This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sajin
Contributor
‎2019-05-20 12:24 PM

IPS Blade is preventing but not enabled

I enabled Threat Prevention Blade and later disabled all Threat Prevention Blades from Policies and Layers and General properties of the Firewall but could see IPS  and AB traffic in the logs which is DETECT and PREVENT. In SSH , "enabled_blades" it doesn't show the Threat Prevention Blades. The logs shows the OPTIMIZED profile is being blocked but there is no Threat Prevention in the policies. When i click OPTIMIZE profile in the log it takes me to READ ONLY MODE where in the Threat Prevention i could see the OPTIMIZED profile is enabled with all Blades. 

Closed the READ ONLY page and enabled back the THREAT PREVENTION Blade with IPS, AV, AB and  created a new profile disabling all the Blades and installed policy. Later again disabled Threat Prevention. Now am not able to see any Threat prevention Logs.

In the CPVIEW i could see the Threat prevention Blades enabled but not in "enabled_blades". Myself stimulated the same scenario in a VM and ended up with the same situation.

Kindly assist whether the IPS Blades will inspect traffic based on the Blades enabled in the General profile or profile inside the Threat prevention.

Firewall- R80.10

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-05-20 01:49 PM

If you've disabled the blades in the General Properties of the relevant gateway object, then the blades should not be active irrespective of the Threat Prevention profile assigned.
For any of these changes to take effect, the policy must be pushed to the relevant gateway.
For R80.x gateways, you can push just the Threat Prevention profile.
For R77.x gateways with IPS, you also need to push the Access Control policy.
0 Kudos
Timothy_Hall
Champion
Champion
‎2019-05-20 03:23 PM

What is being enforced is probably the "Inspection Settings" part of the Access Control policy on your R80.10 gateway.  These will be enforced separate from any part of Threat Prevention, have you checked there?  Inspection Settings used to part of IPS in R77.30 which can be a bit confusing...

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫