Actually, IPS Core Protections and Inspection Settings are 2 different things although both installed with Access Control. I wrote about it at https://community.checkpoint.com/thread/5159-where-did-all-my-ips-protections-go 

It would be less confusing if they were listed as part of Inspection Settings, IMO.

By separating them from IPS protections, it's clear:

• These protections aren't actually IPS protections (they were just lumped with IPS protections in R70-R77.x)
• These protections do not require an IPS license to use (because they are actually enforced in the Firewall, not IPS)
• An Access Policy (Firewall) policy push is required to make changes to the configuration

As far as I know, there are no plans to change this. 

Hey Dameon,

I understand Core Protections and Inspection Settings are both enforced in the firewall and applied with Access Policy, but what differentiates them from Threat Cloud protections? From what I can tell, it appears that Inspection Settings deal with network packets that are not exhibiting 'normal' behavior but Core Protections have CVE reference numbers similar to Threat Cloud protections so that's where I'm a bit lost in understanding the difference.

As described in my IPS class, Core Protection/Activations are protections that are in a bit of a "no man's land" between Inspection Settings and IPS ThreatCloud protections.  The only clarification I've been able to get about why Core Protections are handled like this is for "technical reasons".  I suspect that one of the technical reasons was the ability to use Protected Servers definitions to more precisely control which defined servers would have these Core Activations applied to them.  The Protected Servers mechanism is obsolete in R80.10+ due to the ability to apply different IPS profiles to the same gateway with separate Threat Prevention rules.  Another reason might be that they are not typically just set to Prevent/Detect/Inactive and have various individual adjustments under a "See Details..." link; and also that exceptions must be added for each Core Protection individually.  You can't add a single exception rule for a group of Core Activations or for "Any" of them.

Most of the Core Activations look like they belong under Inspection Settings to me since they are looking for various network protocol weaknesses.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Thank you Tim, that is helpful

Note that Geo Protection (now called "Geo Policy" in R80+ management) was also separated from the IPS blade and has its own profile assignments per gateway.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

And in R80.20, you can do Geo rules in the regular Access Policy

> And in R80.20, you can do Geo rules in the regular Access Policy 

How is this done in R80.20?  Can't seem to find it...

Using GEO Location Objects in Firewall Policy (with Dynamic Objects), brilliant as it is, doesn't count.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Click on the + in the Source/Destination field of a rule.

Select Import > Updatable Objects.

You can find updatable objects for:

• AWS Services
• Office 365
• Country Objects

Because Geo Policy can now be implemented directly in the Network Policy Layer (among others) using updatable objects in R80.20 management, I assume these can be applied via policy to the Gaia Embedded appliances models 1100-1400 running R77.20.XX?  There has been a longstanding limitation that these models do not directly support the separate Access Control Geo Policy/Protection feature (which I assume still applies in R80.20), but using these updatable objects as shown above appears to be a way to achieve the same effect on these models via the main Access Control policy layers.  Is my assumption correct Dameon Welch-Abernathy‌?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

This feature requires R80.20 gateway support as the updating of these objects occurs on the gateway.

Which means the SMB appliances do not support this functionality currently.