Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Admin
Admin

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8th January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point!

The following is available to CheckMates members who are logged in:

  • Slides (will be provided after CPX 360 2020)
  • Video

Q&A will be posted as comments.

The SmartConsole Extension mentioned: https://secureupdates.checkpoint.com/appi/tailoredsafe/extension.json

47 Replies
Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Excellent presentation! This will be very useful for me.

I just ran the extension and receive these errors. I approved every pop-up. 

Manager - R80.30

cp_tailored-safe-errors.PNG

Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey

if u can send me a direct email, I will take care of it

orenkor@checkpoint.com

Highlighted
Admin
Admin

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

It looks like a "cosmetic" error more than a real error.
Best to email Oren as he suggested so we can investigate.
Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

It's not creating the new profile either. i'll wait on Oren to get back to me. 

thank you.

Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey
We are reviewing it and A short remote session will assist us to finish up the review and fix what is needed

I have seen your email, will respond soon and if it’s a possibility from your side, can we have a short session?
0 Kudos
Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Yes, i will send you email w/ my available times. Again, thank you.

Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

did you solve the issue?

got the same issues (all errors, no tailored safe profile being created).

but it was just a first test in my lab.

Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey,

we have worked on all of the issues that has been sent by you and the others. a new version was release with bug fixes two days ago (same link so no change is needed). can you check again and tell me if it is still doesnt work for you?

Thanks,

Oren

0 Kudos
Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Worked like a champ. Thanks guys!
0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

its all on @asafga  head 🙂

Asaf - do you want to update on the fixes has been added to the last TS version based on the community inputs?

Highlighted
Employee
Employee

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey all,

I wanted to update on our new improvement to TailoredSafe.

  • We have reduced the pop-ups in the flow of the extension.
  • Improved error handling – we will be able to handle errors much efficiently.
  • Fixed a bug with the non-hit protections – based on inputs from the community, we have located few use-cases that we didn’t have in our lab and fixed them accordingly.
  • Multiple code improvements.

 

I would like to add that CheckMates assists a lot with checking and giving us lots of feedback – please keep the feedback coming!

Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Great presentation. I am looking forward to seeing more about it at CPX2020. I did install the extension on my SmartConsole and went through the wizard and it worked. I was a little surprised to see that I had 0 items that were in detect with no hits. I am running the Optimized profile (which I cloned so I could start customizing it for our environment) and I was expecting to have a lot of No Hits based on the presentation. If there is anything else I can provide on this, let me know.

Charles

 

Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Same here with one of my customers on the Recommended_Profile. 0 protections with no hits, 0 protections with hits, 0 Application Discovery.

Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey Andreas,
Can you send me a short email with your details? We will want to review it with you

Thanks,
Oren
0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey Charles
Thanks for the feedback
If you can please send me a short email so we can coordinate a short session, that will be great!
0 Kudos
Highlighted
Ivory

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

I added the extension, ran the analysis and received this error;

 

 
 

 

0 Kudos
Highlighted
Gold

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Cdurham,

I got the same screen. Went for a cup of coffee from my desk and after 10min I saw 4500 changes in the session pane (in top of the Dashboard).
I could see this number increasing for the last 1000. Because there was no button to click ok or anything else, I closed the window and was able to publish and install policy. There was no chance to review the changes.

Wolfgang
0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey Wolfgang,
By review the changes you mean that you want to verify what are the changes before the push policy, correct?

If we were able to show you the changes in any place and way in the console, what would be the best scenario/solution for you?
0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey chduram,
Can you please check if a new profile was created?(so I will differentiate between the presenting side and the configuration side)

Thanks
Oren
0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

We are working very fast on reviewing all of your inputs

I will ask you to run the extension and if there is any challenge, send me an email - we want to know

please check if a profile was created in your threat prevention policy - in some cases, as Phoneboy said - it’s a bit of cosmetic thing and time manner (waiting time of few minutes for the changes to be created)

Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey all

in the past few days we have had multiple sessions with community members that includes debugging and understanding the reasons of fail in the extension

 

for the ones who didn’t had a session OR doesn’t have a session with R&D in the schedule to review the challenge and solve it (+learn what is the improvement we need to deploy) - please drop me an email and we will schedule a session to solve it WITH you.

as I said to all of the customers we have had a session with - the power of the community with reviewing our innovative products and the great inputs are priceless

let’s keep working together to make the best products based on your real needs!

 

Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Finally had the time to go through the video, nice tool!

From an optimization perspective this tool can be very helpful as well, since an action of Detect instead of Prevent or Inactive causes higher overhead on the firewall; this concept was hit hard in the latest version of my book.  Particularly bad is an action of Detect but no logging, which is just consuming firewall resources for no valid reason.  Good to see there is an automated tool to streamline getting out of Detect mode, my book goes through doing it manually.  Will definitely add this tool to the upcoming addendum!

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Thanks!

if you will add it to your book as a way to utilize Threat Prevention, that will be great 🙂

any input on the process is welcomed - we want to make our customers life simple and with no business impact

0 Kudos
Highlighted

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Where can I download the extension from to have a go in a lab with it?

Cheers

Mark

Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Highlighted
Ivory

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

But is it recommended to activate as much  protections as possible? For example I activate all protections for McAffe, but we don't use any McAffe solutions in our organization. Doas it make sense? Or did I just create Performance impact for my gateway?

0 Kudos
Highlighted
Employee+
Employee+

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hey,

as a basic rule, from our experience, some one in your organization can /will install something new tomorrow.

the challenge of managing the applications that are in use in your organization (+vulnerable versions) is a hard challenge.

to make it simple, we recommend to enable all the protections (beside exceptions if needed OR if you have performance issues due miss-sizing as an example)

 just for example, lets say you do not have SQL today, but tomorrow someone from the DEV team will install a local instance with a known vulnerability:

sql will not be seen in d_port 1433 so you will not have any inspection == no performance usage

in the second the user will install the app and an attack will accure, only then you will have an inspection.

 

in some unique cases, i have seen customers that enable ONLY the tags for the applications they have, in those cases, they had a dedicated person that this was his job - its all about man-power...... (IMHO)

 

0 Kudos
Highlighted
Employee
Employee

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Hi Oren

Great video, just a followup  I think I am missing something.

I was under the impression that if you don't need a protection to not enable it,  that if you enable it will launch the content inspection to, steam,parse,cmi protections,  looking for traffic that might match this protection.

example:  when ssl poodle vulnerability come out,  We added protection for it., because the servers were vulnerable,    but once the servers are patched ,  OS was patched,  then there was no more need to keep the protection enable any more,  

I think maybe my confusion might be related to performance, maybe I have been here to long and the engine has change

but I remember having a customer with worm catcher protection enable,  and this was spiking up all the cpu high,  because ALL http traffic was being inspected for a worm,   when customer patch his window servers,  against code red/nimba vulnerabilities,  then we disable worm catch and his cpu went down.

thanks,

Manuel  

 

0 Kudos
Highlighted
Admin
Admin

Re: Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

Mentions of Code Red/NIMDA put you back in the days of SmartDefense (pre-R70).
It's fair to say things are quite different now than they were back then. 😁