Hi,
I'm trying to get some info regarding the processing of incoming traffic, what blades it follows.
According to Chat, if it's correct:
For an incoming packet on a Check Point Security Gateway, the blades are typically processed in the following order: first, anti-spoofing and then the Security Policy (which includes Application Control, URL filtering, and Content Inspection). If the connection is accepted, Threat Prevention (including Antivirus, IPS, and other features) is applied. TLS/SSL Inspection may occur before or during the Security Policy inspection depending on configuration.
Here's a breakdown of the typical order:
1. Anti-Spoofing:
The first check is to prevent spoofed IP addresses from entering the network.
2. Security Policy:
This is the main set of rules that determines whether traffic is allowed or denied.
TLS/SSL Inspection (Conditional): If TLS/SSL Inspection is enabled on the gateway, it's applied at this stage, before or during the main security policy inspection.
Application Control, URL Filtering, Content Inspection: These blades are part of the Security Policy and inspect the traffic for allowed applications, web sites, and specific content.
3. Threat Prevention:
If the traffic is accepted by the Security Policy, it then moves to the Threat Prevention stage.
Antivirus (AV), IPS, etc.: This includes features like Intrusion Prevention System (IPS) and other threat detection and prevention mechanisms.
Key Considerations
Configuration Dependent:
The exact order can vary based on the specific features enabled and how they are configured in your Security Policy and blade settings.
Firewall Policy:
The Security Policy is where you define the rules for accepting or blocking traffic based on various criteria.
fw monitor:
You can use the fw monitor tool to see the actual inspection points for incoming traffic (e.g., i for pre-inbound, I for post-inbound).
There is a Security Policy rule with a source IP, dst: Any, all ports: drop.
But we see that IP in the IPS log with a Prevent.
Why would we see this IPS log and not a drop?
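As an added example (not from the original post or from Check Point), here is a small script that turns the inspection points mentioned above (i, I, o, O) into a per-packet verdict from fw monitor output. The basis for the verdicts is that the firewall rulebase (the fw VM inbound chain) is evaluated between i and I, so a packet that appears at i but never at I was dropped or consumed on the inbound chain, while a packet that reaches O was forwarded. The line layout of fw monitor output used by the regex is the R80.x-style text format as I recall it and is an assumption; the sample capture is constructed, not a real one.

```python
"""Classify packets from fw monitor output by the inspection points they reached.

Added example, not the original poster's or Check Point's code.
Inspection points: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound.
Verdict basis: the firewall rulebase (fw VM inbound) sits between i and I, so a packet
seen at i but never at I was dropped or consumed on the inbound chain.

Assumption: fw monitor's R80.x-style text output looks like the SAMPLE below
(an optional "[vs_0][fw_0]" prefix, then "iface:POINT[caplen]: src -> dst (PROTO) len=N id=N",
followed by a TCP/UDP port line). Typical invocation whose output (or -o file) this
parses, syntax as recalled:
    fw monitor -e 'accept src=192.0.2.10;' -m i,I,o,O
"""
import re

HEADER_RE = re.compile(
    r"^(?:\[vs_\d+\]\[fw_\d+\]\s*)?"                  # optional VS / fw instance prefix
    r"(?P<iface>[^\s:]+):(?P<point>[iIoO])\[(?P<caplen>\d+)\]:\s*"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s*"
    r"\((?P<proto>\w+)\)\s*len=\d+\s*id=(?P<ipid>\d+)"
)
PORT_RE = re.compile(r"^(?:TCP|UDP):\s*(?P<sport>\d+)\s*->\s*(?P<dport>\d+)")


def parse_fw_monitor(text):
    """Return {(src, dst, proto, ip_id): {"points": set, "ports": (sport, dport) or None}}.

    A packet is identified by its IP header fields and IP ID, so the same packet
    seen at several inspection points collapses into one entry.
    """
    packets = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key = (m["src"], m["dst"], m["proto"], int(m["ipid"]))
            entry = packets.setdefault(key, {"points": set(), "ports": None})
            entry["points"].add(m["point"])
            last = entry
            continue
        p = PORT_RE.match(line)            # TCP/UDP detail line belongs to the last header
        if p and last is not None:
            last["ports"] = (int(p["sport"]), int(p["dport"]))
    return packets


def classify(points):
    """Map the set of inspection points a packet reached to a verdict string."""
    if "O" in points:
        return "forwarded (reached post-outbound O)"
    if "o" in points:
        return "dropped/consumed on outbound chain (o seen, O not seen)"
    if "I" in points:
        return "passed inbound chain (I seen; local delivery or no outbound seen)"
    if "i" in points:
        return "dropped/consumed on inbound chain (i seen, I never seen)"
    return "no inspection point recorded"


def report(text):
    """Return one summary line per packet, in first-seen order."""
    lines = []
    for (src, dst, proto, ipid), entry in parse_fw_monitor(text).items():
        ports = entry["ports"]
        flow = f"{src}:{ports[0]} -> {dst}:{ports[1]}" if ports else f"{src} -> {dst}"
        pts = "".join(p for p in "iIoO" if p in entry["points"])
        lines.append(f"{proto} {flow} id={ipid} points={pts}: {classify(entry['points'])}")
    return lines


# Constructed sample (not a real capture): 192.0.2.10 is only seen pre-inbound,
# 192.0.2.20 traverses all four points, the ICMP packet has no port line.
SAMPLE = """\
[vs_0][fw_0] eth0:i[44]: 192.0.2.10 -> 198.51.100.5 (TCP) len=44 id=1
TCP: 40000 -> 443 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:i[44]: 192.0.2.20 -> 198.51.100.5 (TCP) len=44 id=2
TCP: 40001 -> 443 .S.... seq=1a2b3c4e ack=00000000
[vs_0][fw_0] eth0:I[44]: 192.0.2.20 -> 198.51.100.5 (TCP) len=44 id=2
TCP: 40001 -> 443 .S.... seq=1a2b3c4e ack=00000000
[vs_0][fw_0] eth1:o[44]: 192.0.2.20 -> 198.51.100.5 (TCP) len=44 id=2
TCP: 40001 -> 443 .S.... seq=1a2b3c4e ack=00000000
[vs_0][fw_0] eth1:O[44]: 192.0.2.20 -> 198.51.100.5 (TCP) len=44 id=2
TCP: 40001 -> 443 .S.... seq=1a2b3c4e ack=00000000
[vs_0][fw_0] eth0:i[84]: 192.0.2.30 -> 198.51.100.5 (ICMP) len=84 id=3
ICMP: type=8 code=0 echo request id=1 seq=1
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Two caveats when reading the result against a real gateway: accelerated (SecureXL) traffic was not captured by fw monitor on older releases, so an absent packet is not proof of a drop, and `fw monitor -p all` (syntax as recalled) prints the chain module positions so the i/I gap can be matched to the specific module, which is the kind of evidence needed to reconcile a rulebase drop with a log from another blade.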