https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12447#M1997 <HTML><HEAD></HEAD><BODY><P>I would suggest to start by studying&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103154&amp;partition=General&amp;product=Security">sk103154: How to <STRONG>block</STRONG> traffic coming from known malicious <STRONG>IP</STRONG> addresse</A>&nbsp;- you will find further references there. For R80.20, there even is a new feature: <A _jive_internal="true" href="https://community.checkpoint.com/docs/DOC-3159-r8020-ip-blacklist-in-securexl">R80.20 - IP blacklist in SecureXL</A>.</P></BODY></HTML> Fri, 02 Nov 2018 11:00:13 GMT G_W_Albrecht 2018-11-02T11:00:13Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12446#M1996 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>I'm looking for some help with the following, we had a scan event on one of our SFTP edges, which uses the Check Point as it's gateway. No data exfiltration or lateral movement has been detected.</P><P>Below an example of scan in question:</P><P>&nbsp;<IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/73105_pastedImage_1.png" /></P><P></P><P>We are looking for a possible solution on this, something like adding a dynamic blacklist, or "timeout". For example if an IP has 3+ IPS protect triggers within 5 minutes, it is automatically added to a blacklist for 7 days or indefinitely.</P><P>I'm not aware if the IPS module is able to perform such operation and as a possible solution we are considering to get a license for Smart Event, and get something like the below config:</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/73109_pastedImage_2.png" /></P><P></P><P>If you have any other ideas that would be much appreciated.</P><P></P><P>Many Thanks.&nbsp;</P></BODY></HTML> Fri, 02 Nov 2018 10:24:24 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12446#M1996 Reinaldo_Fernan 2018-11-02T10:24:24Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12447#M1997 <HTML><HEAD></HEAD><BODY><P>I would suggest to start by studying&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103154&amp;partition=General&amp;product=Security">sk103154: How to <STRONG>block</STRONG> traffic coming from known malicious <STRONG>IP</STRONG> addresse</A>&nbsp;- you will find further references there. For R80.20, there even is a new feature: <A _jive_internal="true" href="https://community.checkpoint.com/docs/DOC-3159-r8020-ip-blacklist-in-securexl">R80.20 - IP blacklist in SecureXL</A>.</P></BODY></HTML> Fri, 02 Nov 2018 11:00:13 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12447#M1997 G_W_Albrecht 2018-11-02T11:00:13Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12448#M1998 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Thank you for the details provided.</P><P>What we are looking is not to have a block of traffic coming from known malicious IPs, but for some sort of dynamic configurations where we can setup thresholds and once there is an incident this traffic gets dropped.</P><P></P><P>I think smart event looks quite similar of what we are looking for:</P><P></P><P><IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/73110_pastedImage_2.png" /></P></BODY></HTML> Fri, 02 Nov 2018 11:20:36 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12448#M1998 Reinaldo_Fernan 2018-11-02T11:20:36Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12449#M1999 <HTML><HEAD></HEAD><BODY><P>What you need is refered to there, i think of <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454">How to configure Rate Limiting rules for DoS Mitigation</A></P></BODY></HTML> Fri, 02 Nov 2018 12:47:08 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12449#M1999 G_W_Albrecht 2018-11-02T12:47:08Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12450#M2000 <HTML><HEAD></HEAD><BODY><P>You can prevent this with <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110873&amp;partition=Advanced&amp;product=Security">sk110873 - How to configure Security Gateway to detect and prevent scan</A></P></BODY></HTML> Fri, 02 Nov 2018 13:22:29 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12450#M2000 Anthony_Nguyen 2018-11-02T13:22:29Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12451#M2001 <HTML><HEAD></HEAD><BODY><P>Thank you for your reply.</P><P>We don't want to change the IPS policy to detect as this will just work as IDS and not IPS. The idea is to setup a threshold, so if we see a 3 scan attempts from a source it would automatically block it.</P></BODY></HTML> Fri, 02 Nov 2018 13:58:11 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12451#M2001 Reinaldo_Fernan 2018-11-02T13:58:11Z https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12452#M2002 <HTML><HEAD></HEAD><BODY><P>I would recommend taking a look at&nbsp;sk74520 -&nbsp;<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;"><SPAN>&nbsp;</SPAN>SecureXL penalty box. Also, if you are interested in folding in some dynamic blocking in addition to this, take a look at <A href="https://opendbl.net">https://opendbl.net</A>&nbsp;- Lists are updated every 12 hours and provides another layer of protection.</SPAN></P></BODY></HTML> Fri, 02 Nov 2018 14:07:32 GMT https://community.checkpoint.com/t5/General-Topics/Scan-events/m-p/12452#M2002 Alex_Weldon 2018-11-02T14:07:32Z