Network_M
Copper

Detect and Prevent difference

In SmartView, when Check Point shows attacks (for example 2 critical attacks), if I click one (let's say it was found by the Anti-Virus blade), it shows details and writes only "Action: Detect" and "not prevented by policy".

Besides, in General Overview tab, it shows general information about detection and prevention (%).

How can I clearly understand them?

Does it mean that blades cannot prevent all type of attacks?

What is the difference between detect and prevent? Does "detect" refer to some kind of protection?

5 Replies

Re: Detect and Prevent difference

If attacks are being logged as "Detect" it is because the Threat Prevention policy has not been set to "Prevent" those particular signatures. Based on the "a1.jpg" screen shot, it looks like your policy is in detect mode. Detect mode will just log + alert you to an event happening, but the Gateway won't actually prevent anything from happening. This mode is good to give you an idea what is going on in your environment. 

However, if you want the Gateway to prevent things, those policies need to be changed over to "Prevent". In R80.10, you can do this by going to Security Policies -> Threat Prevention -> Policy and reviewing the settings. Check Point offers some "out of the box" templates like Strict, Optimized, and Basic to get you started. If you aren't totally familiar with Threat Prevention, one of these templates may be a good place to start. 
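As an added example (not from this thread and not Check Point's own tooling), a small Python script that tallies Detect versus Prevent actions per blade and protection from exported logs, so you can see where the overview percentage comes from and which protections are only ever detected and therefore worth reviewing in the Threat Prevention profile. The key=value record layout and the field names are assumptions constructed for this example.

```python
"""Summarise Detect vs Prevent actions in Threat Prevention logs."""
import re
from collections import defaultdict

# Constructed sample records in a simple key=value layout (an assumption,
# not Check Point's actual export format); field names are assumptions too.
SAMPLE_LOGS = """\
time=10:01 blade="Anti-Virus" protection="Trojan.Generic" severity=Critical action=Detect
time=10:02 blade="Anti-Virus" protection="Trojan.Generic" severity=Critical action=Detect
time=10:03 blade="IPS" protection="SQL Injection" severity=High action=Prevent
time=10:04 blade="Anti-Bot" protection="C2 Beacon" severity=Critical action=Detect
time=10:05 blade="IPS" protection="Directory Traversal" severity=Medium action=Prevent
time=10:06 blade="IPS" protection="SQL Injection" severity=High action=Detect
"""


def parse_record(line):
    """Split one key=value line into a dict; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def summarise(text):
    """Count Detect/Prevent per (blade, protection) and return the overall
    prevented percentage, like the General Overview tab in SmartView."""
    counts = defaultdict(lambda: {"Detect": 0, "Prevent": 0})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("action") in ("Detect", "Prevent"):
            counts[(rec["blade"], rec["protection"])][rec["action"]] += 1
    total = sum(sum(c.values()) for c in counts.values())
    prevented = sum(c["Prevent"] for c in counts.values())
    percent = 100.0 * prevented / total if total else 0.0
    return dict(counts), percent


def detect_only(counts):
    """Protections that were logged but never prevented: these are the
    candidates to review when moving a profile from Detect to Prevent.
    Sorted by number of detections, highest first."""
    hits = [(blade, prot, c["Detect"]) for (blade, prot), c in counts.items()
            if c["Detect"] and not c["Prevent"]]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    counts, percent = summarise(SAMPLE_LOGS)
    print(f"prevented: {percent:.1f}% of events")
    for blade, prot, n in detect_only(counts):
        print(f"detect-only: {blade} / {prot} ({n} events)")
```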

Network_M
Copper

Re: Detect and Prevent difference

Is it dangerous for my network if it keeps going on in detect mode?

Or should I change it to prevent mode?

I'm not totally familiar with Threat Prevention and I don't know how to exactly turn on prevent mode.

I will check those templates, thanks.


Re: Detect and Prevent difference

Yes, Detect is basically a temporary mode until the administrator makes a verdict to completely block the attack or disable a false-positive inspection. Sometimes doing full prevent + adding exceptions for certain internal traffic with "disable" is also acceptable.

The log card has various "go-to" links that let you change the configuration from there. Make sure to install policy to apply the change. 

Compliance Blade will present a list of action items related to Threat Prevention. Some of them advise switching from "detect-only" mode to "according to the policy".

Network_M
Copper

Re: Detect and Prevent difference

Which point can I start from?

Admin

Re: Detect and Prevent difference

From one of the default policies as noted above.

For most customers, we recommend using the Optimized profile.

If you're new, you might want to review this TechTalk we did:

TechTalk: Advanced Threat Prevention Best Practices