https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256200#M43128 <P>Nice to see some people are still using FTP <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>You can actually create a new Threat Prevention profile where Medium Confidence protections are set to Detect:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31332i9667A971574DDCBA/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>Whether you should or not is a separate question.</P> Fri, 29 Aug 2025 13:15:07 GMT PhoneBoy 2025-08-29T13:15:07Z https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256192#M43126 <P>Hi all,</P><P>We have an issue where a customers FTP traffic (using port range TCP/30200-30220) keeps triggering new IPS protections. So far we have been reactively adding exceptions for each occurrence, but obviously this is not really a sustainable solution. Some of the protections so far triggered are listed below. I notice all of them are Medium confidence, and I did open a TAC case a year or so ago for a similar issue, and they did advise that low/medium confidence protections are susceptible to false positives, and changing them to detect is essentially the best solution. But I worry this creates some security gaps as obviously real occurrences of the attacks can happen and could be missed.</P><P>Could you guys advise how you handle these types of protections, is changing low/medium protections to detect a best practice? The only other thing I can think is to try and grab all of the IP's from our customers systems, and build some wider exception with them, so that all medium protections detect instead of prevent (I am not sure this is possible?)</P><P>&nbsp;</P><TABLE width="810"><TBODY><TR><TD width="376"><P><STRONG>IPS protection:</STRONG></P></TD><TD width="125"><P><STRONG># of incidents</STRONG></P></TD><TD width="142"><P><STRONG>Confidence Level</STRONG></P></TD><TD width="32"><P><STRONG>Severity</STRONG></P></TD><TD width="136"><P><STRONG>Performance Impact</STRONG></P></TD></TR><TR><TD width="376"><P>Internet Explorer FTP Response Parsing Memory Corruption</P></TD><TD width="125"><P>3</P></TD><TD width="142"><P>Medium</P></TD><TD width="32"><P>High</P></TD><TD width="136"><P>High</P></TD></TR><TR><TD width="376"><P>Malicious Payload Encoding Remote Code Execution</P></TD><TD width="125"><P>2</P></TD><TD width="142"><P>Medium</P></TD><TD width="32"><P>High</P></TD><TD width="136"><P>High</P></TD></TR><TR><TD width="376"><P>Tripwire Format String (CVE-2004-0536)</P></TD><TD width="125"><P>1</P></TD><TD width="142"><P>Medium</P></TD><TD width="32"><P>Low</P></TD><TD width="136"><P>Medium</P></TD></TR><TR><TD width="376"><P>VMware Multiple Products NAT Service Buffer Overflow</P></TD><TD width="125"><P>1</P></TD><TD width="142"><P>Medium</P></TD><TD width="32"><P>High</P></TD><TD width="136"><P>Medium</P></TD></TR><TR><TD width="376"><P>Multiple SSH Initial Connection Requests</P></TD><TD width="125"><P>1</P></TD><TD width="142"><P>Medium</P></TD><TD width="32"><P>High</P></TD><TD width="136"><P>Low</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thanks, I appreciate any feedback!</P> Fri, 29 Aug 2025 12:17:21 GMT https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256192#M43126 Parabol 2025-08-29T12:17:21Z https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256200#M43128 <P>Nice to see some people are still using FTP <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>You can actually create a new Threat Prevention profile where Medium Confidence protections are set to Detect:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31332i9667A971574DDCBA/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>Whether you should or not is a separate question.</P> Fri, 29 Aug 2025 13:15:07 GMT https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256200#M43128 PhoneBoy 2025-08-29T13:15:07Z https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256201#M43129 <P>My suggestion...do NOT use ftp <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Andy</P> Fri, 29 Aug 2025 13:16:48 GMT https://community.checkpoint.com/t5/General-Topics/Customer-FTP-traffic-keeps-triggering-new-IPS-protections/m-p/256201#M43129 the_rock 2025-08-29T13:16:48Z