Oguz_YILMAZ
Participant

What is the exact time to be able to obtain IPS signature updates after they are released?

Hi everyone,

My question is about IPS signature updates. As you know, the "Oracle WebLogic WLS Core Component Remote Code Execution (CVE-2018-2628)" vulnerability was published four days ago and I was informed via e-mail by Check Point. Although I regularly check IPS signature updates, this and a couple of additional updates appeared on our management server just today. Do you know the reason? Is it possible to accelerate or trigger obtaining freshly released IPS signature updates immediately?

8 Replies
PhoneBoy
Admin

We tend to publish updated IPS signatures several times a week.

However, I don't believe we send out mails every time we do so.

You can schedule downloads of the IPS signatures and the required threat policy installation in SmartConsole:

(Clearly, I should also configure this option :) )

Note R80.20 Gateways are expected to have an option allowing automatic fetching of latest signatures without an explicit or scheduled policy installation.

0 Kudos
Oguz_YILMAZ
Participant

Hi Dameon,

Thank you for your interest. What I am asking is that, as you publish the IPS updates, mostly we get these updates a few days later. Until we get an update which was published a couple of days ago, we may not be protected and may be open to vulnerabilities. Is it possible to get the update notification as soon as you publish the signatures? Do you prioritize your customers based on some kind of type, such as geolocation etc., to be able to protect your update servers from excessive requests?

0 Kudos
PhoneBoy
Admin

If you configure automatic updates and threat policy installation as described above, you'll always have the most recent signatures applied to your gateways, whether or not they are mentioned in the IPS-NEWS emails.

The signatures are distributed via CDN, so there may be a delay from when we publish to when they are available to you.

0 Kudos
PhoneBoy
Admin

I followed up with some folks in the IPS team.

It turns out we actually do send out emails every time the signatures are updated to the IPS-NEWS mailing list.

We send these emails immediately after pushing, though emails may be delayed for various reasons outside our control.

If you see an IPS update and didn't get an email about it, please let us know so we can troubleshoot.

0 Kudos
Oguz_YILMAZ
Participant

Actually, the main issue is not getting an email about the IPS update. I get an email about the IPS update, but I do not see the available update within a short time on my management server, which is already configured as you stated above. If Check Point or other security companies or cybersecurity-related communities become aware of and inform about a vulnerability, and let's say Check Point takes the necessary measures for that specific vulnerability and publishes the protection via an IPS signature update, the delay can be annoying. Security is the main concern nowadays, and delays of around 3-4 days are unacceptable for me.

The same situation drew the attention of another member of the CheckMates community (Oracle Web logic Server WLC Vulnerability). For this member, it lasted only one day, whereas it was 4 days for me.

Maybe a couple of hours after the e-mail notification, if the IPS update is not available for me, I should download offline updates if possible. Would you mind sharing with me where I can download the offline updates?

0 Kudos
PhoneBoy
Admin

Offline updates require agreeing to a specific EULA, which your local account team can assist with.

As for the delay in receiving updates, I will check offline how we can troubleshoot this and contact you privately.

0 Kudos
PhoneBoy
Admin

Actually, scratch that.

Please open a ticket with the TAC so we can troubleshoot why you're not getting the updates within, say, a couple hours of the email going out.

Contact Support | Check Point Software 

0 Kudos
Oguz_YILMAZ
Participant

Thank you Dameon for your concern. Tomorrow we are going to open a ticket. I hope we can understand the reason and solve this issue with your great effort.
