Nickel

IPS Updates for Optimized Profile

I have started to use the Optimized Profile for my IPS; however, I have noticed protections that should be enabled according to the Check Point IPS Update email, yet are actually inactive.

Please see example.

Advantech WebAccess SCADA Stack-based Buffer Overflow
(CVE‑2019‑3975: CVE‑2019‑3951) should be set as activated but has not been.

Anyone know why this would be the case and how I could fix this?

0 Kudos
1 Solution

Accepted Solutions
Nickel

Re: IPS Updates for Optimized Profile

Thought I would reply with the reply from TAC in case anyone was interested:

This is indeed the thing I was planning to check on the Protections. Optimized profile does not automatically enable Protection under "Product Prevalence - Scarce", only Common, so as not to impact Firewall productivity with a load.
"Strict" Profile is the one that has all protection enabled by default.
You can either switch to Strict profile or re-configure Optimized profile (by cloning it).

I also raised the question about why on the IPS News Emails sometimes the Protections are ticked or not next to the relevant Protection/Profile and this was the reason:

I reached people responsible for this email feed, and the 'tick' on the Profile does not mean the Protection is enabled by default - those configurations are to be done by the user on SmartConsole. Note that the 'tick' is also on Basic Profile, which has less amount of Prevent by default.
As to what 'tick' means exactly, unfortunately I cannot say.

Hope this helps anyone else if they were interested.

 


6 Replies

Re: IPS Updates for Optimized Profile

New protections are not included right after they have been announced.

Try to check on Profile if IPS > Updates is set to Active or not for "Newly Updated protections"

 

0 Kudos
Nickel

Re: IPS Updates for Optimized Profile

Thanks for the comment but that's not the case.

My setting is the same as yours:

Newly downloaded protections will be set to - Active - According to profile settings

From my screenshots, the other 2 IPS protections are set according to the policy but one of them isn't.

Looking at the 2 High ones, 1 is set and 1 isn't.  They are the same on Performance Impact, Severity and Confidence Level so they should both be set as Active but my policy decides to leave one as inactive and I can't see a reason why.

I have others as well but only raised this now to see if anyone else can see a reason as to why.

 

0 Kudos
Sapphire

Re: IPS Updates for Optimized Profile

I would ask TAC for an explanation!

Employee

Re: IPS Updates for Optimized Profile

Hey,

 

This protection is not a part of Optimized profile as it does not have "Product Prevalence: Common" tag.

Thanks

Shiran

Nickel

Re: IPS Updates for Optimized Profile

Thanks for the suggestion.

I have a TAC call open now and have sent some screenshots for investigation.

However, this wouldn't make sense to me if it is the case. The IPS News emails state the Protection Name and whether it is enabled on the relevant R80 Profile (Optimized or Strict).

If it has a tick next to it on the email notification then it should be enabled on IPS for Check Point as this is a built-in profile that cannot be changed.

If it's because of the Protection not having (Product Prevalence - Common) on the protection, then it shouldn't say enabled on the IPS emails.

I will see what TAC suggest on this.
0 Kudos