cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

IPS Internal hosts only in R80.10

With R80.10 IPS, the "Internal hosts only" option in the gateway settings is no longer there.  I was told by an SE that Internal hosts only is now the default, and that to go back to protecting traffic in all directions with IPS requires some kind of workaround.  Is that true?  I had been thinking that in R80.10 all IPS traffic, inbound and outbound, was protected, and that to get to protect only internal hosts would require a rule in the Threat Prevention IPS policy.  Can anyone give me some insight how this really works?

5 Replies
Vladimir
Pearl

Re: IPS Internal hosts only in R80.10

You define "Protected Scopes" in a Threat Prevention policy.

If the scope is "*", this will protect traffic with IPS in either direction.

AV and threat emulation do have a "Zone" and direction definitions that you can manipulate by editing profile.

0 Kudos

Re: IPS Internal hosts only in R80.10

Not exactly, if you have an R80.10 gateway IPS can be managed in the same TP profile and policy layer as the other four Threat Prevention blades. As such you can use columns such as Protected Scope and Source/Destination/Service (if you unhide these three) to very precisely specify exactly where you want IPS protections applied. So in short with R80.10 management and an R80.10 gateway, it is no longer just "Protect internal hosts" or "Perform IPS inspection of all traffic", but whatever you want it to be via columns in the Threat Prevention policy layer(s). You can also take the opposite approach and define an explicit rule specifying IPS with a "null" TP profile (as I call it in my book) that excludes certain traffic from IPS inspection at all, thus potentially making that traffic eligible to be fully accelerated by SecureXL and not go PXL, and then inspect all other traffic with IPS in a later TP rule.

If you have an R77.30 gateway under R80.10 management, you still must use one of the two original settings for internal traffic only or all traffic, and must manage IPS for all R77.30 gateways only in a separate Threat Prevention layer that will be automatically created for you called IPS.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Highlighted
Vladimir
Pearl

Re: IPS Internal hosts only in R80.10

Hmm..:

"If the scope is "*", this will protect traffic with IPS in either direction:"

The Source and Destination defaults to "Any" if exposed, so I do not see the contradiction or inaccuracy in the above statement.

This one:

"AV and threat emulation do have a "Zone" and direction definitions that you can manipulate by editing profile."

Referring to:

I am uncertain as to which Scope and Directions setting will take precedence for AV and TE, the one in the TP policy or the one in the properties of the Profile.

0 Kudos

Re: IPS Internal hosts only in R80.10

I'm pretty sure the Protected Scope column in the TP policy must be matched first to even reach the profile specified under Action for that particular rule.  So essentially the Protected Scope for AV/TE in the profile itself is a way to further "dial in" or refine how AV/TE is applied once the TP rule has been matched.  Generally one should be careful setting the profile-based Protected Scope options to anything other than "all", since it is possible that someone looking at just the rule columns will conclude there is full coverage by AV/TE for a particular protected scope, when in fact there isn't based on the profile settings.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Vladimir
Pearl

Re: IPS Internal hosts only in R80.10

Wouldn't it then be better for Check Point to specify the default profile settings as "Inspect Incoming Files from ALL interfaces" or inspect incoming and outgoing files and defer final decision to TP policy rules and scopes?

Alternatively, to at least popup the notification of the conflict in TP policy, if the defined scope, source or destination conflict with the profile settings?

This last one may be in place, but I do not recall ever seeing such prompts.

0 Kudos