IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.


IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

The IPS Analyzer Tool collects information about IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics output and produces a clear HTML report based on it. The report indicates which IPS protections are causing critical, high or medium load on the CPU and provides information regarding the load on the Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

1. Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".

2. Compress the IPS statistics output folder on the Security Gateway:

   [Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
   [Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>

3. Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.

4. Run the IPS Analyzer Tool on the unpacked IPS statistics output folder. Open a Windows Command Prompt and run:

   C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"

5. Review the output files:
   - AnalyzerReport.html - Main report file, located at DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use the Chrome or Firefox browser)
   - analyzer.log - Log file

*NOTE*
The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:
"Threat Prevention Protection – ID NUM"
If a significant portion of these entries is found, then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short survey of up to 2 minutes. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.
For any question please
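To show the kind of triage the report above supports, here is an added example. It is my own code, not Check Point's Analyzer tool, and it does not read the real on-disk format produced by the sk43733 procedure: the CSV layout, the critical/high/medium bands, the "other blade" cut-off and the sample rows are all constructed assumptions. It ranks protections by CPU time, reports cost per call (a protection called very often but cheaply is a different problem from one called rarely but expensively), and measures how much of the load sits under "Threat Prevention Protection - ID NUM" entries, which is the check the NOTE asks you to make before blaming the IPS blade alone.

```python
"""Rank IPS protections by CPU time and measure the share that belongs to
other Threat Prevention blades.

Added example; NOT Check Point's Analyzer tool and NOT the real format of the
sk43733 statistics output. CSV layout, thresholds and sample rows are assumed."""
import csv
import io
import re

# Assumed CSV layout (constructed): protection name, number of times the
# pattern was called into action, CPU time consumed in microseconds.
SAMPLE_STATS = """protection,calls,cpu_usec
HTTP Header Spoofing,12000,12000000
SQL Injection Checker,8000,6000000
Threat Prevention Protection - ID 20017,5000,9000000
Threat Prevention Protection - ID 20042,3000,5000000
Non Compliant HTTP,20000,2400000
DNS Enforcement,50000,1600000
"""

# Assumed load bands as a share of total CPU time; the real tool's
# thresholds are not given on the page.
LOAD_BANDS = (("critical", 0.20), ("high", 0.10), ("medium", 0.05))

# Assumed cut-off: above this share of CPU time under other-blade entries,
# the IPS blade is not the only blade to investigate.
OTHER_BLADE_CUTOFF = 0.30

# Entries the report shows for protections owned by other Software Blades
# (accepts a hyphen or an en dash, as the note on the page prints one).
OTHER_BLADE_RE = re.compile(r"^Threat Prevention Protection\s*[-\u2013]\s*ID\s+\d+$")


def parse_stats(text):
    """Parse the CSV text into a list of dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({"protection": rec["protection"].strip(),
                     "calls": int(rec["calls"]),
                     "cpu_usec": int(rec["cpu_usec"])})
    return rows


def load_level(share):
    """Map a share of total CPU time onto the assumed load bands."""
    for name, floor in LOAD_BANDS:
        if share >= floor:
            return name
    return "low"


def rank_protections(rows):
    """Protections sorted by CPU time, with share, band, per-call cost and blade ownership."""
    total = sum(r["cpu_usec"] for r in rows) or 1
    ranked = []
    for r in sorted(rows, key=lambda r: r["cpu_usec"], reverse=True):
        share = r["cpu_usec"] / total
        ranked.append({
            "protection": r["protection"],
            "calls": r["calls"],
            "cpu_usec": r["cpu_usec"],
            "share": share,
            "level": load_level(share),
            "usec_per_call": r["cpu_usec"] / r["calls"] if r["calls"] else 0.0,
            "other_blade": bool(OTHER_BLADE_RE.match(r["protection"])),
        })
    return ranked


def other_blade_share(rows):
    """Fraction of total CPU time attributed to other-blade entries."""
    total = sum(r["cpu_usec"] for r in rows) or 1
    other = sum(r["cpu_usec"] for r in rows if OTHER_BLADE_RE.match(r["protection"]))
    return other / total


def summarize(text):
    """Full triage: ranked protections plus the other-blade verdict."""
    rows = parse_stats(text)
    share = other_blade_share(rows)
    return {"ranked": rank_protections(rows),
            "other_blade_share": share,
            "ips_only": share < OTHER_BLADE_CUTOFF}


if __name__ == "__main__":
    report = summarize(SAMPLE_STATS)
    for p in report["ranked"]:
        tag = " (other blade)" if p["other_blade"] else ""
        print(f'{p["level"]:8} {p["share"]:6.1%} {p["usec_per_call"]:8.0f} us/call  {p["protection"]}{tag}')
    print(f'other-blade share: {report["other_blade_share"]:.1%}; IPS-only: {report["ips_only"]}')
```

With the constructed rows, the two "Threat Prevention Protection - ID ..." entries carry about 39% of the CPU time, so the verdict is that IPS is not the only blade to look at, exactly the situation the NOTE describes. Point the script at your own export by replacing SAMPLE_STATS once you have mapped the real statistics columns onto the three assumed fields.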

IPS Protection filter

Hi, I want to understand what dynamic and static IPS Protections are. Also, if we applied the Optimized profile, does the Basic profile still work? Thanks

Re: TE Redundancy (NGTX)

Hey, of course, we can move it. Thanks

Anti-spam and email security blade always bypassing all emails

Non spam bypassed (Temporary scan failure)
From the logs, the Anti-Spam and Email Security blade is always bypassing all emails. It seems the Anti-Spam and Email Security blade is not working well.

IPS Attack direction

Hi everyone,
On my Check Point 80.30 I would like to know, for a generic IPS log, which field tells me the direction of the attack, in order to find out who the attacker is, the PC or the server. I think that is simple for the Check Point, by looking at the direction of the attack signature. Please do not confuse the TCP/IP session direction with the attack direction.
Thanks a lot.
Emi

It's not working Blocked Senders / Domains on AntiSpam blade.

I added them, but it's still receiving email from those users.

R80.20 IPS Signature For OWASP

Dear Experts,
I am looking for an IPS signature for OWASP. Can you please help me to find the IPS signature for OWASP?
Regards,
Rahul Borah

'Water Torture' attack , DDoS against DNS

I don't seem to be able to find a CVE for this attack, so my question is: can the Check Point IPS blade prevent these attacks? Or would that be something one would need DDoS Protector for? A little more info on the attack below.

Title: DNS Label-Prepending and -Substitution ('Water Torture') DDoS Attack Mitigation Recommendations for Authoritative DNS Servers
November 4, 2019
Description: Netscout Arbor have observed a significant recent increase in the prevalence of DNS label-prepending and label-substitution attacks (also known as DNS 'Water Torture' attacks), which make use of DNS queries for nonexistent, programmatically-generated DNS records to force authoritative DNS servers for targeted organizations to both service the illegitimate DNS queries as well as generate large numbers of NXDOMAIN negative responses. The goal of the attacker in these circumstances is to overwhelm the resources of the authoritative DNS servers, thus rendering online properties of the targeted organization such as Web servers, email servers, et al. unreachable due to failed name resolution. This is an indirect form of application-layer DDoS attack against the critical ancillary DNS name-resolution service, rather than directly attacking the applications and services running on targeted networks; if the DNS names for online resources cannot be resolved, they are effectively rendered unavailable to legitimate users.
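Whatever the answer on the IPS blade, the attack described above leaves a distinctive footprint in an authoritative server's query log, and that is what a detection would key on. The following is an added example of such detection logic (my code, not a Check Point or Netscout feature): for each client it measures the NXDOMAIN ratio, the share of never-repeated name prefixes, and the Shannon entropy of the leftmost label, which is the label the attacker programmatically generates. The log layout, the thresholds and every sample line are constructed assumptions; a real deployment would also need to account for the fact that the visible source is often an abused open resolver rather than the attacker.

```python
"""Flag DNS 'water torture' (random-label / label-prepending) clients from an
authoritative server's query log.

Added example for the post above; it is not a Check Point or Netscout feature.
The log layout, the thresholds and every sample line are constructed."""
import math
import re
from collections import Counter, defaultdict

# Assumed log layout (constructed): "<client-ip> <qname> <qtype> <rcode>", one query per line.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed random-looking labels of the kind a label-prepending attack sends.
RANDOM_LABELS = ["k7x2qz9p", "a3mt8wq1", "p9zlc4vx", "t2hq6nrd", "y8wm3kfs", "g5vb1xpo",
                 "n4rj7zcw", "q1dk9mty", "h6sp2vlg", "c8xn5qbr", "w3fz0jhk", "m0yt4ldq"]


def _lines(client, entries):
    """Expand (qname, qtype, rcode, count) tuples into log lines for one client."""
    return [f"{client} {q} {t} {r}" for q, t, r, n in entries for _ in range(n)]


SAMPLE_LOG = "\n".join(
    # a normal recursive resolver: repeated real names, one typo
    _lines("192.0.2.10", [("www.example.com.", "A", "NOERROR", 5),
                          ("mail.example.com.", "MX", "NOERROR", 3),
                          ("example.com.", "NS", "NOERROR", 2),
                          ("wwww.example.com.", "A", "NXDOMAIN", 1),
                          ("ftp.example.com.", "A", "NOERROR", 1)])
    # attack source (or an abused open resolver): a unique junk label on every query
    + _lines("198.51.100.7", [(f"{lbl}.example.com.", "A", "NXDOMAIN", 1) for lbl in RANDOM_LABELS])
    # same pattern, but too few queries to judge
    + _lines("203.0.113.5", [(f"{lbl}.example.com.", "A", "NXDOMAIN", 1) for lbl in RANDOM_LABELS[:3]])
)


def label_entropy(label):
    """Shannon entropy of a label in bits per character (0 for '' or 'www')."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def prefix_labels(qname, zone):
    """Labels left of the zone apex; [] for the apex itself, None if outside the zone."""
    qname, zone = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    if qname == zone:
        return []
    if not qname.endswith("." + zone):
        return None
    return qname[: -len(zone) - 1].split(".")


def client_stats(log_text, zone):
    """Per-client counters over the queries that fall inside the zone."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "prefixes": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, qname, _qtype, rcode = m.groups()
        labels = prefix_labels(qname, zone)
        if labels is None:
            continue
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += rcode.upper() == "NXDOMAIN"
        s["prefixes"].add(".".join(labels))
        # the leftmost label is the one the attacker randomises
        s["entropy"] += label_entropy(labels[0]) if labels else 0.0
    return stats


def flag_clients(log_text, zone, min_queries=10, nx_ratio=0.8, distinct_ratio=0.9, min_entropy=2.5):
    """Clients whose in-zone queries are mostly NXDOMAIN, mostly unique and random-looking."""
    flagged = {}
    for client, s in client_stats(log_text, zone).items():
        n = s["queries"]
        if n < min_queries:
            continue
        nx, distinct, ent = s["nxdomain"] / n, len(s["prefixes"]) / n, s["entropy"] / n
        if nx >= nx_ratio and distinct >= distinct_ratio and ent >= min_entropy:
            flagged[client] = {"queries": n, "nxdomain_ratio": nx,
                               "distinct_ratio": distinct, "mean_entropy": ent}
    return flagged


if __name__ == "__main__":
    for client, info in flag_clients(SAMPLE_LOG, "example.com").items():
        print(client, info)
```

Only 198.51.100.7 is flagged on the constructed log: the legitimate resolver fails the NXDOMAIN and distinct-prefix tests despite its one typo, and 203.0.113.5 is held back by min_queries until it has sent enough to judge. The three thresholds are deliberately separate so that a zone with many genuine NXDOMAINs (say, after a migration) does not trip on the ratio alone.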
Jeff_Gao inside IPS, Anti-Virus, Anti-Bot, Anti-Spam a week ago

Anti-Virus log prompt: "background classification mode was set"

Dear,
FW: 23500; Version: R80.10; Hotfix: R80_10_JUMBO_HF_Bundle_T56_sk11638
I have set hold mode; refer to the screenshots below.
TP configuration as follows:
But the log shows as follows:
Description: Connection was allowed because background classification mode was set. See sk74120 for more information.
"" is a C2 and malware site, as follows:
I have set classification mode to hold, so why does it still show "background classification mode was set"?
Thanks!

6500 performance

Hello everyone.
We are going to implement a Check Point 6500 in our network. We have 500 users and about 250 Mb/s of ISP traffic, but inside the network there will be about 8 Gb/s of traffic between VLANs; we have file shares and video files traveling between them. My question is: is the 6500 appliance able to operate without any problem in my scenario?

HTTP Inspection in R80 - HTTP 0.9 Blocked

I have been kicking this around with support for a few weeks now and hoping to see if anyone else has noticed this.
We have been on R77.30 for years and started upgrading to R80.20. After upgrading the Security Gateways in a test site to R80 I started noticing some blocked traffic.
The request is simply "GET /"
The reason info is:
Reason: illegal header format detected: Malformed HTTP protocol name in request
Information: illegal header format detected
Name: Block HTTP Non Compliant
It is definitely blocking due to the lack of a version on the end of the request ("GET / HTTP/1.0"). My argument is that HTTP 0.9, while not widely used, is still used by large vendors like F5 in their default health checks.
Has anyone else noticed this behavior when going from R77 to R80?
My issue is that I do not want to add an exclusion if I can avoid it, because this would disable all HTTP inspection for our load balancers until we could change any health checks, and there seems to be no way to still support HTTP 0.9.
Did Check Point deprecate HTTP 0.9 without any notice?
Has anyone else noticed this?
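The grammar difference behind the post above is small but exact: an HTTP/0.9 Simple-Request (RFC 1945, section 5) is "GET" SP Request-URI CRLF with no version and no headers, whereas a full Request-Line carries an HTTP/major.minor token. The following is an added example of a request-line classifier (my code, not Check Point's parser; the actual rules of the "Block HTTP Non Compliant" protection are not published on this page) that can run strictly, rejecting anything without a version, or leniently, admitting Simple-Requests, so a health-check line can be tested against both policies. All request lines are constructed.

```python
"""Classify HTTP request lines strictly (no version means non-compliant) or
leniently (RFC 1945 HTTP/0.9 Simple-Request admitted).

Added example; not Check Point's HTTP parser, and the exact rules of the
"Block HTTP Non Compliant" protection are assumed, not known."""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # RFC 7230 tchar
# Full Request-Line: Method SP Request-Target SP HTTP-Version
REQUEST_LINE_RE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d)\.(\d)$")
# RFC 1945 Simple-Request: "GET" SP Request-URI CRLF (GET only, no version, no headers)
SIMPLE_REQUEST_RE = re.compile(r"^GET (\S+)$")


def classify_request_line(line, allow_http09=False):
    """Return (verdict, detail) with verdict in {'full', 'simple', 'malformed'}."""
    line = line.rstrip("\r\n")
    m = REQUEST_LINE_RE.match(line)
    if m:
        method, target, major, minor = m.groups()
        return "full", f"{method} {target} HTTP/{major}.{minor}"
    m = SIMPLE_REQUEST_RE.match(line)
    if m:
        if allow_http09:
            return "simple", f"GET {m.group(1)} (HTTP/0.9 Simple-Request)"
        return "malformed", "missing HTTP-version: HTTP/0.9 Simple-Request not allowed"
    return "malformed", "request line matches neither Request-Line nor Simple-Request"


# Constructed request lines, including the bare "GET /" a load balancer's
# default health check may send.
SAMPLES = [
    "GET / HTTP/1.0\r\n",
    "GET /\r\n",                 # F5-style HTTP/0.9 health check
    "POST /\r\n",                # Simple-Request permits GET only
    "GET / HTTP/1.0 extra\r\n",  # trailing garbage after the version
    "GET /index.html HTTP/1.1\r\n",
    "GET / HTTP/1\r\n",          # version token not major.minor
]


def triage(samples, allow_http09):
    """Classify every sample under one policy: list of (line, verdict, detail)."""
    return [(s.strip(), *classify_request_line(s, allow_http09)) for s in samples]


if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_http09={policy}")
        for line, verdict, detail in triage(SAMPLES, policy):
            print(f"  {verdict:9} {line!r:32} {detail}")
```

Under the strict policy the bare "GET /" is the only sample whose verdict changes between the two runs: everything else that is rejected is rejected for a reason unrelated to HTTP/0.9. That is the distinction worth making before deciding whether an exclusion for the load balancers is really the only way out, or whether the health check can be switched to "GET / HTTP/1.0" instead.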

Is it possible to export a list of Inspection settings?

Hi,
Is it possible to export a list of Inspection Settings, as can be done with IPS protections? For IPS there is an "export view" action which exports the protections and their state.
Thanks

Help on IPS Blade Log

Hi,
Since I activated the IPS Blade I frequently get log messages like this, with action Accept, source from the internet and destination the outside IP of the Gateway.
On the Forensics Details I get:
Reason: HTTP parsing error occurred, bypass request
And the Precise Error is: Illegal URL
Since this is reported by IPS I suspect this is a possible form of attack. Why is it allowed? I did not configure an exception ...
Thanks
Carlos

TP Policy and Connectivity Upgrade

Hello community,
I'm familiar with the ClusterXL connectivity upgrade and have done a few in the past.
However, last week I had to upgrade the first cluster with TP blades using the connectivity upgrade path.
I know the limitations regarding software blades, but I was quite surprised that the guides do not mention a TP policy install at all during the whole process.
When doing the first install with the cluster object in the database on the new version (while member A is still on the old version and member B is already on the new version, before the cphacu start command), only the Access Policy is mentioned.
When doing a final policy install at the end of the CU upgrade process, again only the Access Policy is mentioned.
When trying this in the lab, I got errors regarding the TP blades in SmartConsole for the updated cluster, which disappeared after the first TP policy installation.
I'm wondering if I should also install the TP policy directly after the first Access Policy install with the new version (before cphacu start), or if it was correct to do so only after both members are upgraded.
If it is important: the upgrade was done from R80.10 Take 479 Jumbo HFA Take 225 to R80.30 Take 200 (then upgraded to Jumbo HFA Take 50).
Thank you for your thoughts.

IPS blade generates "General Notice: Internal error" logs

Hi guys,
I noticed too many IPS logs with Attack name: General Notice, and Attack Information: Internal Error.
Here is a screenshot:
All sources are internal users going to a proxy server, placed in the DMZ segment of the Check Point.
I suspect that this log is generated when a user is rejected/denied access to some URL by the proxy.
There are a lot of such events, and I am trying to get rid of them, but I cannot add an exception or stop the protection as there is no such one in the DB.
Any recommendations?
Thanks,
Dilian