Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Demith_Samaraw2
Contributor

Threat Prevention Policy Layers

Hi All

We have a situation where R80.10 Mgmt/GW we have created multiple Threat Prevention (TP) rules, each rule with different blade (Profile) enable, 

e.g.

Rule 1- IPS

Rule 2 - AV

Rule 3 - Threat Prevention

Isn't Check Point supposed to go through each and every rule and execute all blades?

What we see it just hits the first rule (IPS) blade and other rules has no hits, for example TP has no hits or files uploaded to CP cloud for analysis, same with AV

If I edit the first rule and configure it enable all the blades it works.

Is this normal behavior?

7 Replies
PhoneBoy
Admin
Admin

Yes it's expected behavior as we only look at subsequent layers if the previous layers did not block the traffic (applies to both Access Control and Threat Prevention).

The only reason you would separate threat prevention blades into different layers is for Pre-R80 gateways (and specifically only IPS).

0 Kudos
Demith_Samaraw2
Contributor

Hi Dameon

But this does not make sense, traffic is not blocked by the layers, all AV, IPS and TP are just doing login only so traffic should still go to the other layers below right

0 Kudos
Tomer_Sole
Mentor
Mentor

Hi,

If you want to allocate different profiles for different blade usages, and have a different rule matched per blade but for the same traffic, then Threat Prevention Layers are the way to go.

Make a separated layer per blade. When traffic matches on multiple layers, they are combined so that the strictest matters. So in that case, the layer that has a rule with a particular blade activated will be matched when traffic relevant to that blade passes.

Let me know if you have more questions about this.

0 Kudos
Demith_Samaraw2
Contributor

Thanks Tomer and Dameon for the reply, but I am not still very clear on this, is there any document that describes how Threat prevention policy works with multiple layers, I do understand how it works with Access policy is it different from TP policy

See the below current policy, Protected scope is different for each rule but they have overlapping networks between them,

My understanding was as long as traffic is not blocked it should go trough all 3 layers and match all 3 profiles, but what we see is it only matches with first layer (in this case AV)

0 Kudos
PhoneBoy
Admin
Admin

Threat Prevention blades in general only generate logs if something is blocked or scanned.

Specific to your example.

  • IPS only generates logs if traffic triggers an active IPS signature. Otherwise, no log is generated.
  • Threat Emulation only generates a log entry if an actual file is emulated and/or Threat Extraction is performed.
  • Anti-Virus logs what it is able to scan (file/URL).

The fact you're only seeing AV logs, therefore, is most likely expected behavior.

Timothy_Hall
Champion
Champion

You have 3 rules all in the same TP layer in your screenshot.  If it matches the first one it will never reach rules 2 and 3.  To do what you want Rule 1 needs to be in its own TP layer, original Rule 2 should be Rule 1 in a second TP layer, original Rule 3 will now be Rule 1 in a third TP layer like this:

In that case all 3 layers (with 1 rule each) will be evaluated simultaneously and the most strict action taken, unless there is an exception present.  Only one rule can match inside the same TP layer.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Demith_Samaraw2
Contributor

Hi Tim

That is great, I just understood what was the issue, I have actually added 3 rules to the same layer thinking I have created 3 separate TE layers

Thanks for the explanation. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events