topic Re: IPS Core Protection in Firewall and Security Management

IPS Core Protection

Ihenock1011 — Tue, 23 Jul 2024 08:10:40 GMT

Hi All,

I have a question about the Threat Prevention custom policy, specifically the IPS protection section. For the core Protection, there are two options. For example, if you see Host Port Scan for each profile, the action is either "Accept" or "Inactive." However, for other core protections, such as HTTP URL pattern, there is an additional "Drop" option. What do the "Accept," "Inactive," and "Block" actions do, and why is the "Block" action added to some of the core protections?

Thanks,

Re: IPS Core Protection

the_rock — Tue, 23 Jul 2024 13:04:46 GMT

Hey bro,

Those are default IPS protections, regardless if you have IPS blade enabled or not. I would leave those as is, no need to change them, unless you are 100% positive exception needs to be added.

Andy

Re: IPS Core Protection

PhoneBoy — Tue, 23 Jul 2024 13:27:28 GMT

Because for some protections (like anything HTTP related) there is an active connection that gets terminated if they trigger and the “Block” action is specified.
For protections that don’t involve an active TCP/UDP connection, you won’t see a block action.

Inactive means the system does not try to look for it.
Accept means look for it but allow it (ie like a regular IPS protection in Detect mode).

Re: IPS Core Protection

Ihenock1011 — Tue, 23 Jul 2024 14:13:23 GMT

"Accept means look for it but allow it (ie like a regular IPS protection in Detect mode)"

Doesn't the IPS prevent in all conditions?

Re: IPS Core Protection

the_rock — Tue, 23 Jul 2024 14:15:10 GMT

Definitely NOT.

Re: IPS Core Protection

the_rock — Tue, 23 Jul 2024 16:17:19 GMT

Btw, you can even examine optimized profile out of the box, which is what CP recommends anyway and bunch of protections are set to inactive/detect.

Andy

Re: IPS Core Protection

PhoneBoy — Tue, 23 Jul 2024 18:28:16 GMT

Depends on your Threat Prevention profile/configuration.
The Optimized profile (which is the default one) has several protections either Disabled or in Detect mode.

Re: IPS Core Protection

Ihenock1011 — Wed, 24 Jul 2024 04:45:13 GMT

Sorry if I am making you bored. What exactly do I have to do, for example, to block HTTP URL patterns and host port scanning?

Re: IPS Core Protection

the_rock — Wed, 24 Jul 2024 12:00:39 GMT

Check out the example, you just edit the given protection and change the action for the IPS profile you are using.

Andy

Re: IPS Core Protection

PhoneBoy — Wed, 24 Jul 2024 14:54:52 GMT

For anything HTTP related, HTTPS Inspection is required to see the full URLs.
This is in addition to enabling the relevant protections and installing the Access Policy.

Portscans are a little more complicated: https://support.checkpoint.com/results/sk/sk110873