cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

R80.10 and IPS protections

We recently updated our management firewalls to R80.10 and since the upgrade we've noticed quite a few of IPS Protection blocks that weren't triggered in our previous gaia version.

Has anyone else seen or experienced this after moving to R80.10? A case was created with Checkpoint and they mentioned that Gaia upgrade to R80.10 has nothing to do with the IPS blade and therefore it isn't the cause.

It just seems odd that all this is occurring after our upgrading our management firewall to R80.10. The gateways are still R77.30.

Any ideas?

5 Replies
Admin
Admin

Re: R80.10 and IPS protections

Which IPS profile are you using?

The default profiles in R77.x (Default, Recommended) are different from the ones in R80.x (Basic, Optimized, Strict).

In terms of protections enabled, it's something like: Default < Basic < Optimized < Recommended < Strict (where Strict has the most protections enabled).

Also a number of changes were made in IPS protections: List of IPS Protections removed in R80.x 

Bottom line: entirely possible more protections are active.

See also: Check Point R80.10 IPS Best Practices 

0 Kudos

Re: R80.10 and IPS protections

Hi Dameon,

Thank you for your reply. After reviewing our IPS protections, the profile has not changed. We run the recommended protections and I found that the same protection name "Internet Explorer FTP Response Parsing Memory Corruption MS07-016 CVE-2007-0217:on our other management firewalls are enabled as well, but we don't see the same issue in the R77.30 environment. 

I'm might have to follow up with Checkpoint and find out why this is the case. Currently in the environment where we see the issue, we have the management FW at R80.10 and the gateways at R77.30. We have other Management FWs that need to get to R80.10 and I'm going to change the IPS to detect for that specific protection name prior to the upgrade.

It's odd that we started seeing this issue only after the R80.10 upgrade.

Thanks,

Richard

0 Kudos
Admin
Admin

Re: R80.10 and IPS protections

The underlying parser is different between R77.30 and R80.10, which could account for some difference in behavior.

I recommend engaging with the TAC so we can troubleshoot what's going on. 

Re: R80.10 and IPS protections

Did you change your profiles after upgrade ? Check the inspection settings, with R80x some of protection moved from IPS blade to inspection section. In a pre-R80 smardashboard , inspection settings are configured as IPS protections.

Re: R80.10 and IPS protections

The profiles did not change. The protection causing issues is called "Internet Explorer FTP Response Parsing Memory Corruption (MS07-016) CVE-2007-0217. This same protection is enabled on our other locations and we don't see the issues over seas. 

0 Kudos