I am in a situation where the only threat prevention blade my gateways are running is IPS. A custom profile is being used that has had its IPS protections tweaked over many years and I can't just abandon it and start using another profile like "Optimized".
I need to enable Anti-Bot and Anti-Virus and I want to do so with the "Optimized" profile.
I modified my threat prevention policy so that rule 1 has the "Optimized" profile and only Anti-Bot and Anti-Virus turned on. Rule 2 has only IPS turned on and is using "My Custom IPS" profile.
My thought was that traffic would hit rule 1 and go through ABOT and AV and then continue on to rule 2 for IPS but it doesn't, it stops at rule 1 and this basically turns off IPS for me.
Is there a way I can use different profiles for different blades?
Or if I simply alter the setting(s) of "My Custom IPS" profile by enabling Anti-Bot and Anti-Virus for it and changing the settings to mirror the "Optimized" profile? For example I would change the "Performance Impact" in "My Custom IPS" to "Medium or Lower" to match.
That would probably change the settings on some of my IPS protections but at least I can go look ahead of time and see which ones may be changed when I change settings.
Are the only differences with the out-of-the-box profiles the settings such as performance impact, severity, high confidence, etc., or is there more behind the scenes that I can't see?
I have tested the above using both 80.30 and 80.40 with the same results.
As in the Access Control rulebase, the Threat Prevention rulebase can also only have one hit. You can of course build rules with different protected scopes or source/destination. You can just enable additional blades in the profile with the corresponding severity etc., and there are no differences between the out-of-the-box profiles and newly created ones. You also cannot edit those profiles, you can only clone them.
You can however clone your existing profile and keep all custom IPS protections. You would end up with two profiles: your "old" IPS-only profile and the new profile with every feature you like with your existing IPS protections:
Hi Marcel,
When I clone my existing profile and keep my custom IPS protections the clone that is generated has the performance impact set to high or low just like the original. Are you suggesting that I would change the cloned new one manually to medium or lower?
Yes, that's what I would do. As I said there is no hidden magic behind the out of the box profiles so just changing those parameters will do the trick.
A little-known feature added in R80 is the ability to have more than one Threat Prevention policy. All Threat Prevention policies are evaluated simultaneously, one rule match is found from each, and the most stringent action is applied. What I would do to minimize the impact on your existing configuration is leave your existing TP layer with My Custom IPS only alone, then add a second TP policy layer that references your Optimized AV/ABOT profile. This way the existing IPS implementation is not touched, and any problems that suddenly appear are definitely a result of the new AV/ABOT profile and second TP policy.
Here is an excerpt from my 2021 IPS/AV/ABOT Immersion Video Course that mentions this exact topic and shows an example:
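To make the two matching behaviours discussed in this thread concrete, here is an added model (not Check Point code and not from the video course) of how a single Threat Prevention layer stops at its first hit, and how several layers each contribute one match with the most stringent action per blade winning. The profile contents, the action names and the Prevent > Detect > Inactive ordering are assumptions of the model.

```python
# Added example (not Check Point code): a minimal model of Threat Prevention
# rule matching as described in the thread. One layer yields at most ONE
# matching rule (first match wins); with several layers, each layer
# contributes its match and the most stringent action per blade applies.
from dataclasses import dataclass

# Assumed stringency order for the model: Prevent > Detect > Inactive
STRINGENCY = {"Inactive": 0, "Detect": 1, "Prevent": 2}


def any_conn(conn):
    """Default protected scope: matches every connection."""
    return True


@dataclass
class Profile:
    name: str
    actions: dict  # blade name -> action, e.g. {"IPS": "Prevent"}


@dataclass
class Rule:
    name: str
    profile: Profile
    matches: object = any_conn  # scope / source / destination predicate


def first_match(layer, conn):
    """Single TP layer: return the first rule whose scope matches, else None."""
    for rule in layer:
        if rule.matches(conn):
            return rule
    return None


def effective_actions(layers, conn):
    """One match per layer; keep the most stringent non-Inactive action per blade."""
    result = {}
    for layer in layers:
        rule = first_match(layer, conn)
        if rule is None:
            continue
        for blade, action in rule.profile.actions.items():
            if STRINGENCY[action] > STRINGENCY[result.get(blade, "Inactive")]:
                result[blade] = action
    return result


# Constructed profiles mirroring the thread: AV/ABOT-only and IPS-only
OPTIMIZED_AV_ABOT = Profile("Optimized (AV+ABOT)", {"Anti-Virus": "Prevent", "Anti-Bot": "Prevent", "IPS": "Inactive"})
MY_CUSTOM_IPS = Profile("My Custom IPS", {"IPS": "Prevent", "Anti-Virus": "Inactive", "Anti-Bot": "Inactive"})
# Configuration from the question: both rules in ONE layer, so rule 2 is never reached
SINGLE_LAYER = [[Rule("1 AV/ABOT", OPTIMIZED_AV_ABOT), Rule("2 IPS", MY_CUSTOM_IPS)]]
# Configuration from the second answer: IPS layer left alone, AV/ABOT in a second layer
TWO_LAYERS = [[Rule("1 IPS", MY_CUSTOM_IPS)], [Rule("1 AV/ABOT", OPTIMIZED_AV_ABOT)]]

if __name__ == "__main__":
    conn = {"src": "10.0.0.5", "dst": "203.0.113.9"}  # constructed sample connection
    print("single layer:", effective_actions(SINGLE_LAYER, conn))
    print("two layers:  ", effective_actions(TWO_LAYERS, conn))
```

Running it shows the single-layer configuration dropping IPS entirely, while the two-layer configuration keeps IPS, Anti-Virus and Anti-Bot all in Prevent.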