This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cyberluke365
Contributor
‎2026-04-29 03:49 PM

IP Reputation exception is not working

Hello Mates!!!

I'm trying to bypass an Anti-Bot IP Reputation Prevent on a specific IP address, but no exception I configure seems to take effect. Hoping someone has seen this behavior before.

Environment: R81.20

Problem
In SmartConsole logs I see Prevent entries from blade Anti-Bot, Protection Type IP Reputation, against destination 13.107.138.10 - a Microsoft IP belonging to subnet 13.107.136.0/22, which is part of the Office 365 Services Updatable Object (verified by checking the office365.C file on the gateway).

The matched rule is IPS.TO Internet (corresponding to Threat Prevention policy).

IP Reputation.png

Since this IP is in a Microsoft-published range I want to also exclude it from Anti-Bot IP Reputation enforcement.

What I tried
I configured a Global Exception below:

  • Protected Scope: Any
  • Source: Any
  • Destination: 13.107.138.10
  • Protection/Site/File/Blade: Anti-Virus, IPS, Anti-Bot
  • Action: Inactive
  • Track: Log

The log still shows Prevent. The Matched Rules tab in the log details shows only the parent rule IPS.TO Internet - no reference to the exception.
I then tried this additional configuration, with the same result (no match): Action set to Detect instead of Inactive (based on the suggestion in this thread: IPS exception not working  
The policy was properly installed via Install Policy -> Threat Prevention.

My Questions

  1. Is there something specific about how Anti-Bot IP Reputation handles exceptions that I'm missing? Does IP Reputation enforcement happen at a different level than the standard Threat Prevention policy evaluation, bypassing exceptions altogether?
  2. Has anyone successfully bypassed an Anti-Bot IP Reputation Prevent on a specific destination via Threat Prevention exceptions in R81.20? If so, what was the working configuration?

Any guidance is much appreciated. Screenshots attached.

Thank you

8 Replies
cRealix
Participant
‎2026-04-30 01:00 AM

We are experiencing the same issue when trying to bypass Anti-Bot IP Reputation for part of a non-Microsoft website. Unfortunately, we have not been able to exclude the IP address in any way.

On our gateway, Threat Prevention is configured in Autonomous Policy mode.

Thank you.

0 Kudos
cyberluke365
Contributor
‎2026-04-30 01:59 AM
In response to cRealix

Hello,
considering the operating logic of the Threat Prevention component, I could assume bypassing the issue by creating a new Profile, excluding the IP Reputation protection for it
(https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...).

After that, I could create a custom rule for the affected traffic and apply the previously created profile to that rule.

Maybe it would work but I'd like to have your thoughts about this topic.

0 Kudos
cRealix
Participant
‎2026-04-30 02:59 AM
In response to cyberluke365

Hello, Thank you for the idea.

but in Threat Prevention, Autonomous Policy mode you cannot change the profile of the gateway.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2026-04-30 01:56 AM

Is the IP part of an IOC feed you have configured? Is there more information in the log card that might help here?

0 Kudos
cyberluke365
Contributor
‎2026-04-30 02:29 AM
In response to emmap

Hello @emmap,

no, it doesn’t appear that an IoC is involved here:

IP Reputation-01.png

When IoC is involved, it is reported in log (Indicator Name)

IP Reputation-02.png

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2026-04-30 03:23 AM
In response to cyberluke365

Did you already try the exception option from the log card itself?

CCSM R77/R80/ELITE
0 Kudos
cyberluke365
Contributor
‎2026-04-30 04:40 AM
In response to Chris_Atkinson

Yep, but I get the error: “Failed to add exception.

Where would the exception be added when it is performed from the card?

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2026-04-30 06:52 PM
In response to cyberluke365

OK. The reason I asked is that the IOC blocks are done in SecureXL and as such are not processed in the policy so exceptions don't match. This might be the case for the basic IP Reputation as well but I can't say for sure. Might be one for TAC to get to the bottom of.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events