This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ravoth
Participant
‎2021-03-22 02:00 AM
Jump to solution

What's different meaning of Redirect, Detect, Drop, Block and Prevent?

Hello Everyone,

 

We are not clear with a different meaning on the keyword in Check Point such as Redirect, Detect, Drop, Block, and Prevent. Could you help to explain that keyword?

Thank you in advance!

Ravoth
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-03-22 06:08 AM
Jump to solution

Detect and Prevent relate to the various Threat Prevention blades.
Prevent means block malicious traffic according to the configured Threat Prevention profile/settings.
Detect flags such traffic the logs but does not impede.
Redirect relates to UserCheck messages in logs (i.e. instead of seeing the webpage you desire, you are redirected to a Captive Portal).
Drop usually applies to Access Policy and means traffic does not get passed by the gateway.
Block is basically the same thing.

Context matters in all of the above, but that’s their general meaning.

View solution in original post

7 Replies
_Val_
Admin
Admin
‎2021-03-22 02:20 AM
Jump to solution

Context is important. Are you talking about certain specific blades? Also, did you read documentation and/or searched this community before asking this question?

0 Kudos
Ravoth
Participant
‎2021-03-22 06:21 PM
In response to _Val_
Jump to solution

Thank you for your answer!

We already searched on that keyword, but not found.

Ravoth
PhoneBoy
Admin
Admin
‎2021-03-22 06:08 AM
Jump to solution

Detect and Prevent relate to the various Threat Prevention blades.
Prevent means block malicious traffic according to the configured Threat Prevention profile/settings.
Detect flags such traffic the logs but does not impede.
Redirect relates to UserCheck messages in logs (i.e. instead of seeing the webpage you desire, you are redirected to a Captive Portal).
Drop usually applies to Access Policy and means traffic does not get passed by the gateway.
Block is basically the same thing.

Context matters in all of the above, but that’s their general meaning.

Ravoth
Participant
‎2021-03-22 06:26 PM
In response to PhoneBoy
Jump to solution

Thank you @PhoneBoy!

Appreciating your explanation of the keyword, Have a great day! 

Ravoth
0 Kudos
Norbert_Bohusch
Advisor
‎2021-03-23 12:19 AM
In response to PhoneBoy
Jump to solution

Maybe I can explain Redirect a bit more in detail.

If you have a blade configured to Block/Prevent something (Anti-Virus, URL-Filtering, whatever) the gateway sends a redirect to the client to show the blockpage. If this redirect is not followed by the client, then the action in the log is redirect, telling you that he didn't saw the block.

The reason for this that the blocked/prevented connection is either a background connection (not done by a browser) or a part of the page like advertisements, etc. and because of that not followed by the browser.

Jeremy_Requena
Employee Alumnus
Employee Alumnus
‎2021-03-29 08:53 PM
In response to PhoneBoy
Jump to solution

Hey DWA, with Drop, I was under the assumption the gateway just swallows the packet without notifying the sender/source. 

With Block, the gateway drops the packet and sender/source is given a response.  

Is that correct?

PhoneBoy
Admin
Admin
‎2021-03-29 09:09 PM
In response to Jeremy_Requena
Jump to solution

Drop can only be done for unestablished connections, and yes, no response is set.
Block is similar to Reject, meaning a TCP Reset or ICMP Unreachable is sent. 
The primary difference: Reject is for unestablished connections, Block is for established ones.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events