Management Update only - different IPS behavior

Hi all,

Our firewall cluster is currently running version 80.20. Recently we updated our Management Server from version 80.20 to 80.30, which should be a supported configuration.

As soon as we installed our policy for the first time from the updated Management Server, we noticed different behavior on some IPS protections, especially the FTP Bounce Protection.

Before the update we had set the FTP Bounce Protection to Prevent in our IPS profile, because we had a lot of logs for this protection from a single IP. Right after the first policy install we noticed that the same protection was now preventing far more connections/IPs than before.

Since the protection blocked some of our customers' FTP uploads, we had to move the protection back to Detect mode. For the one IP with the massive number of logs we want to put an exception with action Prevent in place, but this is another story and another post.

Another thing that got messed up was the follow-up and staging information in our IPS profile. Around 540 protections in my IPS profile had been set to "follow up" and were staged to "detect" due to the upgrade of the Management Server. Now I have to revert this change manually on these protections.

I was wondering how a minor upgrade from 80.20 to 80.30 on the Management Server can cause this behavior and have such a massive impact on our operations. If anybody can shed some light on this issue ...

Kind regards

Oliver

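The post above describes an FTP Bounce Protection that, once switched to Prevent, blocked legitimate customer FTP uploads. To make concrete what such a protection actually keys on, here is an added example (not code from the original post, and not Check Point's implementation) of the underlying check: in active-mode FTP the client's PORT or EPRT command names the address the server must connect back to, and an FTP bounce is a PORT command naming a third host. The sample control-channel commands, the verdict labels ("ok", "nat-mismatch", "bounce", "bounce-privileged") and the session list are all constructed for this example. The "nat-mismatch" case is included because a client behind NAT that advertises its private address is the classic legitimate traffic that a strict source-versus-PORT comparison flags, which matters when choosing between Detect and Prevent.

```python
"""FTP bounce check over constructed FTP control-channel commands.

Added example, not from the original post and not Check Point's code.
It implements the generic rule behind an FTP bounce protection: the
address in an active-mode PORT/EPRT command should be the client's own.
"""
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)
# RFC 2428 EPRT argument for IPv4: |1|a.b.c.d|port|
EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\s*$", re.IGNORECASE)

# RFC 1918 space, checked explicitly: ipaddress.is_private also covers the
# documentation ranges (203.0.113.0/24 etc.), which would skew the demo.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def parse_data_target(cmd: str):
    """Return (ip, port) the client asks the server to connect back to,
    or None if the command is not a well-formed PORT/EPRT."""
    m = PORT_RE.match(cmd.strip())
    if m:
        fields = [int(x) for x in m.groups()]
        if any(v > 255 for v in fields):
            return None
        ip = ".".join(str(v) for v in fields[:4])
        return ip, fields[4] * 256 + fields[5]
    m = EPRT_RE.match(cmd.strip())
    if m:
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            return None
        if port > 65535:
            return None
        return ip, port
    return None


def classify(client_ip: str, cmd: str) -> str:
    """Verdict for one control-channel command from client_ip.

    ok               PORT/EPRT names the client itself
    nat-mismatch     PORT names a private address while the client is not
                     private: a NATed client, not a bounce to a third host
    bounce           PORT names some other host
    bounce-privileged bounce aimed at a well-known service port (< 1024)
    ignore           not a PORT/EPRT command
    """
    target = parse_data_target(cmd)
    if target is None:
        return "ignore"
    ip, port = target
    if ip == client_ip:
        return "ok"
    if is_rfc1918(ip) and not is_rfc1918(client_ip):
        return "nat-mismatch"
    return "bounce-privileged" if port < 1024 else "bounce"


# Constructed sample session: (control-connection source IP, command).
SAMPLE_SESSION = [
    ("203.0.113.10", "USER customer"),
    ("203.0.113.10", "PORT 203,0,113,10,4,1"),      # client names itself
    ("203.0.113.10", "PORT 192,168,1,5,4,1"),       # NATed client, private addr
    ("203.0.113.10", "PORT 198,51,100,7,0,25"),     # third host, port 25
    ("203.0.113.10", "EPRT |1|198.51.100.7|8080|"), # third host, high port
]


def scan(session):
    """Classify every command in a session; returns [(cmd, verdict), ...]."""
    return [(cmd, classify(src, cmd)) for src, cmd in session]


if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_SESSION):
        print(f"{cmd:32} -> {verdict}")
```

Only the "bounce" verdicts are an attack; a real product may or may not distinguish the NAT case, so when a protection like this moves to Prevent it is worth confirming against your own FTP logs which of the two it is matching before leaving it there.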

Re: Management Update only - different IPS behavior

You should contact TAC to get help with that issue!

Re: Management Update only - different IPS behavior

This is really strange, but it appears the FTP Bounce signature changed from an IPS ThreatCloud protection in R80.20 to an "unofficial" Core Protection in R80.30, which is part of the Access Control Policy, thus invalidating any Threat Prevention exceptions for this protection. See my other response in this thread:

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/IPS-Profile-amp-Exception-Priority-...

Had to go back and edit that response once I discovered this change. Would really like to know why the FTP Bounce signature became an "unofficial" (for lack of a better word) Core Protection in R80.30, since these Core Protections are the source of a *lot* of confusion as covered in my IPS Immersion class. It is almost like this FTP Bounce signature is now sitting in a secondary "no-man's land" between Inspection Settings & IPS ThreatCloud Protections. Makes me wonder what other signatures have been changed similar to this one in R80.30.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
Employee+

Re: Management Update only - different IPS behavior

Hi Oliver,
We will be reaching out to you to get more details. We've looked thoroughly at the situation you described and have some insights, which we will of course share here when we're done. Have you opened a support ticket with Check Point yet?