
No prevent option in IPS signature

hi,

We have only the Detect option available for the “Host Port Scan” category, so we can’t prevent this from our IPS rules. We cannot block the source, as that IP is being used as a NAT IP (public IP from another branch) for many users.

If we don't have an option to prevent, can we have a TCP session limit for the source IP from the user pool? If it can be done, what is the procedure?

Regards,

Sagar Manandhar


0 Kudos
4 Replies
Vladimir
Pearl

Re: On detect option in IPS signature

Sagar,

If the source of scans is NATed by the Check Point gateway itself, you should still be able to identify it by the actual IP and treat its traffic in IPS whichever way you want.

If it is being NATed by another device before hitting the Check Point, the best course of action will be to exempt the CP GW from its scanner's configuration.

Incidentally, do you have a stealth rule configured in your policy?

What, if any, effect does it have on this traffic?

Cheers,

Vladimir

0 Kudos

Re: No prevent option in IPS signature

No, it is not the Check Point IP. We have been using different public IPs in different branches. It is coming from there.

0 Kudos
Vladimir
Pearl

Re: No prevent option in IPS signature

Then either configure the scanner exemptions or their scopes.

Alternatively, at the branch in question you can play with ACLs to only allow necessary traffic to predetermined scopes from the original source IP, but it may prove labor intensive.

Employee+

Re: No prevent option in IPS signature

If you configure User Defined Alerts, you can timeout connections that meet the criteria for the Host Port Scan IPS signature:

SK110873 - How to configure Security Gateway to detect and prevent port scan
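To make the discussion above concrete, here is an added example (not Check Point code and not from the SK article) of the detection logic a "Host Port Scan" signature applies: count the distinct destination ports one source touches on one host inside a short time window and flag the pair when the count crosses a threshold. The log format, IP addresses, window and threshold are all constructed for the example. Run against the sample, the flagged source is the branch's shared NAT address, which is exactly the thread's problem: a block on that IP would hit every user behind it, so the fix belongs at the branch (exempt the gateway from the scanner, or scope the scanner) or in a per-connection action such as the timeout the SK describes, not in a source-IP block.

```python
"""Host-port-scan detection over connection logs (added example, not Check Point code).

Flags a (source, destination) pair when the source hits at least `port_threshold`
distinct destination ports on that host within any `window_seconds` sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 203.0.113.10 stands in for a branch's shared NAT address (documentation range).
# 198.51.100.7 is an ordinary client; 10.0.0.9 receives a slow, spread-out probe.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.10 10.0.0.5 22
2024-01-01T10:00:01 203.0.113.10 10.0.0.5 23
2024-01-01T10:00:01 203.0.113.10 10.0.0.5 25
2024-01-01T10:00:02 203.0.113.10 10.0.0.5 80
2024-01-01T10:00:02 203.0.113.10 10.0.0.5 110
2024-01-01T10:00:03 203.0.113.10 10.0.0.5 135
2024-01-01T10:00:03 203.0.113.10 10.0.0.5 139
2024-01-01T10:00:04 203.0.113.10 10.0.0.5 443
2024-01-01T10:00:04 203.0.113.10 10.0.0.5 445
2024-01-01T10:00:05 203.0.113.10 10.0.0.5 3389
2024-01-01T10:00:05 203.0.113.10 10.0.0.5 8080
2024-01-01T10:00:06 203.0.113.10 10.0.0.5 8443
2024-01-01T10:00:00 198.51.100.7 10.0.0.5 443
2024-01-01T10:05:00 198.51.100.7 10.0.0.5 443
2024-01-01T10:00:00 203.0.113.10 10.0.0.9 443
2024-01-01T10:00:30 203.0.113.10 10.0.0.9 80
2024-01-01T10:02:00 203.0.113.10 10.0.0.9 22
2024-01-01T10:02:30 203.0.113.10 10.0.0.9 25
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def max_ports_in_window(events, window_seconds=60):
    """For each (src, dst) pair, the largest number of distinct destination
    ports seen inside any sliding window of `window_seconds`."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    result = {}
    for pair, items in by_pair.items():
        items.sort()  # chronological order so each window starts at an event
        best = 0
        for i, (start, _) in enumerate(items):
            ports = {p for t, p in items[i:] if t - start <= window}
            best = max(best, len(ports))
        result[pair] = best
    return result


def detect_host_port_scans(text, window_seconds=60, port_threshold=10):
    """Return sorted (src, dst, distinct_ports) triples that meet the threshold."""
    counts = max_ports_in_window(parse_log(text), window_seconds)
    return sorted(
        (src, dst, n) for (src, dst), n in counts.items() if n >= port_threshold
    )


if __name__ == "__main__":
    for src, dst, n in detect_host_port_scans(SAMPLE_LOG):
        # The hit is the shared NAT IP, so a source block would affect every user behind it.
        print(f"host port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

The slow probe against 10.0.0.9 stays below the default threshold because its four ports are spread over two and a half minutes; widening the window to 300 seconds and lowering the threshold to 4 surfaces it, which is the trade-off between catching slow scans and false positives on busy NAT addresses.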