Ruben_Starkovsk
Explorer

Difference between "Protected Scope" and "Destination"

What's the difference between "Destination" and "Protected Scope" in the Threat Prevention policy and Global Exception rules, and when would you use either?


Accepted Solutions
Daniel_Taney
Advisor

I believe "Protected Scope" is used in the Threat Prevention policy to designate an entity that you want protected (i.e. a single host, group of hosts, network, etc...). It is my understanding that this applies the protections in the policy to those nodes whether the malicious traffic is inbound or outbound. 

Whereas "Destination" would only apply the rule to traffic headed outbound. 

R80 CCSA / CCSE

Timothy_Hall
Champion

Protected Scope means match/scan all traffic going to/from this object regardless of which way the connection was originally initiated, as generally we don't care about "directionality" for the process of Threat Prevention.  We most certainly do care about that in Access Control policies.

If however the hidden Threat Prevention Source/Destination policy fields are exposed then populated (they both default to Any), you are implying directionality for what you want to scan.  So if in your TP policy Source is "net1", Destination is Any, and Protected Scope is Any, only connections initiated from net1 and the replies will match that rule and be scanned via the associated profile.  Connections initiated from outside net1 into it will not match that TP rule at all for traffic in both directions.

I got this question a lot in various classes so here is the coverage of this topic from my 2021 IPS/AV/ABOT Video Series class:

tp_src_dst.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


(1)
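
The matching behaviour described in the answer above, as an added example that is not part of the original thread and is not Check Point code: a simplified Python model in which Source/Destination are compared against the connection's initiator and responder, while Protected Scope matches either endpoint. The `net1` address range, the sample IPs, and the assumption that the three columns are ANDed together are constructed for illustration.

```python
# Simplified model (an assumption, not Check Point's implementation) of how a
# Threat Prevention rule's Source / Destination / Protected Scope columns
# select connections, following the behaviour described in the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
NET1 = ip_network("10.1.1.0/24")  # constructed stand-in for "net1"

@dataclass(frozen=True)
class Connection:
    initiator: str  # host that opened the connection
    responder: str  # host that received the first packet

@dataclass(frozen=True)
class TPRule:
    source: object = ANY           # hidden column, defaults to Any
    destination: object = ANY      # hidden column, defaults to Any
    protected_scope: object = ANY

def rule_matches(rule, conn):
    """True if the whole connection (requests and replies) hits this rule."""
    client = ip_address(conn.initiator)
    server = ip_address(conn.responder)
    # Source/Destination are directional: tied to who initiated the connection.
    directional = client in rule.source and server in rule.destination
    # Protected Scope ignores direction: either endpoint may be the object.
    scoped = client in rule.protected_scope or server in rule.protected_scope
    # Assumption: all populated columns must match for the rule to apply.
    return directional and scoped

# Constructed sample connections.
OUTBOUND = Connection("10.1.1.20", "203.0.113.5")      # initiated from net1
INBOUND = Connection("203.0.113.5", "10.1.1.20")       # initiated into net1
UNRELATED = Connection("198.51.100.7", "203.0.113.5")  # never touches net1

def compare_rules():
    """Match results per rule style for (OUTBOUND, INBOUND, UNRELATED)."""
    by_source = TPRule(source=NET1)          # Source=net1, rest Any
    by_scope = TPRule(protected_scope=NET1)  # Protected Scope=net1, rest Any
    conns = (OUTBOUND, INBOUND, UNRELATED)
    return {
        "source=net1": [rule_matches(by_source, c) for c in conns],
        "scope=net1": [rule_matches(by_scope, c) for c in conns],
    }

if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(name, hits)
```

In this model the `source=net1` rule skips the inbound connection entirely, which is the coverage gap to check for when the hidden Source/Destination columns are populated.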
3 Replies
cosmos
Advisor

I would like to know what the official answer is from Check Point.... anyone?
