This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sushantjoshi
Contributor
‎2024-06-17 12:22 AM
Jump to solution

IPS Policy

I am trying to get my head around IPS Policy.

Firewall I am managing was setup by another guy who is no longer in the company

There are three rules in my existing Custom policy INTERNET_IN_PROFILE , INTERNET_OUT_PROFILE, VPN_IN_PROFILE ( image attached)

IPS-POLICY.png

There is no protected scope applied with any of these rules but interestingly when I check the logs the first rule (Internet IN - Threat Policy) only prevents/detects IPS in the incoming traffic i.e inbound traffic mainly towards my application.

The second rule only prevents/detects IPS outbound traffic i.e traffic usually generated from my internal network.

There is no scope defined so bit confused about how this is working.

 

 

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2024-06-17 12:42 AM
Jump to solution

Right click on the dark blue bar and add the missing column like source. Then you will understand the policy

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

(1)
the_rock
MVP Platinum
MVP Platinum
‎2024-06-17 06:27 AM
In response to sushantjoshi
Jump to solution

I dont believe top to bottom approach even matters here, like it would in normal policy rules. Btw, yes, you are correct, inactive means it will NOT inspect/apply to source/dst.

Andy

Best,
Andy

View solution in original post

(1)
8 Replies
Lesley
MVP Gold
MVP Gold
‎2024-06-17 12:42 AM
Jump to solution

Right click on the dark blue bar and add the missing column like source. Then you will understand the policy

-------
Please press "Accept as Solution" if my post solved it 🙂
(1)
sushantjoshi
Contributor
‎2024-06-17 03:28 AM
In response to Lesley
Jump to solution

Thank You Lesley and sorry for being a noob on this one.

One more thing how does this rule work ? Match from top to bottom or will the E-1.1 , E1.2 will get bypassed from the Threat Prevention profile and rest of them will get inspected ? Does the Inactive in the Action section refers to not inspect the matching source and destination ? 

 

IPS-EXCEPTION.png

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-17 06:27 AM
In response to sushantjoshi
Jump to solution

I dont believe top to bottom approach even matters here, like it would in normal policy rules. Btw, yes, you are correct, inactive means it will NOT inspect/apply to source/dst.

Andy

Best,
Andy
(1)
Timothy_Hall
MVP Gold
MVP Gold
‎2024-06-17 07:31 AM
In response to sushantjoshi
Jump to solution

Rules E-1.1 and E-1.2 are exceptions that can change the final decision (Inactive, Prevent, Detect) of what to do only if rule 1 is matched.  If rule 1 is not matched, E-1.1 and E-1.2 are skipped.  Overall in the Threat Prevention layers just the first matching rule is taken, unless there is more than one Threat Prevention policy layer (not common), in which case the first matching rule is selected in all TP layers, and the most stringent action wins unless there is an exception which changes it.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
Lesley
MVP Gold
MVP Gold
‎2024-06-17 11:25 AM
In response to sushantjoshi
Jump to solution

What the guys told me below applies here. Only advise I can give is consider to remove the exceptions because they seem to whitelist a lot. 1.2 is whitelist for traffic TOWARDS internet. So if a hosts connects to a C&C server on internet it will be skipped due the exception and not inspected by for example anti-bot blade. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
sushantjoshi
Contributor
‎2024-06-17 08:02 PM
In response to Lesley
Jump to solution

Hello @Lesley  there is an Edge firewall as well and before the packet goes out to the internet it has to be traverse the Edge firewall. We do not want to be using Threat Prevention with same signatures and everything in 2 places and on top of that both of them are Checkpoint

0 Kudos
sushantjoshi
Contributor
‎2024-06-18 09:27 PM
In response to sushantjoshi
Jump to solution

@Timothy_Hall one more thing do we expect to see any logs from those exception ? 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-19 04:52 AM
In response to sushantjoshi
Jump to solution

Definitely you should get them. I know few customers who use them and we always see the logs. By default, when you create them, logging is enabled.

Andy

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events