topic Re: IPS Policy in General Topics

IPS Policy

sushantjoshi — Mon, 17 Jun 2024 07:22:41 GMT

I am trying to get my head around IPS Policy.

Firewall I am managing was setup by another guy who is no longer in the company

There are three rules in my existing Custom policy INTERNET_IN_PROFILE , INTERNET_OUT_PROFILE, VPN_IN_PROFILE ( image attached)

There is no protected scope applied with any of these rules but interestingly when I check the logs the first rule (Internet IN - Threat Policy) only prevents/detects IPS in the incoming traffic i.e inbound traffic mainly towards my application.

The second rule only prevents/detects IPS outbound traffic i.e traffic usually generated from my internal network.

There is no scope defined so bit confused about how this is working.

Re: IPS Policy

Lesley — Mon, 17 Jun 2024 07:42:03 GMT

Right click on the dark blue bar and add the missing column like source. Then you will understand the policy

Re: IPS Policy

sushantjoshi — Mon, 17 Jun 2024 10:28:29 GMT

Thank You Lesley and sorry for being a noob on this one.

One more thing how does this rule work ? Match from top to bottom or will the E-1.1 , E1.2 will get bypassed from the Threat Prevention profile and rest of them will get inspected ? Does the Inactive in the Action section refers to not inspect the matching source and destination ?

Re: IPS Policy

the_rock — Mon, 17 Jun 2024 13:27:23 GMT

I dont believe top to bottom approach even matters here, like it would in normal policy rules. Btw, yes, you are correct, inactive means it will NOT inspect/apply to source/dst.

Andy

Re: IPS Policy

Timothy_Hall — Mon, 17 Jun 2024 14:31:11 GMT

Rules E-1.1 and E-1.2 are exceptions that can change the final decision (Inactive, Prevent, Detect) of what to do only if rule 1 is matched. If rule 1 is not matched, E-1.1 and E-1.2 are skipped. Overall in the Threat Prevention layers just the first matching rule is taken, unless there is more than one Threat Prevention policy layer (not common), in which case the first matching rule is selected in all TP layers, and the most stringent action wins unless there is an exception which changes it.

Re: IPS Policy

Lesley — Mon, 17 Jun 2024 18:25:17 GMT

What the guys told me below applies here. Only advise I can give is consider to remove the exceptions because they seem to whitelist a lot. 1.2 is whitelist for traffic TOWARDS internet. So if a hosts connects to a C&C server on internet it will be skipped due the exception and not inspected by for example anti-bot blade.

Re: IPS Policy

sushantjoshi — Tue, 18 Jun 2024 03:02:03 GMT

Hello @Lesley there is an Edge firewall as well and before the packet goes out to the internet it has to be traverse the Edge firewall. We do not want to be using Threat Prevention with same signatures and everything in 2 places and on top of that both of them are Checkpoint

Re: IPS Policy

sushantjoshi — Wed, 19 Jun 2024 04:27:28 GMT

@Timothy_Hall one more thing do we expect to see any logs from those exception ?

Re: IPS Policy

the_rock — Wed, 19 Jun 2024 11:52:31 GMT

Definitely you should get them. I know few customers who use them and we always see the logs. By default, when you create them, logging is enabled.

Andy