Threat Prevention Policy Layers

Hi All

We have a situation where, on R80.10 Mgmt/GW, we have created multiple Threat Prevention (TP) rules, each rule with a different blade (Profile) enabled,

e.g.

Rule 1- IPS

Rule 2 - AV

Rule 3 - Threat Prevention

Isn't Check Point supposed to go through each and every rule and execute all blades?

What we see is that it just hits the first rule (IPS blade) and the other rules have no hits; for example, TP has no hits or files uploaded to CP cloud for analysis, same with AV.

If I edit the first rule and enable all the blades on it, it works.

Is this normal behavior?

7 Replies
Admin

Re: Threat Prevention Policy Layers

Yes it's expected behavior as we only look at subsequent layers if the previous layers did not block the traffic (applies to both Access Control and Threat Prevention).

The only reason you would separate threat prevention blades into different layers is for Pre-R80 gateways (and specifically only IPS).

Re: Threat Prevention Policy Layers

Hi Dameon

But this does not make sense; traffic is not blocked by the layers, AV, IPS and TP are all just doing logging only, so traffic should still go to the other layers below, right?

Re: Threat Prevention Policy Layers

Hi,

If you want to allocate different profiles for different blade usages, and have a different rule matched per blade but for the same traffic, then Threat Prevention Layers are the way to go.

Make a separated layer per blade. When traffic matches on multiple layers, they are combined so that the strictest matters. So in that case, the layer that has a rule with a particular blade activated will be matched when traffic relevant to that blade passes.

Let me know if you have more questions about this.

Re: Threat Prevention Policy Layers

Thanks Tomer and Dameon for the reply, but I am still not very clear on this. Is there any document that describes how the Threat Prevention policy works with multiple layers? I do understand how it works with the Access policy; is it different for the TP policy?

See the current policy below; the Protected Scope is different for each rule, but they have overlapping networks between them.

My understanding was that as long as traffic is not blocked it should go through all 3 layers and match all 3 profiles, but what we see is that it only matches the first layer (in this case AV).

Admin

Re: Threat Prevention Policy Layers

Threat Prevention blades in general only generate logs if something is blocked or scanned.

Specific to your example.

  • IPS only generates logs if traffic triggers an active IPS signature. Otherwise, no log is generated.
  • Threat Emulation only generates a log entry if an actual file is emulated and/or Threat Extraction is performed.
  • Anti-Virus logs what it is able to scan (file/URL).

The fact you're only seeing AV logs, therefore, is most likely expected behavior.

Re: Threat Prevention Policy Layers

You have 3 rules all in the same TP layer in your screenshot. If it matches the first one it will never reach rules 2 and 3. To do what you want, Rule 1 needs to be in its own TP layer, original Rule 2 should be Rule 1 in a second TP layer, and original Rule 3 will now be Rule 1 in a third TP layer, like this:

In that case all 3 layers (with 1 rule each) will be evaluated simultaneously and the most strict action taken, unless there is an exception present. Only one rule can match inside the same TP layer.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
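The difference between "three rules in one layer" and "three layers with one rule each" is easy to see in a small model. The following Python is an added illustration written for this thread, not Check Point code: it encodes the two evaluation rules stated above (first match wins inside a layer; every layer is evaluated and the strictest action applies across layers) against constructed rules with overlapping Protected Scopes. The blade names, networks, and the detect-below-prevent ordering are assumptions for the example; exceptions are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical model of Threat Prevention layer evaluation as described in the
# thread. This is illustrative code, not Check Point's implementation.

# Constructed ordering: "prevent" is treated as stricter than "detect".
SEVERITY = {"detect": 1, "prevent": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    protected_scope: tuple[str, ...]   # networks in the rule's Protected Scope
    blades: frozenset[str]             # blades enabled in the rule's profile
    action: str                        # "detect" or "prevent"

    def matches(self, dst: str) -> bool:
        addr = ip_address(dst)
        return any(addr in ip_network(net) for net in self.protected_scope)


def first_match(layer: list[Rule], dst: str) -> Rule | None:
    """Inside one TP layer only the first matching rule is used."""
    for rule in layer:
        if rule.matches(dst):
            return rule
    return None


def evaluate(layers: list[list[Rule]], dst: str) -> tuple[set[str], str | None]:
    """Evaluate every layer for traffic to dst.

    Returns the union of blades from each layer's matching rule and the
    strictest action among them (None if no layer matched).
    """
    blades: set[str] = set()
    action: str | None = None
    for layer in layers:
        rule = first_match(layer, dst)
        if rule is None:
            continue
        blades |= rule.blades
        if action is None or SEVERITY[rule.action] > SEVERITY[action]:
            action = rule.action
    return blades, action


# Constructed rules mirroring the thread: overlapping scopes, one blade each.
IPS = Rule("Rule 1 - IPS", ("10.0.0.0/8",), frozenset({"IPS"}), "detect")
AV = Rule("Rule 2 - AV", ("10.1.0.0/16",), frozenset({"Anti-Virus"}), "prevent")
TE = Rule("Rule 3 - TE", ("10.1.2.0/24",), frozenset({"Threat Emulation"}), "detect")

SINGLE_LAYER = [[IPS, AV, TE]]       # what the original poster actually built
THREE_LAYERS = [[IPS], [AV], [TE]]   # the layout recommended in the thread


def main() -> None:
    dst = "10.1.2.5"  # constructed host inside all three scopes
    # One layer: Rule 1 matches first, so only IPS applies.
    print("single layer:", evaluate(SINGLE_LAYER, dst))
    # Three layers: each layer's rule matches, all blades apply, strictest action wins.
    print("three layers:", evaluate(THREE_LAYERS, dst))


if __name__ == "__main__":
    main()
```

Running it for a destination inside all three scopes shows the single-layer policy applying only the IPS blade, while the three-layer policy applies IPS, Anti-Virus and Threat Emulation together with the stricter "prevent" action. A host outside every scope matches nothing in either layout.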

Re: Threat Prevention Policy Layers

Hi Tim

That is great, I just understood what the issue was: I had actually added 3 rules to the same layer, thinking I had created 3 separate TE layers.

Thanks for the explanation.