topic Re: Autonomous Threat Prevention and Core Protections / Inspection Settings in Firewall and Security Management

Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Thu, 20 Mar 2025 11:02:17 GMT

Hi all,

we've switched to the autonomous threat prevention (R81.20) and I was wondering if the "old" IPS settings still apply in any way?

Profiles created / copied from the default Profiles (No-Prevention, Basic, Optimized, Recommended_Protection and Strict) under "Custom Policy" should be completely out of business - right?

Inspection Settings (Shared Policies) are still active and "Recommend Inspection" has to be used as best-practise

But what is with the Core Protections?

The only show up when I switch to the "Custom Policy" section. Since they have been activated in the older days without having IPS enabled I wonder if they are still in use after the switch to autonomous threat prevention?

Kind regards

Oliver

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Tal_Paz-Fridman — Thu, 20 Mar 2025 11:30:08 GMT

Core Protections - although shown under IPS are part of Access Control Policy and not Threat Prevention Policy.

This means they still apply:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ThreatPrevention_AdminGuide/Content/Topics-TPG/IPS_Protections_for_Autonomous_Threat_Prevention.htm?TocPath=Autonomous%20Threat%20Prevention%7C_____6

See section for Protection Types:

Core protections - These protections are included in the product and are assigned per gateway. They are part of the Access Control policy

In SmartConsole select Profiles (under Custom Policy Tools) > in the bottom pane press on link to Core Protections

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Tue, 25 Mar 2025 07:26:54 GMT

Ok - understood. But just to make sure: This is only for the Core Activations specified in the profile. The other profile settings (marked pink) have no impact on the autonomous threat profil?

So it would be possible to create a profile under custom profiles with everything deactivated and only specify the needed settings for the Core Activations?

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Tue, 25 Mar 2025 07:27:32 GMT

Bump 🙂

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

PhoneBoy — Tue, 25 Mar 2025 14:27:31 GMT

It should not be necessary to define a Threat Prevention profile to manage the settings for the Core Protections as their settings are managed directly.
That's suggested by the tooltip in the screenshot @Tal_Paz-Fridman provided.

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Tue, 25 Mar 2025 14:55:22 GMT

OK - Got that! I filtered according to the tool tip and was able to see the Core Protections. But still one question remains:

When I view the core protections from one of the old profiles I can see actions according to the profile settings like shown here:

Also when I select the Gateways section I can see a profile attached to my fw-cluster:

So if there is no need to create a profile for the Core Protections -> Can I just delete my custom made profiles and than do what? Will than the "default action" of the Core Protection kick in? This is kind of confusing me 😞

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

PhoneBoy — Tue, 25 Mar 2025 21:37:01 GMT

I will try to get a definitive answer to this question about what happens with Core Protections with ATP.

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Wed, 26 Mar 2025 07:50:04 GMT

Thank you in advance. Looking forward to the final wisdom 🙂

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Timothy_Hall — Thu, 27 Mar 2025 02:58:19 GMT

My guess that since Core Protections/Activations and Inspection Settings changes are made effective by installing the Access Control policy (not the Threat Prevention policy which is fully controlled by Autonomous mode), these still operate independently even though Autonomous Threat Prevention (ATP) is enabled. This is further bolstered by the fact the Core Protections/Activations and Inspection Settings have their own completely independent profile settings, completely separate from the IPS ThreatCloud protections which are controlled by profiles specified in the Threat Prevention policy itself (which ATP takes over).

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Mon, 31 Mar 2025 06:49:53 GMT

Hello @Timothy_Hall ,

my "guess" goes in the same direction. But I want to get away from guessing around ATP. Maybe @PhoneBoy has an final answer on this issue?

Kind regards
Oliver

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

G_W_Albrecht — Mon, 31 Mar 2025 09:22:24 GMT

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

G_W_Albrecht — Mon, 31 Mar 2025 09:24:22 GMT

What do you expect to gain by deleting the custom made profiles ? Could not be disk space, i think 😉 So why not just leave all as it is ?

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Mon, 31 Mar 2025 10:12:35 GMT

No - it is not about gaining disk space 🙂 It's more about getting to know what the system does. When using ATP how are the Core Protections controlled? Via one of the default (or custom profiles) profiles under the custom policy section? If not -> what controls the settings of the Core Protections when using ATP? Seems like nobody knows the answer 🙂

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

G_W_Albrecht — Mon, 31 Mar 2025 13:44:40 GMT

I think that this is rather confusing, too 😉 But if i look:

i find that Core Protections are configured according to the settings defined in IPS profile:

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

Oliver_Matt — Mon, 31 Mar 2025 14:19:46 GMT

Hi @G_W_Albrecht ,

looks the same on my side. When I use Autonomous Theat Prevent I specify the level of protection in the autonomous section. Please note that there are no profiles in the Autonomous policy tools (marked pink).

I can choose between these levels ...

So why in the world I need a IPS profile (custom of default) under the CUSTOM POLICY section when I use the Autonomous Policy?

Only to set the security level of the Core Protections? This is totally confusing. And we didn't start talking about the shared Inspections Settings yet which adds an additional level of madness 🙂

Re: Autonomous Threat Prevention and Core Protections / Inspection Settings

G_W_Albrecht — Mon, 31 Mar 2025 14:58:27 GMT

Yes, we both find that confusing. But it comes from history, a time where core protections were part of IPS, and things have evolved quickly. I hope that in the near future this will be reflected in Dashboard settings, but currently, we have to cope with these incongruencies. As we all live on the complexity of security, i am not so hard on the developers that strife to make TP better (incorporating technologies that have been bought by CP) without being able to make Dashboard settings as easy as possible at the same time.