https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25362#M58869 <HTML><HEAD></HEAD><BODY><P>If you configure User Defined Alerts, you can timeout connections that meet the criteria for the Host Port Scan IPS signature:</P><P></P><P>SK110873 - How to configure Security Gateway to detect and prevent port scan</P></BODY></HTML> Wed, 23 May 2018 17:14:21 GMT Kyle_Danielson 2018-05-23T17:14:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25358#M58865 <HTML><HEAD></HEAD><BODY><P>hi,</P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 12px;">We have only Detect option available for “Host Port Scan” category so we can’t prevent this from our IPS rules. We cannot block the source that ip is being used as nat ip (public ip from another branch) for many users .</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 12px;">If we don't have option to prevent can we have a TCP session limit for the source IP from the user pool ? If it can be done, what the procedure?</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 12px;">Regards,</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 12px;">Sagar Manandhar</SPAN></P><P>.</P></BODY></HTML> Wed, 23 May 2018 13:40:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25358#M58865 Sagar_Manandhar 2018-05-23T13:40:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25359#M58866 <HTML><HEAD></HEAD><BODY><P>Sagar,</P><P></P><P>If the source of scans is NATed by the Check Point gateway itself, you should still be able to to identify it by the actual IP and treat its traffic in IPS whichever way you want.</P><P></P><P>If it is being NATed by other device before hitting the Check Point, the best course of action will be to exempt CP GW from it's scanner's configuration.</P><P></P><P>Incidentally, do you have a stealth rule configured in your policy?</P><P>What, if any effect does it have on this traffic.</P><P></P><P>Cheers,</P><P></P><P>Vladimir</P></BODY></HTML> Wed, 23 May 2018 14:27:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25359#M58866 Vladimir 2018-05-23T14:27:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25360#M58867 <HTML><HEAD></HEAD><BODY><P>No, it not the checkpoint IP. We have been using different public ip in different branches. it comming from there.</P></BODY></HTML> Wed, 23 May 2018 15:42:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25360#M58867 Sagar_Manandhar 2018-05-23T15:42:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25361#M58868 <HTML><HEAD></HEAD><BODY><P>Then either configure the scanner exemptions or their scopes.</P><P>Alternatively, at the branch in question you can play with ACLs to only allow necessary traffic to predetermined scopes from the original source IP, but it may prove labor intensive.</P></BODY></HTML> Wed, 23 May 2018 17:04:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25361#M58868 Vladimir 2018-05-23T17:04:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25362#M58869 <HTML><HEAD></HEAD><BODY><P>If you configure User Defined Alerts, you can timeout connections that meet the criteria for the Host Port Scan IPS signature:</P><P></P><P>SK110873 - How to configure Security Gateway to detect and prevent port scan</P></BODY></HTML> Wed, 23 May 2018 17:14:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-prevent-option-in-IPS-signature/m-p/25362#M58869 Kyle_Danielson 2018-05-23T17:14:21Z