IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.

Geo Blocking

Hi Folks, we are looking to implement Geo blocking and wondered if Check Point works with the US Treasury Office of Foreign Assets Control (OFAC) list of sanctioned IP addresses? Anyone know?

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi, on R80.20 gateways can I do HTTPS inspection on inbound connections that require SNI, since on the server there are some virtual hosts with different certificates? If yes, how? Thanks in advance

Antibot & Antivirus Updates Through Proxy

Hello, I have 2 VSX Gateways managed by SmartConsole. I want to enable Anti-Bot, Anti-Virus, URL Filtering and IPS updates via proxy. For this I have configured Proxy Settings in Global Properties (SmartConsole) and also added the proxy server IP and port on the individual gateways (set proxy address XXXX 8080). However, the problem is that IPS and URL Filtering are getting updated fine via SmartConsole, but the Anti-Bot and Anti-Virus blades are not updating and throw the error "Update failed, contract entitlement check failed, unable to reach cws.checkpoint.com". I have tested all the update URLs through both gateways and all of them return a positive "It Works" result. Am I missing some configuration here? Thanks

Query regarding CLI command to check Threat Extraction

Hi CheckMates, I need some help here. I need to know the CLI command to check whether the Threat Extraction (TE) module is active and, if yes, to check whether TE is local or cloud. Thanks in advance

Routing between 2 Virtual Systems

Hello, in my VSX environment on R80.10 (CP 5900), Anti-Bot and Anti-Virus updates are going through an internet gateway connected to VS0. Now I want to divert this traffic so that the GW updates through another internet gateway which is reachable through VS1. How can this be achieved? Thanks.

IPS Protection filter

Hi, I want to understand what dynamic and static IPS protections are. Also, if we apply the Optimized profile, does the Basic profile still work? Thanks

IPS packet captures upload to remote servers

Is there any built-in feature which would allow uploading IPS packet captures to remote servers, and not just storing them on the gateways? Our SOC team is asking for storage space from which they could download those .cap/.eml files.

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

The IPS Analyzer Tool collects information about IPS Protections usage. The IPS statistics indicate which patterns, out of all IPS protections, were called into action (but not necessarily matched) and how many times. The Analyzer Tool processes the statistics output and produces a clear HTML report from it. The report indicates which IPS protections are causing critical, high or medium load on the CPU and provides information on the load on the Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics", sub-section "Show / Hide the procedure for versions R77 and above".

Compress the IPS statistics output folder on the Security Gateway:
[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>

Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.

Run the IPS Analyzer Tool on the unpacked IPS statistics output folder. Open a Windows Command Prompt and run:
C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"

Review the output files:
AnalyzerReport.html - main report file, located at DISK:\path_to_unpacked_statistics_output_folder\AnalyzerReport.html (open it in Chrome or Firefox)
analyzer.log - log file

NOTE: The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear under the protection name "Threat Prevention Protection - ID NUM". If a significant portion of the entries are of this kind, the IPS Software Blade is not the only blade impacting gateway performance, and the impact of the other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short survey of up to 2 minutes. Your feedback will help us improve the tool and the services we provide you. For any questions please contact: omersh@checkpoint.com

Re: TE Redundancy (NGTX)

Hey, Of course, we can move it. Thanks

Anti-spam and email security blade always bypassing all emails

Non-spam bypassed (Temporary scan failure). From the logs, the Anti-Spam and Email Security blade is always bypassing all emails. It seems the Anti-Spam and Email Security blade is not working well.

IPS Attack direction

Hi everyone, on my Check Point R80.30 I would like to know, for a generic IPS log, which field tells me the direction of the attack, in order to find out who the attacker is: the PC or the server. I think that is simple for Check Point by looking at the direction of the attack signature. Please do not confuse the TCP/IP session direction with the attack direction. Thanks a lot. Emi

Blocked Senders / Domains on the Anti-Spam blade is not working.

I added someuser@domain.com, but I am still receiving email from that user.

R80.20 IPS Signature For OWASP

Dear Experts, I am looking for an IPS signature for OWASP. Can you please help me find the IPS signature for OWASP? Regards, Rahul Borah

'Water Torture' attack , DDoS against DNS

I don't seem to be able to find a CVE for this attack, so my question is whether the Check Point IPS blade can prevent these attacks, or whether that would be something one would need DDoS Protector for. A little more info on the attack below.

Title: DNS Label-Prepending and -Substitution ('Water Torture') DDoS Attack Mitigation Recommendations for Authoritative DNS Servers
November 4, 2019
Description: Netscout Arbor have observed a significant recent increase in the prevalence of DNS label-prepending and label-substitution attacks (also known as DNS 'Water Torture' attacks), which make use of DNS queries for nonexistent, programmatically-generated DNS records to force the authoritative DNS servers of targeted organizations both to service the illegitimate DNS queries and to generate large numbers of NXDOMAIN negative responses. The goal of the attacker in these circumstances is to overwhelm the resources of the authoritative DNS servers, thus rendering online properties of the targeted organization such as Web servers, email servers, et al. unreachable due to failed name resolution. This is an indirect form of application-layer DDoS attack against the critical ancillary DNS name-resolution service, rather than directly attacking the applications and services running on targeted networks; if the DNS names for online resources cannot be resolved, they are effectively rendered unavailable to legitimate users.
Jeff_Gao inside IPS, Anti-Virus, Anti-Bot, Anti-Spam a week ago
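Whether a given IPS product has a signature for this is a separate question, but the attack has a recognisable shape at the log level: one source sends many never-repeated, random-looking labels under a single victim zone and most of them come back NXDOMAIN. The script below, an added example that is not part of the post above and not Check Point code, scores DNS query/response records by NXDOMAIN ratio, uniqueness of the prepended prefix and character entropy of the leftmost label, and flags the sources that match. The log format (`src_ip qname rcode`), the sample lines, the "zone = last two labels" assumption and the thresholds are all constructed for the example; adapt the parser and thresholds to your resolver or gateway logs.

```python
"""Flag DNS 'water torture' (label-prepending) floods from query/response logs.

Added example, not from the forum post or from Check Point. The log format,
sample lines, zone-splitting rule and thresholds are assumptions made here.
"""
import math
from collections import defaultdict

# Constructed sample log: "<src_ip> <qname> <rcode>", one record per line.
# 198.51.100.7 hammers random labels under example.com; 203.0.113.9 is a
# normal client resolving real hostnames.
SAMPLE_LOG = """\
198.51.100.7 x7qk2pw9.example.com NXDOMAIN
198.51.100.7 zd01mvb4.example.com NXDOMAIN
198.51.100.7 pq8r1t6s.example.com NXDOMAIN
198.51.100.7 ab3n9kxu.example.com NXDOMAIN
198.51.100.7 h5f2gj3e.example.com NXDOMAIN
198.51.100.7 m9c4y1rn.example.com NXDOMAIN
198.51.100.7 www.example.com NOERROR
203.0.113.9 www.example.com NOERROR
203.0.113.9 mail.example.com NOERROR
203.0.113.9 www.example.com NOERROR
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label (0.0 if empty)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one record into (src, zone, prefix, rcode).

    Assumption for the example: the victim zone is the last two labels.
    Real deployments need a public-suffix list or a configured zone list.
    """
    src, qname, rcode = line.split()
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return src, zone, prefix, rcode.upper()


def score_sources(log_text: str, min_queries=4, nx_ratio=0.75,
                  min_entropy=2.5, min_unique=0.9):
    """Return {src: details} for sources whose queries to one zone look like a
    label-prepending flood: mostly NXDOMAIN, almost never the same prefix
    twice, and high-entropy leftmost labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "prefixes": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, zone, prefix, rcode = parse_line(line)
        s = stats[(src, zone)]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["prefixes"].add(prefix)
        # Only the leftmost label carries the attacker's random text.
        s["entropy_sum"] += label_entropy(prefix.split(".")[0])

    flagged = {}
    for (src, zone), s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little data to judge this source
        ratio = s["nxdomain"] / s["queries"]
        avg_entropy = s["entropy_sum"] / s["queries"]
        unique = len(s["prefixes"]) / s["queries"]
        if ratio >= nx_ratio and avg_entropy >= min_entropy and unique >= min_unique:
            flagged[src] = {"zone": zone, "queries": s["queries"],
                            "nxdomain": s["nxdomain"],
                            "unique_prefix_ratio": unique,
                            "avg_entropy": avg_entropy}
    return flagged


if __name__ == "__main__":
    for src, info in score_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['nxdomain']}/{info['queries']} NXDOMAIN "
              f"for {info['zone']}, avg label entropy {info['avg_entropy']:.2f}")
```

The three signals are deliberately combined: NXDOMAIN ratio alone also catches a misconfigured client retrying one bad name, entropy alone is fooled by legitimate CDN-style hostnames, and the uniqueness ratio is what separates a flood of fresh labels from a loop over a few. Run it per zone and per source (or per /24 when the attacker spreads across a botnet) over a sliding window rather than a whole day, so the counts reflect the current rate.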

Anti-Virus log prompt: "background classification mode was set"

Dear FW:23500     Version:R80.10       Hotfix:R80_10_JUMBO_HF_Bundle_T56_sk11638I have set hold mode,refer to screenshots below:TP configuration as follow:But the log shows as follow:Description:                  Connection was allowed because background classification mode was set. See sk74120 for more information."loop.sawmilliner.com" is a C2 and malware site,as follow:I have set classification mode to hold,why still show "background classification mode was set"Thanks!