cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Differences in how IPS functions in R80.10+ and R77.30

Hi All, 

 

I will be upgrading a gateway from R77.30 to R80.30 and it is running IPS. I have already upgraded the management server. I understand the policy layers and how on pre-R80.10 gateways the IPS is separate to threat prevention but what I am struggling to find any consolidated details on is if there is a difference in how IPS functions on the gateway .

 

I am trying to assess what the risk is  with IPS and service interruption when we upgrade . 

 

Any references to know URLs detailing this or SKs would be helpful. 

Thanks

0 Kudos
3 Replies

Re: Differences in how IPS functions in R80.10+ and R77.30

Obviously there are differences between R77.xx and R80.xx IPS, and List of IPS Protections removed in R80.x will help. But mostly, issue are revealed by the Pre-Upgrade Verification Service and fresh configuration is covered in Threat Prevention Administration Guide R80.30. The ATRG: IPS covers versions R77.10, R77.20, R77.30, R80.10, R80.20 and R80.30.

0 Kudos

Re: Differences in how IPS functions in R80.10+ and R77.30

The short answer is that on an R80.10+ gateway, IPS has been rolled up into the rest of the other Threat Prevention blades as far as policy management and installation.  Protections that were part of the IPS blade in R77.30 and earlier were also split up into multiple areas such as Inspection Settings, the APCL blade, and various Threat Prevention blades like Anti-Bot as detailed in sk103766: List of IPS Protections removed in R80.x.  If desired you can continue to manage the IPS functions of an R80.10+ gateway in the special IPS layer for older gateways, but it is strongly recommended to move your IPS configuration into your main Threat Prevention policy for added flexibility.  The long answer is that my IPS Immersion course covers the differences in IPS for R77.30 vs. R80.10 in detail, as the changes to IPS in R80.10 were pretty major and have led to some confusion.

Here are some CheckMates articles that may help:

https://community.checkpoint.com/t5/Policy-Management/Move-IPS-profile-rules-to-Threat-Prevention-la...

https://community.checkpoint.com/t5/Policy-Management/Layered-policies-and-pre-R80-gateways/m-p/1701...

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Difference-IPS-and-ThreatPrevention...

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Differences in how IPS functions in R80.10+ and R77.30

Most risk comes from the management migration from R77.30 to R80.x, if that went well then you are up to go.

I've through many migrations of this kind and never come up with any IPS issues, if unsure you may set up a detect only profile and then switch to prevent in another maintenance window.

I strongly advice Tim's advice and unify the policy as soon as you are comfortable with the new version.

Please read on how the "Protected scope" column works on the Threat Prevention policies, if left untouched you will be applying IPS to both incoming and outgoing traffic.

Regards,

Federico Meiners

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos