IPS Ease of Use in R80.20 TechTalk

PhoneBoy — Wed, 15 Aug 2018 03:01:51 GMT

As a follow-up to our Check Point R80.20 Demo TechTalk and Q&A session, we demonstrated the numerous usability enhancements with IPS Management and Gateway that are coming with the R80.20 release. Experts from R&D answered your IPS-related questions as well!

Tomer Sole‌

Smadi Paradise‌

Ofir Israel‌

Raz Shlomo‌

Avishai Duer

As this was primarily a live demo, there are no slides.

Video will be available to CheckMates members who are signed in: IPS Ease of Use in R80.20 Video

Links mentioned during the session are posted in the comments.

Video Link : 6625

Re: IPS Ease of Use in R80.20 TechTalk

Tomer_Sole — Wed, 15 Aug 2018 05:24:20 GMT

Hi,

In this talk we mainly discussed the changes with IPS in R80.20.

Some links:

Link description	Link
The R80.20 EA Program	Check Point R80.20 Production and Public EA
Which policy to install when making IPS changes depending on the version of your gateway	What is the roadmap for Threat Prevention Policy management?
IPS Best Practices for R80.10 (please note that for R80.20 the best practices are changed, there are 3 major changes, as we explained in the video)	R80.10 IPS Best Practices Guide
IPS Analyzer measures the top consumed IPS protections on your security gateways	IPS Analyzer Tool - are you running it?
Add custom IPS Protections based on Snort	Did you know? Add Snort Protections with R80.10 API
Automate IPS with tags	Automating IPS
Difference between ThreatCloud protections (9100+) and Core Protections (39)	Where did all my IPS Protections go?

Re: IPS Ease of Use in R80.20 TechTalk

PhoneBoy — Thu, 30 Aug 2018 02:45:08 GMT

I realize I'm a bit late posting the Q&A for this, but it's still good to have:

When you do install policy, does it update only the IPS or all the fw policy?

On R80+ gateways, IPS is part of the Threat Prevention policy and can be pushed separately from the Firewall/Access Control policy. In R77.30 and earlier, to update IPS, you must install the Firewall policy.

Is there an option for customize the user credentials in order to make the IPS update ? I cannot find it in R80.10 ... In R77.30 it was easy.

In R80.x this is no longer required as we use a certificate to authenticate access to UserCenter to download the signatures.

And how about that offline updates?

To receive the offline IPS signature update files, you must sign a special EULA. Please check with your local office.

What is the purpose of the indicators tab in threat tools?

You can block specific URLs or file hashes. This requires Anti-Virus and/or Anti-Bot to be activated and is not an IPS feature.

Any way to turn off just IPS to troubleshoot a problem? Too often troubleshooting takes too long and want a quick way to test without pushing policy.

The cli command ips off will disable IPS. However, this is a last resort and is not recommended.

I remember the CSV being available in R77.20 when was STIX format added ? Does R80.20 also support TAXII format?

STIX has been available since R77.20, TAXI is not currently supported. See the upcoming feature in sk132193, TAXII might be developed on top of it.

Can we put the newly downloaded protection in inactive state just to avoid high CPU sometimes when the box is already under load?

Yes. In the profile under IPS > Updates you can set 'new downloaded protection' to inactive.

We are running IPS on a L2 firewall, do you plan to implement an option to assign an interface to be marked as "outside" or "inside" interface? The current IPS cannot detect if the interface is facing the internet or the inside network.

You should be able to mark the relevant physical interface as "External" in a bridge.

When we talk about policy installation improvements, should the gateway and management both need to be in R80.10?

Some policy installation improvements can be seen with R80.10 Management. The ones discussed during the TechTalk require both gateway and management to be on R80.20.

Is it possible in R80.20 filter by the client or server protection? For example I want to deactivate all server protection in one click.

The IPS profiles are defined with tags in R80.x rather than Client or Server. Refer to Check Point R80.10 IPS Best Practices

How much of a benefit could be expected from adding an acceleration card for Threat Prevention? Metrics?

The acceleration cards are not available yet. Once they are, we will provide appropriate metrics.

Where are you in terms on the API 1.2 integration and IPS - could you give us a brief overview there please?

We do have APIs for managing Indicators of Compromise via the API, but these are not strictly IPS features.

Are there realtime blacklists/blocking of known bad IP addresses?

This is what ThreatCloud provides. If you want to subscribe to your own, see the upcoming feature in sk132193.

About policy installation, many versions ago was stated that in R80.10 only the deltas would be installed for access control policy, however, still entire policy is installed. For R80.20 this remains the same?? if yes, for which future version would be possible install only deltas for access control?

Pushing only changed rules is planned for later releases.

If the gateways update themselves (which is great news!!!) how would you view if an update failed?

You'll be able to see it in the Update Status view (same as AntiVirus & AntiBot blades)

How does one correlate the version of the API with the version of the manager???

You can see what version of the API your management server supports by going to https://management-ip/api_docs.

R80 is API v1.0, R80.10 is API v1.1, and R80.20.M1 is API v1.2.

When the gateways update themselves, do they need access to updates.checkpoint.com?

Refer to How to verify that Security Gateway and/or Security Management Server can access Check Point servers? which will be updated with the correct information once R80.20 is available.

Does the bypass IPS feature works with respect to individual core or on all the cores?

All cores.

In the Threat Prevention Policy there's "Protected Scope" and also "Source/Destination" fields. What is the difference between these two types? And when would you use one or the other?

In most cases, you would use "Protected Scope." For exceptions, explicit source/destination may be useful.

Would there be any changes in the protections in R80.20, compared to R80.10 ? We have seen some protections were retired with R77.30.

No plans to deprecate IPS protections in R80.20.

Are Core Protections not the same as Inspection Settings?

Core Protections are IPS protections, Inspection Settings are actually Firewall settings.

IPS bypass feature monitors only worker cores or also SND cores?

All cores, worker and SND.

Are there any disadvantages of running multiple IPS profiles one Check Point cluster (such as decreased performance)?

No, multiple profiles / Threat Prevention layers do not increase performance impact.

What is the impact of turning on SSL inspection along with IPS, I assume some IPS protections might work better if traffic is decrypted ?

Yes, some protections will work better with SSL Inspection enabled.

Is it possible to monitor IPS performance graphically on SmartConsole e.g. to match particular IPS processing time against CPU/loading, believe this is cli only - would be a good feature to see in console for the future or possibly alert to any impact etc.

Data can be collected about this, but it must currently be analyzed by TAC or R&D. Instructions are available here: How to measure CPU time consumed by IPS protections

topic Re: IPS Ease of Use in R80.20 TechTalk in Firewall and Security Management

IPS Ease of Use in R80.20 TechTalk

Re: IPS Ease of Use in R80.20 TechTalk

Re: IPS Ease of Use in R80.20 TechTalk