This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2025-06-11 08:50 AM

TP - Best Practices

Hello, Mates.

In VSX environments, the recommendation regarding enabling Threat Prevention Blades on all the VS's you have, is always going to depend on how ‘robust’ your main VSX box is?

Does enabling Threat Prevention “force” you to also enable HTTPS Inspection on your VS's or is this always optional?

Thanks for your recommendations.

0 Kudos
10 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-06-11 09:11 AM

Hey bro,

I always tell people to follow this mentality "When in doubt, always leave default settings". If then, you notice any issues, you can tailor it as needed.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-06-11 11:17 AM

You only enable IPS on VS0 for updates not to protect VS0. VS0 is for mgmt purpose 

Should I enable IPS Software Blade on the VSX Gateway?

You must enable and configure the IPS Software Blade in these objects:

  1. VSX Gateway or VSX Cluster (because VS0 handles contract validation for all Virtual Systems).

  2. Applicable Virtual Systems.

 

To enable Anti-Bot, Anti-Virus, or IPS on Virtual Systems

Important:

Make sure the routing, DNS, and proxy settings for the VSX GatewayClosed or VSX ClusterClosed Members (VS0) are configured correctly.

You must enable and configure the Software Blades in these objects:

VSX Gateway or VSX Cluster (because VS0 handles contract validation for all Virtual Systems).

Applicable Virtual Systems.

Make sure the VSX Gateway or VSX Cluster and the applicable Virtual Systems can connect to the Internet.

Virtual Systems get updates through the VSX Gateway or VSX Cluster (VS0).

If the VSX Gateway or VSX Cluster fails to connect, each Virtual SystemClosed uses its proxy settings to get the updates from the Internet.

 

 

Regarding HTTPS inspection. Now you can run IPS without but you don't get the full inspection. The firewall cannot inspect traffic that is encrypted. Most traffic now is encrypted so it is quite important. 

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-06-11 11:28 AM
In response to Lesley

To enable IPS/AB/AV blades, there are 2 ways?

Because I know people who enable these blades ‘Instance by Instance’ (VS x VS), but according to your explanation, I understand that I can enable the blades from the box as such (VS0) and this should ‘Replicate’ on all my VS's?

Is that the logic?

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-06-11 11:34 AM
In response to Matlu

If you want to use IPS on a VS you always enable it on VS0 and any other VS that you want to run IPS.

For example

VS0: IPS

VS1:No ips because internal fw

VS2: IPS enabled

You can attach a IPS profile on each VS, also VS0

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-06-11 12:17 PM
In response to Lesley

Does the IPS recommendation also apply to other blades, such as AB and AV?

 

Or AV/AB can be enabled on the VS's one needs, without the need to enable it also on VS0?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-11 12:56 PM
In response to Matlu

Yes, AB/AV should only be enabled on VSes where it is required.
Traffic is checked via ThreatCloud, so the VS needs Internet access.

Matlu
MVP Silver
MVP Silver
‎2025-06-11 03:49 PM
In response to PhoneBoy

In general terms, does Threat Prevention make sense to be used in FW or VS's that have Internet access?

Because these blades, enabling them in FW that do not have Internet access, would not make sense, right?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-06-11 03:53 PM
In response to Matlu

Personally bro, at least in my logical opinion, it makes total sense to use those blades on VS with Internet access and NOT use them on ones that dont have it. Its literally same method for regular quantum fws and truth be told, pretty much applies to any fw vendor out there.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-06-12 12:38 AM
In response to Matlu

Yes also needed on VS0

Anti-Bot and Anti-Virus

Click Here to Show This Section
-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-06-11 04:49 PM

HTTPS is not mandatory for TP but what the blades can see is limited to clear traffic without it same as any gateway.

IPS and TEX are the two blades I believe must be enabled also on VSO if to be used on other VS.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events