This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Reinaldo_Fernan
Contributor
‎2018-11-02 03:24 AM

Scan events

Hello All,

I'm looking for some help with the following, we had a scan event on one of our SFTP edges, which uses the Check Point as it's gateway. No data exfiltration or lateral movement has been detected.

Below an example of scan in question:

 

We are looking for a possible solution on this, something like adding a dynamic blacklist, or "timeout". For example if an IP has 3+ IPS protect triggers within 5 minutes, it is automatically added to a blacklist for 7 days or indefinitely.

I'm not aware if the IPS module is able to perform such operation and as a possible solution we are considering to get a license for Smart Event, and get something like the below config:

If you have any other ideas that would be much appreciated.

Many Thanks. 

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-11-02 04:00 AM

I would suggest to start by studying sk103154: How to block traffic coming from known malicious IP addresse - you will find further references there. For R80.20, there even is a new feature: R80.20 - IP blacklist in SecureXL.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Reinaldo_Fernan
Contributor
‎2018-11-02 04:20 AM
In response to G_W_Albrecht

Hello,

Thank you for the details provided.

What we are looking is not to have a block of traffic coming from known malicious IPs, but for some sort of dynamic configurations where we can setup thresholds and once there is an incident this traffic gets dropped.

I think smart event looks quite similar of what we are looking for:

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-11-02 05:47 AM
In response to Reinaldo_Fernan

What you need is refered to there, i think of How to configure Rate Limiting rules for DoS Mitigation

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Anthony_Nguyen
Employee
Employee
‎2018-11-02 06:22 AM

You can prevent this with sk110873 - How to configure Security Gateway to detect and prevent scan

Reinaldo_Fernan
Contributor
‎2018-11-02 06:58 AM
In response to Anthony_Nguyen

Thank you for your reply.

We don't want to change the IPS policy to detect as this will just work as IDS and not IPS. The idea is to setup a threshold, so if we see a 3 scan attempts from a source it would automatically block it.

0 Kudos
Alex_Weldon
Contributor
‎2018-11-02 07:07 AM

I would recommend taking a look at sk74520 -  SecureXL penalty box. Also, if you are interested in folding in some dynamic blocking in addition to this, take a look at https://opendbl.net - Lists are updated every 12 hours and provides another layer of protection.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events