Mikel_Aanstoot
Contributor

IPS, Follow Up & Staging

Hello,

I have read a couple of discussions but could not find anything completely related to my question. The (long) introduction:

In R77.30 SmartDashboard there was the Flag Follow Up option for IPS, which I found very useful, and new IPS signatures were marked in bold. My work process was that after an IPS update I went to the signature list and flagged Follow Up for each signature I set to Prevent or Detect. When, for some reason, we noticed unwanted behaviour after the IPS installation, it probably had to do with the new IPS signatures, and it was easy to find because of the flagging; it narrowed things down immediately. When a new IPS update was downloaded, I unflagged the previous update's signatures.

Then in R80.10 SmartDashboard there was no Flag Follow Up anymore, but staging was introduced. This was a bit annoying for the way I work: staging disappeared straight away after changing a signature to Prevent or Detect, and you could not see the signatures whose action you had last changed.

So in R80.20 SmartDashboard I was very happy the Flag Follow Up option returned 🙂 With the flagging option I could see my last changed signatures again, and the Follow Up flag would stay up until the moment I chose to unflag it.

But this morning I installed version R80.20 SmartConsole 992000046, and once again I went to my signature list; after selecting a flagged signature and changing the status to Prevent, it immediately removed the Follow Up flag and the staging status. So I am in the same situation as with R80.10.

I had hoped that the Follow Up flag would stay up until the moment I uncheck the Follow Up checkbox, and not be removed automatically after a change in Action. Is there a reason this has been changed, or is it a bug, or am I doing something wrong (which may very well be the case...)?

kind regards,

Mikel

0 Kudos
13 Replies
Timothy_Hall
Champion

If staging is not currently set on an IPS protection, changing the action of a profile referencing that signature does not seem to affect the status of the Follow Up flag in R80.20.  If staging and the Follow Up flag are both set for a protection, clearing staging for the profile referencing that IPS protection does seem to clear both staging mode and the Follow Up flag together for that protection as you observed.  There doesn't seem to be a way to disable this behavior, at least that I can find.

My interpretation of why the Follow Up flag returned in R80.20 is that new/updated ThreatCloud protections for the first time are not set to staging mode by default under a fresh R80.20 install.  If you have upgraded from R80.10 or earlier where newly downloaded protections were placed in staging mode due to the "set activation as staging mode" checkbox in your profile(s) being set, that staging behavior remains for new/updated protections after the upgrade to R80.20.  Also note that the ability to add a separate comment to each and every IPS protection has returned in R80.20 as well, which can be really useful for documenting any customizations/exceptions related to this protection, or hints about exactly how it may have caused production impacts in the past.

Anyway this would seem to be a question for @Smadi_Paradise's team, I'm tagging her here in hopes that she or her team will see this post and respond.


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Mikel_Aanstoot
Contributor

Thanks for the reply, Timothy. I see indeed that in one profile I have Newly Updated Protections set to Active with "Set activation as staging mode", and in one profile only Active without staging. Both have the same behaviour. In my interpretation, Follow Up means you want to follow up on that signature (let's say you first want to Detect only, to see what happens, before you go for Prevent or Inactive, and you don't want it to slip away from your attention). I had expected it to be a "sticky" follow-up. I found that very useful.


0 Kudos
Vladimir
Champion

>>in one profile I have the Newly updated protections to Active with Set activation as staging mode and one profile only Active without staging. Both have same behaviour. <<

Please clarify if both profiles result in the protections being Staged and if both profiles are those that came pre-packaged with R80.20 (Basic, Optimized or Strict).

I have performed a number of deployments with cloned profiles set to activate according to profile settings and am not seeing anything in staging on those.

0 Kudos
Mikel_Aanstoot
Contributor

I attached a document with screenshots of the behaviour. Indeed, this happens only with the IPS profile that has the checkbox "Set activation as staging mode" under Newly Updated Protections.

Timothy_Hall
Champion

Yep your screenshots represent exactly what I saw in my testing as well with R80.20.  Tried it in the R80.30 EA SmartConsole and this behavior is the same there as well.

0 Kudos
Vladimir
Champion

I am interested in the significance of the "Detect" icon being shown in Blue on your screenshots.

My understanding was that it should be yellow:

image.png

0 Kudos
Timothy_Hall
Champion

That icon is now blue by default in the R80.20 SmartConsole.

0 Kudos
TP_Master
Employee

Hi Tim

Regarding this 


@Timothy_Hall wrote:

My interpretation of why the Follow Up flag returned in R80.20 is that new/updated ThreatCloud protections for the first time are not set to staging mode by default under a fresh R80.20 install.  If you have upgraded from R80.10 or earlier where newly downloaded protections were placed in staging mode due to the "set activation as staging mode" checkbox in your profile(s) being set, that staging behavior remains for new/updated protections after the upgrade to R80.20.  Also note that the ability to add a separate comment to each and every IPS protection has returned in R80.20 as well, which can be really useful for documenting any customizations/exceptions related to this protection, or hints about exactly how it may have caused production impacts in the past.

Actually some "behind the scenes" :

The Follow Up flag returned because it was requested by our users 🙂 we listened to their requests and decided to return it. In R77 the staging and follow-up flag were the same feature, and we thought that filtering by "Staging" under the "IPS Protections" screen in R80.X SmartConsole would yield the same results. However user feedback made us rethink this and I'm glad we could quickly add it back.

The decision to change the default for the staging mode (setting "according to profile" / Prevent by default) was taken due to the fact that we have progressed enormously in monitoring and responding to false positive cases. We had very few in the past few years, and as time went by we gained enough confidence to tell our customers: you don't need to worry about false positives, we won't have them. This change of default is actually a statement about how much we believe in our IPS signatures.


HTH

0 Kudos
Mikel_Aanstoot
Contributor

Hi,

As I mentioned, I was very happy that the Follow Up flag returned, so I am glad Check Point listened to customers like myself. And I like the confidence statement about the behaviour of the flagging/staging in "according to profile". And here comes the but... 😉 But my point of view is that follow-up is precisely what it is: I want to follow up on this regardless of the default behaviour or setting. It might be for reasons other than false positives. So if you want to receive lots of kudos from me, I really would like to have the Follow Up flag stay up until the moment I decide to unflag it 😀.

kind regards,

Mikel

0 Kudos
CPIshai
Employee Alumnus

Hi all, 

I want to reproduce the same behaviour to see what exactly happens here. Can you please explain in detail how you removed the "Staging" from the protection?

The Staging and the Follow-Up flag should not have any connection to each other.

Also, if you can add the R80.20 version that you use, that will be appreciated.

Thanks,
Ishai 


0 Kudos
Mikel_Aanstoot
Contributor

Hi, in the attached document are the steps and screenshots. It might be that I need to work differently with the filters.

0 Kudos
CPIshai
Employee Alumnus
Employee Alumnus

Hi Mikel, 

Thank you for your example. 

The relation between the filters is an "AND" relation and not "OR", so when you remove the Staging mode, the protection automatically disappears from your view because the Staging facet is selected.

In your second example, the reason the protection was still shown is that it was still on "Staging" in the NV profile.

What I am interested to know is what happened to the Follow-up flag of the "Rockwell Automation Multiple Controllers Open Redirect" protection; was it still marked as follow-up?

Thanks again for your cooperation!

Ishai 

0 Kudos
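The two mechanics discussed in this thread (Mikel's post-update workflow of flagging every new or changed protection so a regression can be narrowed down quickly, and Ishai's point that the IPS Protections facets combine with AND, so clearing staging makes a protection drop out of a Staging+Follow Up view without clearing its flag) are easy to reason about in a few lines of code. The following is an added example written for this page; it is not code from the thread, from SmartConsole or from the Check Point Management API. The record layout (a protection with a follow-up flag and a per-profile action plus staging bit), the profile names "NV" and "Office", and the protection names are all constructed assumptions for illustration, not the real API schema.

```python
"""Tracking IPS protection changes across updates, plus facet-filter semantics.

Added example with constructed data. The record layout (name, follow-up flag,
per-profile action and staging bit) is an assumption made for illustration and
is not the Check Point Management API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Override:
    """Action one IPS profile takes for a protection, and whether that
    activation is still in staging mode for that profile (assumed layout)."""
    action: str            # "Prevent", "Detect", "Inactive" or "According to profile"
    staging: bool = False


@dataclass
class Protection:
    name: str
    follow_up: bool = False                                     # global per protection
    overrides: Dict[str, Override] = field(default_factory=dict)  # profile name -> Override


def matches(p: Protection, facets: dict) -> bool:
    """Facet filters combine with AND: every selected facet must hold for the
    protection to stay in the view."""
    if facets.get("follow_up") and not p.follow_up:
        return False
    # Staging facet: the protection is staged in at least one profile.
    if facets.get("staging") and not any(o.staging for o in p.overrides.values()):
        return False
    action = facets.get("action")
    if action and not any(o.action == action for o in p.overrides.values()):
        return False
    return True


def view(protections: List[Protection], **facets) -> List[str]:
    """Names of protections visible under the selected facets, in list order."""
    return [p.name for p in protections if matches(p, facets)]


def set_action(p: Protection, profile: str, action: str) -> None:
    """Change the action for one profile. Leaving staging clears the staging bit
    for that profile only; the follow-up flag is deliberately left untouched."""
    p.overrides[profile] = Override(action=action, staging=False)


def changed_since(before: List[Protection], after: List[Protection]) -> List[str]:
    """Protections that are new, or whose per-profile actions differ, between
    two snapshots taken before and after an IPS update (sorted by name)."""
    old = {p.name: p for p in before}
    out = []
    for p in after:
        prev = old.get(p.name)
        if prev is None:
            out.append(p.name)
        elif ({k: v.action for k, v in prev.overrides.items()}
              != {k: v.action for k, v in p.overrides.items()}):
            out.append(p.name)
    return sorted(out)


def flag_for_follow_up(protections: List[Protection], names: List[str]) -> int:
    """Set the follow-up flag on the named protections; returns how many changed."""
    wanted, n = set(names), 0
    for p in protections:
        if p.name in wanted and not p.follow_up:
            p.follow_up = True
            n += 1
    return n


def demo() -> dict:
    """Replays the thread on constructed data: flag what an update changed, then
    set the action on a staged, flagged protection and compare the views."""
    before = [  # constructed pre-update snapshot
        Protection("Protection A", follow_up=True,
                   overrides={"NV": Override("Detect", staging=True),
                              "Office": Override("Detect", staging=True)}),
        Protection("Protection B", overrides={"NV": Override("Prevent")}),
    ]
    after = [   # constructed post-update snapshot: B's action changed, C is new
        Protection("Protection A", follow_up=True,
                   overrides={"NV": Override("Detect", staging=True),
                              "Office": Override("Detect", staging=True)}),
        Protection("Protection B", overrides={"NV": Override("Detect")}),
        Protection("Protection C", overrides={"NV": Override("Detect", staging=True)}),
    ]
    changed = changed_since(before, after)
    flag_for_follow_up(after, changed)
    both_before = view(after, staging=True, follow_up=True)
    c = next(p for p in after if p.name == "Protection C")
    set_action(c, "NV", "Prevent")      # C's only profile leaves staging
    a = next(p for p in after if p.name == "Protection A")
    set_action(a, "Office", "Prevent")  # A is still staged on NV, so it stays visible
    return {
        "changed": changed,
        "both_before": both_before,
        "both_after": view(after, staging=True, follow_up=True),
        "follow_up_only": view(after, follow_up=True),
        "c_still_flagged": c.follow_up,
    }


if __name__ == "__main__":
    print(demo())
```

With the Staging and Follow Up facets both selected, "Protection C" vanishes from the view the moment its last staged profile is switched to Prevent, while "Protection A" stays because the NV profile is still staged; switching to the Follow Up facet alone shows that C's flag was never cleared. The same pattern (snapshot, diff, flag) is what the OP did by hand after each IPS update.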
Mikel_Aanstoot
Contributor

Hi Ishai,

Yes, you are correct: when switching to only Follow Up, the protection still has the Follow Up flag. Sorry for missing that.

kind regards,

Mikel

0 Kudos
