cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution

Dear Team,

OS: R80.20

We enable the Threat Prevention Blade.

Profile: Optimized (Clone)

Activation Mode: Detect (Note: Only for POC later we make as Prevent)

101.png

See some prevent logs even we set as Detect

103.png

Add Exception for "any any" with the profile (Optimized Clone) and also added port "445" but not worked.

104.png

107.png

Then we Open the Prevent Logs and click "Go to Profile".

105.png

It's showing the Profile  "Optimized" even I set as  "Optimized (Clone)".

106.png

So I Finally "Inactive" that Signature for Optimized and Optimized Clone Profile.

1000.png

NOTE: Initially I set "inactive" for the Optimized (clone) then I set as "Inactive" for "Optimized " profile as well.

Now it's working fine.

1001.png

All are up to date.

100.png

Question: So is this the known behavior?

Because we create a new profile (Optimized Clone) but still some signature block by (Optimized).

 

Regards

@Chinmaya_Naik 

0 Kudos
1 Solution

Accepted Solutions

Re: Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution

Actually due to "Microsoft Windows NT Null CIFS Sessions" being an IPS "Core" Protection (instead of a IPS ThreatCloud Protection), believe it or not this is expected behavior.  As detailed in my IPS Immersion class, the 39 IPS Core Protections (which have a special "shield with firewall" icon) are in a bit of a no-man's land between ThreatCloud IPS Protections and Inspection Settings in R80.10+.

Note that when looking at the list of IPS Protections, a Threat Prevention (TP) profile action is not shown for this particular Core Protection, and it just says "See Details.." instead:

ips1.jpg

This is the first indication that the profile dictating how this Core Protection will be applied is not controlled directly in the TP profile being invoked in a TP rule.  Even if a TP rule is added calling for all traffic to match against the "Optimized (Clone)" profile as in your example, a visit to the Gateways screen of the "Microsoft Windows NT Null CIFS Sessions" protection shows that the TP profile assignment occurs for all Core Protections per individual gateway on this screen, not via the TP policy:

ips2.jpg

So this Gateways screen is shared among the 39 Core Protections, and is how the Core Protections are assigned via profile to a gateway.  This assignment does not happen via the TP policy like it does for IPS ThreatCloud Protections.  IPS Core Protections are definitely a bit odd in how you handle them, hence the use of the term "no-man's land" above.  🙂

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
5 Replies
Admin
Admin

Re: Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution
This particular protection is a Core Protection.
That means any changes involving it requires pushing the Access Policy, not just the Threat Prevention policy.
Was that done in this case?
0 Kudos

Re: Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution

Hi @PhoneBoy 

Thanks for the information.

But we installed both Access Control and Threat Prevention Policy.

@Chinmaya_Naik

0 Kudos
Admin
Admin

Re: Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution
Ok, might be worth a TAC case as changing the "original" profile doesn't seem like the best workaround.
0 Kudos

Re: Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution

Actually due to "Microsoft Windows NT Null CIFS Sessions" being an IPS "Core" Protection (instead of a IPS ThreatCloud Protection), believe it or not this is expected behavior.  As detailed in my IPS Immersion class, the 39 IPS Core Protections (which have a special "shield with firewall" icon) are in a bit of a no-man's land between ThreatCloud IPS Protections and Inspection Settings in R80.10+.

Note that when looking at the list of IPS Protections, a Threat Prevention (TP) profile action is not shown for this particular Core Protection, and it just says "See Details.." instead:

ips1.jpg

This is the first indication that the profile dictating how this Core Protection will be applied is not controlled directly in the TP profile being invoked in a TP rule.  Even if a TP rule is added calling for all traffic to match against the "Optimized (Clone)" profile as in your example, a visit to the Gateways screen of the "Microsoft Windows NT Null CIFS Sessions" protection shows that the TP profile assignment occurs for all Core Protections per individual gateway on this screen, not via the TP policy:

ips2.jpg

So this Gateways screen is shared among the 39 Core Protections, and is how the Core Protections are assigned via profile to a gateway.  This assignment does not happen via the TP policy like it does for IPS ThreatCloud Protections.  IPS Core Protections are definitely a bit odd in how you handle them, hence the use of the term "no-man's land" above.  🙂

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Highlighted

Re: Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Jump to solution

HI @Timothy_Hall  Thanks for the information

 

@Chinmaya_Naik 

0 Kudos