
Does IPS have CVE-2019-1181, 1182, 1222, 1226 protection?

I have already updated IPS in SmartConsole to find IPS protection for CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226, and I cannot find these protections, and about TFlower Ransomware protection too. Can I have information about these?

Antivirus blade pros and cons.

Hi All, I want to enable the Antivirus blade in R80.10. My firewall (5400) is in a production environment. My firewall max connections is 79797. Already the VPN, Application Control, IPS and Anti-Bot blades are enabled. Just want to know what the pros and cons will be if I enable the Antivirus blade. Please help me.

DNS Malware trap - DNS servers

Hello CheckMates, can anyone explain to me what adding the internal DNS servers to the DNS trap configuration actually does? The only thing I can find in the documentation is 'to better help identify the origin of malicious requests', but it's not like we can see the client IP that the DNS request originates from. I've built a test setup in VMs to compare the difference of the logs with and without the DNS server defined, and I see no difference in the log cards. This is with both the client to DNS server and DNS server to public DNS requests going through the gateway. I hope someone knows more about this.

Exceptions on IPS Core Protections

I wanted to share with you a new SK about working with core protections and adding exceptions to them. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk162493&partition=Advanced&product=IPS%22 More than once I have seen issues with R80.x where exceptions "don't seem to apply". Remember that core protections are different animals from IPS Threat Cloud Protections, enforced on dedicated profiles and installed with access control policy.

Blocking parts of the internet / Performance considerations

Hi, I want to block some parts of the big bad internet. CP has this cute script that was built for dshield but uses "fw samp" to block connections using the quota functionality. Now quota sucks because it kills connection templates and I love having them. I am now thinking of rebuilding the dshield script for my purpose by using the accelerated drop functionality (sim dropcfg -f blog_very_very_bad_networks.cfg). Since drop templates are applied after connection templates or connection table lookups there could be some glitches (or I kill already established connections based on my list of very bad IP addresses). Is this the most elegant way of dropping traffic from a large list of networks or hosts (list.txt, CIDR notation) or is there a better solution? Thanks. -Manuel

Differences in how IPS functions in R80.10+ and R77.30

Hi All, I will be upgrading a gateway from R77.30 to R80.30 and it is running IPS. I have already upgraded the management server. I understand the policy layers and how on pre-R80.10 gateways the IPS is separate from threat prevention, but what I am struggling to find any consolidated details on is whether there is a difference in how IPS functions on the gateway. I am trying to assess what the risk is with IPS and service interruption when we upgrade. Any references to known URLs detailing this or SKs would be helpful. Thanks

BlueKeep exploit is weaponized: Check Point customers remain protected.

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability, to an immediate, critical threat. While BlueKeep's devastating potential was always known, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. Unfortunately, the Metasploit toolset is used by both security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may have access to all in-use credentials to all systems on the network, whether they are running Windows, Linux, MacOS or NetBIOS. In effect, this scenario means that a single, infected Windows machine can completely own a network.

Check Point's BlueKeep protections for network and endpoint, released several months ago, protect against the new weaponized version of this attack. Check Point customers who have implemented these protections remain protected. We recommend all customers to take immediate action to make sure they are protected:

1. Install the Microsoft patch on all vulnerable Windows systems
2. Enable Check Point's IPS network protection for BlueKeep
3. Implement Check Point's endpoint protection for BlueKeep

R80.20 MTA update take_49

CPUSE is recommending I install the MTA update take_49 on R80.20 gateways, but there is no mention of take_49 in sk123174. Does anyone know what is in take_49?

PhoneBoy, inside IPS, Anti-Virus, Anti-Bot, Anti-Spam, 3 weeks ago

Mitre ATT&CK Framework and Check Point TechTalk

On 14th August 2019, we recorded a TechTalk with @Jony_Fischbein and @Irina_Shalem on how to take Cyber Security to the next level with the MITRE ATT&CK Framework. Presentation materials, available to CheckMates members, include the full video and the PowerPoint presentation. An excerpt of the session is below. Q&A from the session will be posted in the comments.

Check Point IPS Bridge mode deployment with Juniper SRX

Hi, can anyone help us with the Check Point IPS Bridge mode deployment best practice document... Thanks, Bala

How to block hashes of malware by IPS signature

Hi experts, is there any way in Check Point IPS (R80.20) to block hashes of malware? Please share your experience. Sample hashes of malware:

04fb0ccf3ef309b1cd587f609ab0e81e0b2e07205245697a749e422238f9f785
272537bbd2a8e2a2c3938dc31f0d2461dd792f9185860e1464b4346254b2101b
fcfab508663d9ce519b51f767e9028065b26f5c7c367d5e976aaba320965cc7f

Regards, Rahul

Dan_Roddy, inside IPS, Anti-Virus, Anti-Bot, Anti-Spam, 3 weeks ago

Threat Emulation Exceptions

I have noticed we are emulating far too many files for our 250,000 file limit. Not long ago I decided we did not need to emulate Windows.update files AND secureupdate.checkpoint.com files. I created exceptions for our Endpoint client but sadly they are still being emulated. Has anyone else tried to reduce their emulation load and noticed this behavior? Many thanks for your support, Dan Roddy

IPS utilization report - Smart View

Hey all, I believe that most of us that enabled IPS in our environment asked one of the following questions: "If I move to prevent, what will happen to my network?" "Should I do it step-by-step? How?" "Is there any tool that I can use to eliminate any potential impact on my network?" For those questions we have created multiple documents with formal procedures. Now, we have created a new Smart View report that allows you to understand your IPS utilization status and, based on different step-by-step procedures, utilize the blade for maximum protection and minimum business impact. You can download the CPR file (for Smart-View) from the following link: https://gofile.io/?c=DBShEe If you want to influence, you are welcome to reply to this blog with any insight or change you believe we need to add/change. We will change the report based on your needs and will upload a new one until we have a report that will be released as part of the next GA + Jumbo. Thanks, Oren

Antivirus update

Hi, I observed that my gateway shows Antivirus signature updates as 0, but in SMART it shows that Antivirus has been updated to the latest on the gateways. Why is there a difference in data on both interfaces? Screenshot attached herewith.

Mac OS users unable to access the App Store even if they are given any application access