This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_Matt
Contributor
‎2019-10-29 03:56 AM
Jump to solution

IPS Profile & Exception - Priority - Exception not working

Hi all,

I've created a IPS profile according to our needs and almost everything is working well, except of one thing:

In my IPS profile I've set the IPS protection FTP Bounce to Action: Detect

protection_setting.png

This works fine and a lot of logging information is generated. Most of the detected attacks are generated by a single external IP which is is unknown to us and fills up our logs.

ips-logging.png

 

 

 

 

 

 

 

 

 

 

 

 

 

Therefore I've created an exception for this single IP where I want to have "prevent" as an action for this protection.

ips_exception.png

I've tried several ways to create the exception (Protected scope vs Src/Dst) but for this IP the FTP Bounce protection stays in detect mode and the same logs as shown above are generated.

Do I miss something in general? Are there some priority levels which keeps the FTP Bounce Protection to be in Prevent mode for this single IP?

Our firewall cluster is on V80.20 while our Mgmt Server is on V80.30

Kind regards

Oliver

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-29 05:53 PM
Jump to solution

 

This is why in R80.30:

 

ftp_bounce.jpg

The FTP Bounce protection became a "Core" Protection in R80.30 and no longer part of the IPS blade (even though the log card says it is) so your Threat Prevention exception will have no effect, since FTP Bounce is part of the Access Control Policy.  Strangely this signature says it is a Core Protection in R80.30 but it doesn't have the "shield w/ firewall" icon like a typical Core Protection (example: FTP Commands).  This is really strange and I don't know what to make of it, but is probably due to the very old age of this protection (2002) dating back into the SmartDefense days which were not a fun time. 

Because it is a Core Protection in R80.30 the only exceptions that can be added will completely inactivate the protection, you are not allowed to set Prevent (or Detect) in an exception like you can with an IPS ThreatCloud Protection.  So as mentioned earlier your only play here is to set Inactive; this is due to the "no-mans land" that Core Protections sit in between Inspection Settings and IPS ThreatCloud Protections as described in my IPS Immersion class.

You can see a prior issue like this here: https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/FTP-Bounce-prevent-instead-of-inact...

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-10-29 04:12 AM
Jump to solution

I do not have any idea why your exception is not working, but honestly, any IPS protection set to Detect will cost resources without adding any security ! I would suggest to switch it to prevent after the IPS deployment testing phase is over.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Oliver_Matt
Contributor
‎2019-10-29 04:27 AM
In response to G_W_Albrecht
Jump to solution

Many thx for the notice on the resources of the gateway, but unfortunately I cannot set the protection to prevent as this would cause some ftp connections from our customers to be dropped.

Kind regards
Oliver

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-10-29 04:52 AM
In response to Oliver_Matt
Jump to solution

So why not switch it off completely ? Remember, this is an EServ 2.97 vulnerability from 2002 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Oliver_Matt
Contributor
‎2019-10-29 05:02 AM
In response to G_W_Albrecht
Jump to solution

Probabely this will be the final solution, but still doesn't explain why the exception is not working.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-29 05:53 PM
Jump to solution

 

This is why in R80.30:

 

ftp_bounce.jpg

The FTP Bounce protection became a "Core" Protection in R80.30 and no longer part of the IPS blade (even though the log card says it is) so your Threat Prevention exception will have no effect, since FTP Bounce is part of the Access Control Policy.  Strangely this signature says it is a Core Protection in R80.30 but it doesn't have the "shield w/ firewall" icon like a typical Core Protection (example: FTP Commands).  This is really strange and I don't know what to make of it, but is probably due to the very old age of this protection (2002) dating back into the SmartDefense days which were not a fun time. 

Because it is a Core Protection in R80.30 the only exceptions that can be added will completely inactivate the protection, you are not allowed to set Prevent (or Detect) in an exception like you can with an IPS ThreatCloud Protection.  So as mentioned earlier your only play here is to set Inactive; this is due to the "no-mans land" that Core Protections sit in between Inspection Settings and IPS ThreatCloud Protections as described in my IPS Immersion class.

You can see a prior issue like this here: https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/FTP-Bounce-prevent-instead-of-inact...

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Oliver_Matt
Contributor
‎2019-10-30 12:16 AM
In response to Timothy_Hall
Jump to solution

Hello Timothy,

many thx for clarification. IPS have been easier in V77.30 without the split in the different "classes".

Kind regards

Oliver

0 Kudos
Jesse
Contributor
‎2021-10-07 12:19 PM
In response to Timothy_Hall
Jump to solution

Thanks for this, I would have never noticed that banner at the top about it being a core protection.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events