Contributor

Exclude Vulnerability Scanners from IPS Inspection

We have multiple vulnerability scanners, like Nessus and Tenable, in our data center that perform continuous scans on our servers in the DMZ. These scanners are placed in the Inside zone, and the traffic from them passes through the Check Point.

Could anyone suggest the methods we have at present in Check Point to bypass this traffic from IPS inspection, as this would help reduce the load on the firewall to a good extent?

6 Replies
Champion

Yes, create what I call a "null" threat prevention profile with all five TP blades, including IPS, unchecked. Create a rule at the top of your Threat Prevention policy layer specifying the scanning boxes in the Protected Scope, and apply the null profile in the Action of that rule. Doing it this way instead of using a TP exception will make the traffic potentially eligible for full acceleration by SecureXL and substantially reduce load on the gateway. If you have more than one Threat Prevention policy layer (not likely), the null profile rule will need to be at the top of all TP layers.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Contributor

I have similar issues, and TAC walked me through the TP exception in the profile. However, several actions still got logged, such as FTP bounce; definitely giving the null profile a try. Thanks!

Contributor

Thank you @Timothy_Hall for this new method.

I never thought doing this would make the traffic eligible for acceleration by SecureXL; I will surely try this out.

Also, is there any SK or article you would recommend regarding how SecureXL works with IPS, especially when traffic passes through the TP policy and TP exceptions? It would be really helpful.

Thanks in advance.

Admin

Add an exception to the TP policy; that should do the trick.

Contributor

Thank you everyone for your quick response.

@Jim_Valko, yes, at present we have an exception rule in place for the scanner IPs, but it is configured for Detect mode. Is this something you would consider the right approach, or should I change it to Inactive?

Thanks in advance.

Admin

Detect means it's still processing the traffic, just not dropping it.
This means the performance impact could actually be worse than simply dropping the traffic.
Inactive is the more performant choice.