Reinaldo_Fernan
Contributor

Scan events

Hello All,

I'm looking for some help with the following: we had a scan event on one of our SFTP edges, which uses the Check Point as its gateway. No data exfiltration or lateral movement has been detected.

Below an example of scan in question:


We are looking for a possible solution for this, something like adding a dynamic blacklist or "timeout". For example, if an IP has 3+ IPS protection triggers within 5 minutes, it is automatically added to a blacklist for 7 days or indefinitely.

I'm not aware whether the IPS module is able to perform such an operation; as a possible solution we are considering getting a license for Smart Event and setting up something like the config below:

If you have any other ideas that would be much appreciated.

Many Thanks. 

0 Kudos
6 Replies
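The threshold logic described in the question (3+ IPS triggers from one source within 5 minutes earn a 7-day block), worked through as an added example. This is not Check Point code and does not use any Check Point API; the log line format is an assumption constructed for the example, and the sample events are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 3                      # IPS triggers from one source ...
WINDOW = timedelta(minutes=5)      # ... inside this sliding window ...
BLOCK_FOR = timedelta(days=7)      # ... earn a block of this length
# Assumed (constructed) log format: '<ISO-8601 UTC> src=<ip> protection="<IPS protection>"'
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) protection="(?P<prot>[^"]+)"')

def parse_event(line):
    """Return (timestamp, source_ip, protection), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return ts, m['src'], m['prot']

def evaluate(lines, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Replay time-ordered log lines; return {source_ip: block_expiry} for offenders."""
    recent = defaultdict(deque)    # source_ip -> trigger timestamps still inside the window
    blocked = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue               # skip lines that don't match the expected format
        ts, src, _ = ev
        if src in blocked and ts < blocked[src]:
            continue               # already blocked: the edge would drop this, don't re-count
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # slide the window: forget triggers older than WINDOW
            q.popleft()
        if len(q) >= threshold:
            blocked[src] = ts + block_for
            q.clear()
    return blocked

# Constructed sample events (RFC 5737 documentation addresses), in time order.
SAMPLE_LOG = [
    '2024-01-15T10:00:00Z src=203.0.113.5 protection="Port Scan"',
    '2024-01-15T10:00:00Z src=192.0.2.9 protection="SSH Scan"',
    '2024-01-15T10:01:30Z src=203.0.113.5 protection="Port Scan"',
    '2024-01-15T10:02:00Z src=192.0.2.9 protection="SSH Scan"',
    '2024-01-15T10:03:00Z src=203.0.113.5 protection="Port Scan"',  # 3rd in 3 min -> block
    '2024-01-15T10:04:00Z src=203.0.113.5 protection="Port Scan"',  # ignored: already blocked
    '2024-01-15T10:05:01Z src=192.0.2.9 protection="SSH Scan"',     # 10:00 trigger has aged out
    'not a log line at all',                                         # skipped by the parser
    '2024-01-15T10:06:00Z src=192.0.2.9 protection="SSH Scan"',     # 3 within 4 min -> block
]
```

Calling `evaluate(SAMPLE_LOG)` returns both sources with an expiry seven days after their third qualifying trigger; the 10:05:01 event for 192.0.2.9 shows why a sliding window, not a fixed 5-minute bucket, is needed to match the stated rule.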
G_W_Albrecht
Legend

I would suggest starting by studying sk103154: How to block traffic coming from known malicious IP addresses - you will find further references there. For R80.20, there is even a new feature: R80.20 - IP blacklist in SecureXL.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Reinaldo_Fernan
Contributor

Hello,

Thank you for the details provided.

What we are looking for is not to block traffic coming from known malicious IPs, but some sort of dynamic configuration where we can set up thresholds, and once there is an incident this traffic gets dropped.

I think Smart Event looks quite similar to what we are looking for:

0 Kudos
G_W_Albrecht
Legend

What you need is referred to there, I think: How to configure Rate Limiting rules for DoS Mitigation

CCSE CCTE CCSM SMB Specialist
0 Kudos
Anthony_Nguyen
Employee

Reinaldo_Fernan
Contributor

Thank you for your reply.

We don't want to change the IPS policy to detect, as this will just work as IDS and not IPS. The idea is to set up a threshold, so if we see 3 scan attempts from a source it would automatically block it.

0 Kudos
Alex_Weldon
Contributor

I would recommend taking a look at sk74520 - SecureXL penalty box. Also, if you are interested in folding in some dynamic blocking in addition to this, take a look at https://opendbl.net - lists are updated every 12 hours and provide another layer of protection.

0 Kudos