Log for IPS but with a Drop rule for exact source IP

Eikkichi — Thu, 04 Sep 2025 12:14:44 GMT

Hi,

Im trying to get some info regarding the process of incoming traffic , What blades it follows .

According to Chat if its correct :

For an incoming packet on a Check Point Security Gateway, the blades are typically processed in the following order: first, anti-spoofing and then the Security Policy (which includes Application Control, URL filtering, and Content Inspection). If the connection is accepted, Threat Prevention (including Antivirus, IPS, and other features) is applied. TLS/SSL Inspection may occur before or during the Security Policy inspection depending on configuration.
Here's a breakdown of the typical order:
1. Anti-Spoofing:
The first check is to prevent spoofed IP addresses from entering the network.
2. Security Policy:
This is the main set of rules that determines whether traffic is allowed or denied.
TLS/SSL Inspection (Conditional): If TLS/SSL Inspection is enabled on the gateway, it's applied at this stage, before or during the main security policy inspection.
Application Control, URL Filtering, Content Inspection: These blades are part of the Security Policy and inspect the traffic for allowed applications, web sites, and specific content.
3. Threat Prevention:
If the traffic is accepted by the Security Policy, it then moves to the Threat Prevention stage.
Antivirus (AV), IPS, etc.: This includes features like Intrusion Prevention System (IPS) and other threat detection and prevention mechanisms.
Key Considerations
Configuration Dependent:
The exact order can vary based on the specific features enabled and how they are configured in your Security Policy and blade settings.
Firewall Policy:
The Security Policy is where you define the rules for accepting or blocking traffic based on various criteria.
f-monitor:
You can use the fw monitor tool to see the actual inspection points for incoming traffic (e.g., i for pre-inbound, I for post-inbound).

There is a security Policy with a source IP : dst : Any : all ports drop.

But we see that IP in the IPS Log with a prevent .

Why would we see this IPS log and not a drop.

Re: Log for IPS but with a Drop rule for exact source IP

PhoneBoy — Mon, 08 Sep 2025 20:52:09 GMT

To determine the exact reason, please provide a screenshot of the full log card with sensitive details redacted.

Re: Log for IPS but with a Drop rule for exact source IP

the_rock — Mon, 08 Sep 2025 23:02:26 GMT

Do you see drop on network layer?

Andy

Re: Log for IPS but with a Drop rule for exact source IP

Chris_Atkinson — Mon, 08 Sep 2025 23:08:26 GMT

Is the traffic matching an implied rule?

Re: Log for IPS but with a Drop rule for exact source IP

the_rock — Mon, 08 Sep 2025 23:12:03 GMT

Good point Chris. Though, as Phoneboy said, we need to see full log, otherwise, its purely guessing.

Andy

topic Re: Log for IPS but with a Drop rule for exact source IP in Firewall and Security Management

Log for IPS but with a Drop rule for exact source IP

Re: Log for IPS but with a Drop rule for exact source IP

Re: Log for IPS but with a Drop rule for exact source IP

Re: Log for IPS but with a Drop rule for exact source IP

Re: Log for IPS but with a Drop rule for exact source IP