This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scott_Paisley
Advisor
3 hours ago

AIOps alerts and penalty box configuration

Hi

We recently enabled AIOps. We are now getting ferequenst alerts of the following type

Rulebase drop spike caused by a burst of blocked traffic not a policy or gateway fault.

Rulebase drops rose sharply at 19:33Z and stayed very high for about 20 minutes with no policy change. This points to a burst of unwanted traffic correctly blocked by existing rules not a gateway failure.

Recommendations:

  • Implement SecureXL-based DoS defenses including Rate Limiting rules and Penalty Box to block abusive traffic earlier. (sk112241)

 

We understand this is due to scanning activity directed against standby members in our gateway clusters, and all the traffic is dropped by existing rules, but we followed the recommendations to enable the penalty box and are still seeing these alerts.

Is there an optimal set of penalty box paramaters that would catch this traffic and prevent the AIOps alert from triggering?

Thanks

0 Kudos
3 Replies
Lesley
MVP Gold
MVP Gold
2 hours ago

Please share pbox configuration so I can have a look. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Scott_Paisley
Advisor
2 hours ago
In response to Lesley

Penalty Box:
Status on
Internal Interfaces off
Monitor-Only off
Log Drops on
Max Notifications Per-Second 100 logs/second
Send TCP Reset off
Timeout for Blocked IPs 180 seconds
Has Blocked IPs no
Log when a new IP is blocked on
Drop rate to trigger on 500 packets/second

0 Kudos
Lesley
MVP Gold
MVP Gold
51m ago
In response to Scott_Paisley

Please check my white paper on this topic:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Step-by-step-guide-for-penalty-...

Check if you see penatly box becomes active in Smart Console, any drops? Does AIops tell you the ip is doing this? Does this refelect in the penalty box logs?

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events