This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Richard_Lee
Participant
‎2018-06-14 01:17 PM

R80.10 and IPS protections

We recently updated our management firewalls to R80.10 and since the upgrade we've noticed quite a few of IPS Protection blocks that weren't triggered in our previous gaia version.

Has anyone else seen or experienced this after moving to R80.10? A case was created with Checkpoint and they mentioned that Gaia upgrade to R80.10 has nothing to do with the IPS blade and therefore it isn't the cause.

It just seems odd that all this is occurring after our upgrading our management firewall to R80.10. The gateways are still R77.30.

Any ideas?

5 Replies
PhoneBoy
Admin
Admin
‎2018-06-15 07:28 AM

Which IPS profile are you using?

The default profiles in R77.x (Default, Recommended) are different from the ones in R80.x (Basic, Optimized, Strict).

In terms of protections enabled, it's something like: Default < Basic < Optimized < Recommended < Strict (where Strict has the most protections enabled).

Also a number of changes were made in IPS protections: List of IPS Protections removed in R80.x 

Bottom line: entirely possible more protections are active.

See also: Check Point R80.10 IPS Best Practices 

0 Kudos
Richard_Lee
Participant
‎2018-06-20 06:23 AM
In response to PhoneBoy

Hi Dameon,

Thank you for your reply. After reviewing our IPS protections, the profile has not changed. We run the recommended protections and I found that the same protection name "Internet Explorer FTP Response Parsing Memory Corruption MS07-016 CVE-2007-0217:on our other management firewalls are enabled as well, but we don't see the same issue in the R77.30 environment. 

I'm might have to follow up with Checkpoint and find out why this is the case. Currently in the environment where we see the issue, we have the management FW at R80.10 and the gateways at R77.30. We have other Management FWs that need to get to R80.10 and I'm going to change the IPS to detect for that specific protection name prior to the upgrade.

It's odd that we started seeing this issue only after the R80.10 upgrade.

Thanks,

Richard

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-20 08:23 AM
In response to Richard_Lee

The underlying parser is different between R77.30 and R80.10, which could account for some difference in behavior.

I recommend engaging with the TAC so we can troubleshoot what's going on. 

Huseyin_Rencber
Collaborator
‎2018-06-15 02:13 PM

Did you change your profiles after upgrade ? Check the inspection settings, with R80x some of protection moved from IPS blade to inspection section. In a pre-R80 smardashboard , inspection settings are configured as IPS protections.

Richard_Lee
Participant
‎2018-06-20 06:38 AM
In response to Huseyin_Rencber

The profiles did not change. The protection causing issues is called "Internet Explorer FTP Response Parsing Memory Corruption (MS07-016) CVE-2007-0217. This same protection is enabled on our other locations and we don't see the issues over seas. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events