https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170423#M28366 <P>It's a slightly different use case than the log you've provided and not relevant here based on version (sorry for the confusion).</P> <P>In your case the reason for this specific case is displayed as shown in the log card (highlighted in yellow).</P> <P>Others may have the same cause or again be based on the profile configuration parameters.&nbsp;</P> <P>See also:&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92224&amp;partition=Advanced&amp;product=Anti-Bot," target="_blank" rel="noopener">sk92224: Optimizing the categorization of DNS traffic by changing the Resource<SPAN>&nbsp;</SPAN><STRONG>Classification</STRONG><SPAN>&nbsp;</SPAN>Mode, for Anti-Virus and Anti-Bot</A></P> Mon, 06 Feb 2023 12:19:08 GMT Chris_Atkinson 2023-02-06T12:19:08Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170196#M28321 <P>Hi CP,</P><P>&nbsp;</P><P>I'm concerning with the logs between Attack Allowed by Policy and Prevented Attacked. Could you please explain me how are different ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Log_Policy.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19430iEAC761F392727EE6/image-size/large?v=v2&amp;px=999" role="button" title="Log_Policy.PNG" alt="Log_Policy.PNG" /></span></P> Fri, 03 Feb 2023 01:09:38 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170196#M28321 Samphas1 2023-02-03T01:09:38Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170200#M28324 <P>The above will typically correspond with events who's action is Detect vs Prevent.</P> <P>Often this is a configuration/policy decision on the part of the administrator for blades or protections.</P> Fri, 03 Feb 2023 02:23:28 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170200#M28324 Chris_Atkinson 2023-02-03T02:23:28Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170206#M28329 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;If the action is Detect it mean we allow the connection came into the environment ?&nbsp; And there is any impact or high risk with this action ?</P> Fri, 03 Feb 2023 03:03:58 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170206#M28329 Samphas1 2023-02-03T03:03:58Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170207#M28330 <P>I agree with Chris. If you look at the top and what it says there, it indicates "attacks allowed by policy", so definitely referring to detect vs prevent.</P> Fri, 03 Feb 2023 03:17:27 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170207#M28330 the_rock 2023-02-03T03:17:27Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170209#M28331 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;,</P><P>If the "Attacks allowed by policy " what will impact to the environment ?</P> Fri, 03 Feb 2023 03:35:19 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170209#M28331 Samphas1 2023-02-03T03:35:19Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170215#M28334 <P>The Detect action means: it was allowed into the environment due to the specific Threat Prevention profile configuration.<BR />The precise risk depends on what it was that was detected.<BR />A Prevent or Block means it was prevented.</P> Fri, 03 Feb 2023 06:39:11 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170215#M28334 PhoneBoy 2023-02-03T06:39:11Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170217#M28335 <P>As&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;indicated it depends on the specific configuration and the event that was detected.</P> <P>For example the "Strict" TP profile versus "Optimized" each have different criteria based on confidence/impact/severity&nbsp; and enabled blades.</P> <P>The objective here is to achieve a balance between security/performance/false positives relative to your environment and what assets you are protecting.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TP Criteria.PNG" style="width: 604px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19432i083CD0E0A4AE1399/image-size/large?v=v2&amp;px=999" role="button" title="TP Criteria.PNG" alt="TP Criteria.PNG" /></span></P> Fri, 03 Feb 2023 06:49:22 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170217#M28335 Chris_Atkinson 2023-02-03T06:49:22Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170222#M28338 <P>If the change all policy to prevent type what it will impact or not ? And what is the best practice and recommendation ?</P> Fri, 03 Feb 2023 07:47:14 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170222#M28338 Samphas1 2023-02-03T07:47:14Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170269#M28343 <P>Generalization: Prevent catch-rate will increase at the expense of performance (particularly if you adjust the active protection parameters or enable additional blades).</P> <P>Optimized profile is typically a good place to start then you can clone and tune it further per your own requirements.</P> Fri, 03 Feb 2023 14:58:25 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170269#M28343 Chris_Atkinson 2023-02-03T14:58:25Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170274#M28344 <P>If the protection is on Detect already, Prevent will not cost more performance. I tend to use inactive for low confidence instead of detect...</P> Fri, 03 Feb 2023 14:20:40 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170274#M28344 G_W_Albrecht 2023-02-03T14:20:40Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170296#M28351 <P>From a "work" standpoint, Prevent and Detect require the same amount of work.&nbsp;<BR />Detect ultimately still allows the traffic, which means it still continues to process the traffic.<BR />That means Detect could actually end up requiring more work in the end...<BR /><BR /></P> Fri, 03 Feb 2023 18:57:58 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170296#M28351 PhoneBoy 2023-02-03T18:57:58Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170307#M28352 <P>Yep Detect causes more overhead than Prevent, and in some cases much more.&nbsp; Here is an excerpt from my new <A href="http://www.maxpowerfirewalls.com" target="_self">R81.20 Gateway Performance Optimization 2-day course</A> discussing this topic:</P> <DIV id="tinyMceEditor_76c184909d9c06Timothy_Hall_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="preventdetect.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19448iCBE92F80C98724E8/image-size/large?v=v2&amp;px=999" role="button" title="preventdetect.png" alt="preventdetect.png" /></span></P> <P>&nbsp;</P> Sat, 04 Feb 2023 15:58:07 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170307#M28352 Timothy_Hall 2023-02-04T15:58:07Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170308#M28353 <P>You definitely got all the logical answers, so I would stick with optimized profile as Chris said, cant go wrong.</P> Fri, 03 Feb 2023 20:23:34 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170308#M28353 the_rock 2023-02-03T20:23:34Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170391#M28354 <P>Could you please explain me more how are different between the Optimized and Strict Action ?</P> Mon, 06 Feb 2023 02:26:52 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170391#M28354 Samphas1 2023-02-06T02:26:52Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170394#M28355 <P>More protections will be active in the "Strict" profile.</P> <DIV id="tinyMceEditor_7774bc83c8ab29Chris_Atkinson_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Optimized.png" style="width: 761px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19452i7CD0B8EC02AD4193/image-size/large?v=v2&amp;px=999" role="button" title="Optimized.png" alt="Optimized.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Strict.png" style="width: 761px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19453i5439878382E058AB/image-size/large?v=v2&amp;px=999" role="button" title="Strict.png" alt="Strict.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 06 Feb 2023 02:44:59 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170394#M28355 Chris_Atkinson 2023-02-06T02:44:59Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170395#M28356 <P>The screenshot below action is Detect mean that Anti-Virus software blade not protection and allow the connection. Am I right ?</P> Mon, 06 Feb 2023 03:17:51 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170395#M28356 Samphas1 2023-02-06T03:17:51Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170397#M28357 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 758px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19454iF4092FDB1B640911/image-size/large?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P><P>* Update picture for last previous question.</P><P>&nbsp;</P> Mon, 06 Feb 2023 03:19:35 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170397#M28357 Samphas1 2023-02-06T03:19:35Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170398#M28358 <P>Detect in this context means it was obsevered and not prevented based on the profile settings.</P> <P>Please expand one of the line/log entries and we can help explain it better for you.</P> <P>(Mask / redact sensitive parts as required).</P> Mon, 06 Feb 2023 04:54:42 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170398#M28358 Chris_Atkinson 2023-02-06T04:54:42Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170404#M28359 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;,</P><P>Could you please check the detail log below picture and&nbsp; help explain .</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anti-Bot-1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19455i8E3427C622FC6389/image-size/large?v=v2&amp;px=999" role="button" title="Anti-Bot-1.png" alt="Anti-Bot-1.png" /></span></P> Mon, 06 Feb 2023 06:54:00 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170404#M28359 Samphas1 2023-02-06T06:54:00Z https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170407#M28360 <P>Reason is that you enabled background classification mode, see sk74120. But this SK is not found...</P> Mon, 06 Feb 2023 07:35:57 GMT https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170407#M28360 G_W_Albrecht 2023-02-06T07:35:57Z