topic Re: R80.10 and IPS protections in General Topics

R80.10 and IPS protections

Richard_Lee — Thu, 14 Jun 2018 20:17:11 GMT

We recently updated our management firewalls to R80.10 and since the upgrade we've noticed quite a few of IPS Protection blocks that weren't triggered in our previous gaia version.

Has anyone else seen or experienced this after moving to R80.10? A case was created with Checkpoint and they mentioned that Gaia upgrade to R80.10 has nothing to do with the IPS blade and therefore it isn't the cause.

It just seems odd that all this is occurring after our upgrading our management firewall to R80.10. The gateways are still R77.30.

Any ideas?

Re: R80.10 and IPS protections

PhoneBoy — Fri, 15 Jun 2018 14:28:45 GMT

Which IPS profile are you using?

The default profiles in R77.x (Default, Recommended) are different from the ones in R80.x (Basic, Optimized, Strict).

In terms of protections enabled, it's something like: Default < Basic < Optimized < Recommended < Strict (where Strict has the most protections enabled).

Also a number of changes were made in IPS protections: List of IPS Protections removed in R80.x

Bottom line: entirely possible more protections are active.

Re: R80.10 and IPS protections

Huseyin_Rencber — Fri, 15 Jun 2018 21:13:02 GMT

Did you change your profiles after upgrade ? Check the inspection settings, with R80x some of protection moved from IPS blade to inspection section. In a pre-R80 smardashboard , inspection settings are configured as IPS protections.

Re: R80.10 and IPS protections

Richard_Lee — Wed, 20 Jun 2018 13:23:00 GMT

Hi Dameon,

Thank you for your reply. After reviewing our IPS protections, the profile has not changed. We run the recommended protections and I found that the same protection name "Internet Explorer FTP Response Parsing Memory Corruption MS07-016 CVE-2007-0217:on our other management firewalls are enabled as well, but we don't see the same issue in the R77.30 environment.

I'm might have to follow up with Checkpoint and find out why this is the case. Currently in the environment where we see the issue, we have the management FW at R80.10 and the gateways at R77.30. We have other Management FWs that need to get to R80.10 and I'm going to change the IPS to detect for that specific protection name prior to the upgrade.

It's odd that we started seeing this issue only after the R80.10 upgrade.

Thanks,

Richard

Re: R80.10 and IPS protections

Richard_Lee — Wed, 20 Jun 2018 13:38:22 GMT

The profiles did not change. The protection causing issues is called "Internet Explorer FTP Response Parsing Memory Corruption (MS07-016) CVE-2007-0217. This same protection is enabled on our other locations and we don't see the issues over seas.

Re: R80.10 and IPS protections

PhoneBoy — Wed, 20 Jun 2018 15:23:20 GMT

The underlying parser is different between R77.30 and R80.10, which could account for some difference in behavior.

I recommend engaging with the TAC so we can troubleshoot what's going on.