IPS Profile & Exception - Priority - Exception not working


Hi all,

I've created an IPS profile according to our needs and almost everything is working well, except for one thing:

In my IPS profile I've set the IPS protection FTP Bounce to Action: Detect

protection_setting.png

This works fine and a lot of logging information is generated. Most of the detected attacks are generated by a single external IP which is unknown to us and fills up our logs.

ips-logging.png

Therefore I've created an exception for this single IP where I want to have "prevent" as an action for this protection.

ips_exception.png

I've tried several ways to create the exception (Protected scope vs Src/Dst) but for this IP the FTP Bounce protection stays in detect mode and the same logs as shown above are generated.

Am I missing something in general? Are there some priority levels which keep the FTP Bounce protection from being in Prevent mode for this single IP?

Our firewall cluster is on V80.20 while our Mgmt Server is on V80.30

Kind regards

Oliver


Accepted Solutions

This is why in R80.30:

ftp_bounce.jpg

The FTP Bounce protection became a "Core" Protection in R80.30 and is no longer part of the IPS blade (even though the log card says it is), so your Threat Prevention exception will have no effect, since FTP Bounce is part of the Access Control Policy. Strangely, this signature says it is a Core Protection in R80.30 but it doesn't have the "shield w/ firewall" icon like a typical Core Protection (example: FTP Commands). This is really strange and I don't know what to make of it, but it is probably due to the very old age of this protection (2002), dating back into the SmartDefense days, which were not a fun time.

Because it is a Core Protection in R80.30, the only exceptions that can be added will completely inactivate the protection; you are not allowed to set Prevent (or Detect) in an exception like you can with an IPS ThreatCloud Protection. So as mentioned earlier, your only play here is to set Inactive; this is due to the "no man's land" that Core Protections sit in between Inspection Settings and IPS ThreatCloud Protections, as described in my IPS Immersion class.

You can see a prior issue like this here: https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/FTP-Bounce-prevent-instead-of-inact...

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Sapphire

I do not have any idea why your exception is not working, but honestly, any IPS protection set to Detect will cost resources without adding any security! I would suggest switching it to Prevent after the IPS deployment testing phase is over.


Many thx for the notice on the resources of the gateway, but unfortunately I cannot set the protection to Prevent, as this would cause some FTP connections from our customers to be dropped.

Kind regards
Oliver

Sapphire

So why not switch it off completely? Remember, this is an EServ 2.97 vulnerability from 2002!


Probably this will be the final solution, but it still doesn't explain why the exception is not working.


Hello Timothy,

many thx for the clarification. IPS was easier in V77.30 without the split into the different "classes".

Kind regards

Oliver