:43 GMT

Hey @saitoh

Greetings to a colleague in Japan! First, wanted to say, I always found Japanese culture to be the BEST and even that is an understatement.

K, had to say that, because it is true. Now, as far as the issue you describe. I had some questions...first off, what is the actual issue? Do you see drops in smart console/zdebug?

Also, keep in mind, when it comes to ips and inspection settings, those are totally 2 different things. Inspection settings are more related to deep packet/voip, things like that, while IPS is definitely more for protecting aginst known malicious activities.

I suggest updating to at least R81.20 if you can.

Andy

Re: FW blade drops a suspicious packet like IPS blade?

PhoneBoy — Tue, 26 Aug 2025 19:43:04 GMT

Several low-level packet checks are handled in the Firewall blade.
These are represented in the Inspection Settings and Core Protections panes and date back to the SmartDefense days (2000s pre-R70 and IPS Blade).

Re: FW blade drops a suspicious packet like IPS blade?

saitoh — Fri, 29 Aug 2025 08:09:37 GMT

Dear @PhoneBoy , @the_rock , and @PhoneBoy ,

Thanks for your comments as always. Wonderful you guys are always here to help people.

My apologies for lack of background info. Here's why I am interested in such a good old OS version.

Problems:

No urgent issue occurs. This question was written for begging info, not a solution.

Backgrounds:

Ahead of the replacement of customer's appliances which all run R80.10, with better ones of R82,

I have to investigate any system change made to the system, which might cause connectivity issues.

Their environment has old/original protocol packets, and many of them is likely to be non RFC-compliant.

(I know it is almost impossible to fully presume them all, but I would like to get a picture to some extent.)

What I would like to know:

1. Without IPS blade, can FW blade drop a suspicious packets like listed in Inspection Settings?

2. Apart from behaviour configured in Inspection Settings, is there any function which can drop a packet regardless of firewall policy?

I know in global properties there are the settings associated with a drop of packets like dynamic routing protocol, direct ping, and Ack without Syn.

I am not quite sure where else to check when policy-allowed packet is dropped at the appliance.

It has been very hectic in my office, so my colleagues seemingly do not have time for answering my question.. ;(

My effort alone cannot make them clear to me.

If you give me a pointer, I cannot thank you enough.

Saitoh

Re: FW blade drops a suspicious packet like IPS blade?

_Val_ — Fri, 29 Aug 2025 09:36:54 GMT

FW can drop packets for one of those reasons:

Anti-spoofing violation
Packet is out of state
Policy drop rule
Threat prevention policy decision

Re: FW blade drops a suspicious packet like IPS blade?

the_rock — Fri, 29 Aug 2025 11:51:18 GMT

Hey Saitoh,

I can totally see all the points Val made, regardless of what blades are enabled.

Andy

Re: FW blade drops a suspicious packet like IPS blade?

saitoh — Thu, 18 Sep 2025 06:19:18 GMT

Hi @_Val_ and @the_rock ,

I am sorry for the late reply, had been in a short holiday in Egypt.

And much appreciated to you guys for a concise and clear answer!

Saitoh

Re: FW blade drops a suspicious packet like IPS blade?

_Val_ — Thu, 18 Sep 2025 10:01:03 GMT

Glad to help

Re: FW blade drops a suspicious packet like IPS blade?

the_rock — Thu, 18 Sep 2025 10:02:36 GMT

Hey @saitoh

Yea man, hope you had nice Time! Egypt is very good destination, I know everyone goes to see pyramids, but I love Luxor, such a cool place.

Best,

Andy