Hello guys,
I have a question regarding the IPS exception possibilities for threat prevention profiles within a R80 SMS that is applied to pre R80 gateways. To be precise, the gateways in this case are running R76.50 (scalable platform release). As far as I've seen, it is only possible to configure exceptions in the threat prevention exceptions tab - and here I realized that the action for any exceptions that need to be applied to pre R80 gateways is "inactive". But with that in place I am not able to see anything in my logs, as IPS checking is just not done on the specific traffic described in the threat prevention exception rule. Now my question is - am I missing something, or is there really no chance to configure "detect", so that IPS logs are still being received for the exception? I personally do not want to just ignore it in the first place. My plan is to have the SIEM team check whether it's a false positive (during this time I want the detect option), and after confirming the false positive it's fine for me to just set the action to "inactive".
Thanks in advance for any advice!
Best regards,
Maik
As the name already hints, an IPS exception excludes traffic from IPS. IPS set to detect consumes the same resources as when in protect mode, so it makes no sense to detect anything except in the first weeks of getting IPS into production.
Hello Günther,
Thanks for your reply. I understand IPS exceptions in the way that you have some kind of exclusion (differences) regarding the standard profile settings for specific traffic/signatures, not in the way that this automatically means you want to exclude such traffic completely from the IPS point of view.
That being said, I think it makes sense to detect something in this case as we are performing a restructure of the network (for some parts) and therefore need the detect just for specific sources, destinations & signatures. As these aren't that many hosts a new profile does not make much sense (which could have been another option).
You seem to understand IPS exceptions in the wrong way 😞 This is used for traffic that shall not be inspected at all by IPS (only very basic testing, e.g. Anti-Spoofing, is performed in the fw chain). If you need to detect traffic, use a special profile for this kind of traffic to make it work and log in detect mode.
Hm, I am wondering why there is the possibility for R80.x gateways to have the options of "inactive", "detect", "prevent" and "ask" within the exception action settings then. Nevertheless, thanks for the information regarding the impact on the fw chain and what is still done after specifying an exception - was not aware of that.
The options of "inactive", "detect", "prevent" and "ask" within the exception action settings - I cannot see that here:


I am talking about the exception policy settings right below the actual threat prevention policies within the SmartConsole. [The hosts and rule shown in the screenshot are based on a cloud demo session]
Edit: Am I missing something? If yes, what exactly?
This exception does not apply for pre-R80 gateways.
The exceptions you configure in the threat prevention exceptions tab are for excluding traffic from IPS entirely, not applying a different action to the traffic.
R80.x gateways have significantly more flexibility with regards to IPS profiles, exceptions, and so on.