- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Check Point’s Intrusion Prevention System (IPS) is a core component of Threat Prevention, providing proactive protection against a wide range of network threats. Over time, the IPS engine and its signature formats have evolved, leading to the coexistence of "normal" and "version 2 (Ver 2)" signatures. This post explains the technical reasons for maintaining both, their architectural differences, and best practices for deployment.
IPS Architecture Overview
Check Point IPS uses a multi-layered detection engine:
- Passive Streaming Library (PSL): Reconstructs network streams for inspection.
- Protocol Parsers: Identify and separate protocols (HTTP, FTP, DNS, etc.) for context-aware analysis.
- Context Management Infrastructure (CMI): Determines which protections (signatures) apply to each protocol context.
- Pattern Matcher: The detection engine that uses signatures to identify malicious patterns.
IPS Inspection Flow Diagram
Traffic is processed through multiple analysis stages, with signatures applied at different protocol layers.
Normal vs. V2 Signatures: Technical Comparison
| Feature | Normal Signature | V2 Signature (INSPECTv2) |
|---|---|---|
| Detection Engine | Classic Pattern Matcher | INSPECTv2 (advanced engine) |
| Coverage | Known threats | New threats, evasive techniques, improved accuracy |
| Performance | Lower resource usage | May require more CPU/memory, but optimized for accuracy |
| Compatibility | Legacy gateways | Modern gateways (R80+) |
| Update Frequency | Less frequent | Updated regularly |
- Normal Signatures: Use traditional pattern matching, suitable for legacy environments and lower resource consumption.
- V2 Signatures: Leverage the advanced INSPECTv2 engine, supporting complex logic, context awareness, and better detection of modern threats.
Why Maintain Both Signature Types?
- Backward Compatibility: Some older gateways may not support V2 signatures. Keeping both ensures all devices remain protected.
- Redundancy: If a V2 signature causes issues (e.g., false positives), the normal signature can provide fallback protection.
- Gradual Migration: Allows administrators to test V2 signatures in "Detect" mode before fully switching from normal signatures.
- Maximum Coverage: Certain threats may only be detected by one signature type, so using both maximizes security.
Performance Considerations
- V2 signatures can be more resource-intensive due to deeper inspection and advanced logic.
- IPS Tuning: Administrators can enable/disable specific signatures or use different profiles for perimeter vs. internal gateways.
- Bypass Under Load: IPS can be configured to bypass traffic during high load to prevent bottlenecks, but this should be used cautiously.
Best Practices for Managing Signature Versions
- Test in Staging: Always test new V2 signatures in a non-production environment.
- Monitor Updates: Review IPS update notes and apply urgent protections as needed.
- Separate Profiles: Use different IPS profiles for different gateway roles (e.g., perimeter vs. datacenter).
- Monitor Logs: Watch for false positives/negatives and adjust protections accordingly.
- Gradual Rollout: Deploy V2 signatures in "Detect" mode before moving to "Prevent."
Summary
- Normal signatures ensure compatibility and stability.
- V2 signatures provide enhanced detection and future-proofing.
- Maintaining both allows for a safe, flexible, and comprehensive security posture during transitions and upgrades.
References
Hello,
In the best practices for Managing Signature Versions, it is recommended to test V2 signatures in a non-production environment or to deploy them in Detect Mode.
I have a question that may sound a bit silly: how can a “V2 UP signature” be identified in SmartConsole?
In SmartConsole, I could not find any filters that allow sorting by IPS signature version.
And when I view the details of an IPS signature (as in the screenshot below of a recent signature), I cannot find any information indicating whether it is a Normal or V2 signature
Thank you in advance for your insights.
Your question is not silly at all! @constant69 Most people I know don't know how to see that.
A step-by-step guide on how to find version 2 in an IP signature.
You need to open the SmartConsole.
Go to Security Policies.
Then go to Threat Prevention.
Open Custom Policy.
In the lower-right corner, go to IPS Protections.
In the lower-left corner, go to ThreatCloud and select the checkbox.
At that point, you will need to look for the signature where you want to check version 2, or you can use the filter in the upper-left corner to filter by version 2, and you will see all available version 2 signatures.
From this stage, you can take whatever actions you prefer.
| User | Count |
|---|---|
| 29 | |
| 12 | |
| 12 | |
| 8 | |
| 8 | |
| 7 | |
| 7 | |
| 6 | |
| 6 | |
| 5 |
Tue 12 May 2026 @ 10:00 AM (CEST)
The Cloud Architects Series: Check Point Cloud Firewall delivered as a serviceWed 13 May 2026 @ 11:00 AM (EDT)
TechTalk: The State of Ransomware Q1 2026: Key Trends and Their ImpactThu 14 May 2026 @ 07:00 PM (EEST)
Under the Hood: Presentando Check Point Cloud Firewall como ServicioTue 12 May 2026 @ 10:00 AM (CEST)
The Cloud Architects Series: Check Point Cloud Firewall delivered as a serviceTue 19 May 2026 @ 06:00 PM (IDT)
AI Security Masters E8 - Claude Mythos: New Era in Cyber Security
