Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Network_M
Collaborator

Detect and Prevent difference

In SmartView, when CheckPoint shows Attacks (for example 2 critical attacks), If I click it (let's say it is found by Anti-Virus blade), it shows details and writes only "Action: Detect" and  "not prevented by policy".

Besides, in General Overview tab, it shows general information about detection and prevention (%).

How can I clearly understand them?

Does it mean that blades cannot prevent all type of attacks?

What is the difference between detect and prevent? Does "detect" refers to some kind of protection?

6 Replies
Daniel_Taney
Advisor

If attacks are being logged as "Detect" it is because the Threat Prevention policy has not been set to "Prevent" those particular signatures. Based on the "a1.jpg" screen shot, it looks like your policy is in detect mode. Detect mode will just log + alert you to an event happening, but the Gateway won't actually prevent anything from happening. This mode is good to give you an idea what is going on in your environment. 

However, if you want the Gateway to prevent things, those policies need to be changed over to "Prevent". In R80.10, you can do this by going to Security Policies -> Threat Prevention -> Policy and reviewing the settings. Check Point offers some "out of the box" templates like Strict, Optimized, and Basic to get you started. If you aren't totally familiar with Threat Prevention, one of these templates may be a good place to start. 

R80 CCSA / CCSE
Network_M
Collaborator

Is it dangerous for my network if it keeps going on in detect mode?

Or should I change it to prevent mode?

I'm not totally familiar with Threat Prevention and I don't know how to exactly turn on prevent mode.

I will check that templates, thanks.

0 Kudos
Tomer_Sole
Mentor
Mentor

Yes, Detect is basically a temporary mode until the administrator makes a verdict to completely block the attack or disable a false-positive inspection. Sometimes doing full prevent + adding exceptions for certain internal traffic with "disable" is also acceptable.

The log card has various "go-to" links that let you change the configuration from there. Make sure to install policy to apply the change. 

Compliance Blade will present a list of action items related to Threat Prevention. Some of them advise to switch from "detect-only" mode to "according to the policy".

Network_M
Collaborator

Which point I can start from?

0 Kudos
PhoneBoy
Admin
Admin

From one of the default policies as noted above.

For most customers, we recommend using the Optimized profile.

If you're new, you might want to review this TechTalk we did:

TechTalk: Advanced Threat Prevention Best Practices

Diego_Crispin
Explorer

t detects and validates if it is malicious, if it is not, let it pass and be for malicious it blocked?

does it detect and prevent any action you take with this subscription service?

it inhibits the service, scam tools will no longer be able to view active service?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events