- Products
- Learn
- Local User Groups
- Partners
- More
What's New in R82.10?
Watch HereWhen the Agents Attack
A Live Look at Agentic Exposure Validation
AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
CheckMates Fest
Hi all,
I am currently working on an optimization of our IPS configuration.
We started with IPS in Version R77, so every Firewall Gateway got its own IPS profile. For reducing false postitives or disabling IPS on irrelevant network traffic, so far, we have defined Exceptions either for a single protection or for the hole IPS blade (if necessary).
After the update to R80, we got the recommendation to use different profiles in separate Threat Prevention Rules within a firewall gateway to increase performance (especially of the gateway, but also for the application and the correspondent network traffic).
My first thought was, that it would be useful to build an IPS Profile based on the used protocol. For example to create a specific IPS profile for e.g. incoming SSL traffic with a small amount of relevant protections, which I use in a separate Threat Prevention Rules.
After reading Secure Knowledge sk95193: ATRG IPS, I am not sure, if this is a method to increase performance effectively.
Quote: "The Context Management Infrastructure (CMI) is the "brain" of the IPS. It coordinates different components, decides which protections should run on a certain packet, decides the final action to be performed on the packet and issues an event log (.....) CMI is a way to connect and manage parsers and protections. Since they are separated, protections can be added in updates, while performance does not depend on the number of active protections."
In my opinion, it seems that an separate profile for e.g. SSL or other known protocols (HTTP, SMTP,..) isn't an appropriate way to decrease cpu usage, because the amount of protection isn't relevant. Is this the right conclusion?
So for me, what would be a use case for separate IPS profiles? Just for activate additional blades like ABOT or Threat Emulation? What is an effective method to increase performance of a firewall gateway with IPS instead, without diabling IPS for a specific communication.
Best regards
Jens
Now that you use r80 I can recommend you to take a look st Tailored Safe Profile which is described in the sk164812.
performance wise you are moving from detect to prevent. The firewall will not spend more necessary cpu to run Detection mode and it will reduce while ips are in prevent.
i have only had possible experience with it.
This is covered in the third edition of my book and my IPS Immersion Video Series; basically I recommend using different IPS-enabled profiles taking into consideration the network speeds and trust levels involved. Examples:
1) IPS Profile for traffic to/from the Internet - High Level of Enforcement and High Impact, but performance impact is muted by limited Internet bandwidth (at least compared to LAN speeds).
2) IPS Profile for traffic to/from DMZs & Internal Networks - Medium Level of Enforcement and Medium Impact; potentially use a special "null" IPS profile for known trusted high-speed traffic (like backups or perhaps replications) or use the fast_accel SecureXL feature for this purpose.
3) IPS Profile for Internal to Internal networks - Lower Level of enforcement with low/medium impact due to the LAN speeds involved, especially if 10 Gbps or faster.
Obviously in any profile it is desirable to limit the use of IPS protections with a Performance Impact rating of "Critical" (and to a lesser degree "High") as much as possible especially in IPS Profile #3 above, as they will strongly impact the acceleration level of the inspected traffic. In general the Performance Impact rating of an IPS protection indicates the following acceleration levels:
- Protections with a “Very Low” or “Low” Performance Impact are processed 100% in the Accelerated Path (SXL)
- Protections with a “Medium” Performance Impact are processed at least 90% in the PSLXL Path
- Protections with a “High” Performance Impact appear to be processed about 50% in the PSLXL Path and about 50% in the CPASXL Path (Note that all imported SNORT IPS signatures are automatically assigned this ranking and are therefore ineligible for handling in the Accelerated Path)
- Protections with a “Critical” Performance Impact are processed 100% in the CPASXL and Firewall Paths (F2F)
Finally, leaving an IPS protection set in Detect mode causes much more overhead in the Firewall than setting it to Inactive or even Prevent; a flagrantly bad example is an IPS protection set to Detect with logging for it disabled. Fortunately there have been some great tools introduced recently to assist with getting IPS protections out of Detect mode in a streamlined, automated fashion.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 66 | |
| 19 | |
| 8 | |
| 6 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 2 |
Thu 02 Jul 2026 @ 06:00 PM (CST)
Revolucionando la Seguridad con IA Generativa: Prevención Inteligente en Tiempo RealThu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASETue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeThu 02 Jul 2026 @ 06:00 PM (CST)
Revolucionando la Seguridad con IA Generativa: Prevención Inteligente en Tiempo RealAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY