Re: Inspection Settings

s_milidrag · ‎2019-03-19

Hi Check Mate

I am pretty confused about the difference between core protections and protections listed in Inspection settings.

What is the difference between them ?

In Inspection Settings there are two profiles "Recommended Inspection" and "Default Inspection"

By default "Default Inspection" profile is applied. Why not "Recommended Inspection" profile ?

What is a best practice & recommendation by Check Point ? Do we need to change this settings in a production enthronement ?

SM

Jerry · ‎2019-03-19

Inspection Settings

You can configure inspection settings for the Firewall:
◦Deep packet inspection settings
◦Protocol parsing inspection settings
◦VoIP packet inspection settings

The Security Management Server comes with two preconfigured inspection profiles for the Firewall:
◦Default Inspection
◦Recommended Inspection

When you configure a Security Gateway, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

To activate the Inspection Settings, install the Access Control Policy.

Note - In a pre-R80 SmartConsole, Inspection Settings are configured as IPS Protections.

--

more @ https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuid...

Jerry

HeikoAnkenbrand · ‎2019-03-19

Recommended Inspection profile is high pervormance intense.

Jerry · ‎2019-03-19

Agree with Heiko, however I do believe that that's the profile we all shoudl be using as it is sort of "bunch" of recommendations all-in-one and we all should be protected by at least a CLONE of that one Profile.
Default one is the one you got when SG is installed (depoyed) whilst the Recommended one is simply the MINIMUM version which afterwards should be customized and used per Gateway configuration.

just my 5 cents. the call is yours of course.

Jerry

s_milidrag · ‎2019-03-19

Thanks,

So it is not recommended to user Recommended Profile

Also I am confused about TCP Invalid Retransmission protection.

In Recommended Inspection profile action is Drop and in Default Inspection profile, action is Inactive.

Maybe I am wrong, but if something is Inactive, that means it is Accepted.

TCP Invalid Retransmission protection is declared as a high Important...

SM

Jerry · ‎2019-03-19

you may also find interesting comparing all this with following:

https://community.checkpoint.com/t5/IPS-Anti-Virus-and-Anti-Bot/Optimize-vs-Recommended-Protection/t...

Jerry

Timothy_Hall · ‎2019-03-19

Here is some content from my IPS Immersion class taking a shot an explaining the difference between Core Protections/Activations and Inspection Settings.

Spoiler

• There are actually four different “classes” of what might be considered IPS Protections under R80.10+ management. (Note that Geo Policy/Protection is the fourth, and will be covered later in Module 4) The subtle differences in how you work with each of these four classes is the source of a LOT of confusion. They are:

1. ThreatCloud Protections (~9,300+, shield icon)
2. Core Activations (~39, shield w/ firewall icon)
3. Inspection Settings (~150, wrench icon)
4. Geo Policy (Covered in Module 4)

• Although they were part of the IPS blade in R77.XX and earlier, Inspection Settings are now part of the Access Control policy layers and no longer part of IPS/Threat Prevention in R80+ management. They perform protocol inspection that is inherent in the gateway’s stateful inspection process, and have the following attributes:

◦ As shown above Inspection Settings are part of the Access Control policy layers, so if any changes are made to them, the Access Policy needs to be installed to the gateway.
◦ Similarly to Core Activations, all Inspection Settings are included with a new software release, and are not updated via IPS Updates from the Check Point ThreatCloud.
◦ Inspection Settings Exceptions are specified separately from Threat Prevention Exceptions, so the main Threat Prevention Global exceptions DO NOT apply.
◦ One, some, or all Inspection Settings signatures can be specified in a single Inspection Setting Exception rule for an R80.10 gateway. For an R77.30 gateway, Inspection Settings Exceptions must be specified in the IPS layer under Threat Prevention.
◦ Each gateway has exactly one Inspection Settings Profile assigned to it.

• For technical reasons, 39 Core Activations exist in a kind of “no–man’s land” between ThreatCloud Protections and Inspection Settings. They typically enforce protocol standards via a protocol parser, and have the following attributes:

◦ Instead of the typical Inactive/Prevent/Detect settings, “See Details...” appears instead
◦ Exceptions can only be added for a single Core Activation signature at a time, and the main Threat Prevention Global & Custom Exceptions DO NOT apply
◦ Core Activations ship with the product and are not modified or augmented by IPS Updates from the Check Point ThreatCloud
◦ Under R80+ management, if configuration changes are made to existing Core Activations, they can be made active on the gateway by:
▪ R77.XX gateway: Install the Access Control Policy
▪ R80.10+ gateway: Install the Access Control Policy (NOT Threat Prevention)

◦ Core Activations have a special “shield with firewall” icon and will typically have an “Advanced” screen where the Activation can be further tuned or adjusted.

• There are actually four different “classes” of what might be considered IPS Protections under R80.10+ management. (Note that Geo Policy/Protection is the fourth, and will be covered later in Module 4) The subtle differences in how you work with each of these four classes is the source of a LOT of confusion. They are: 1. ThreatCloud Protections (~9,300+, shield icon) 2. Core Activations (~39, shield w/ firewall icon) 3. Inspection Settings (~150, wrench icon) 4. Geo Policy (Covered in Module 4) • Although they were part of the IPS blade in R77.XX and earlier, Inspection Settings are now part of the Access Control policy layers and no longer part of IPS/Threat Prevention in R80+ management. They perform protocol inspection that is inherent in the gateway’s stateful inspection process, and have the following attributes: ◦ As shown above Inspection Settings are part of the Access Control policy layers, so if any changes are made to them, the Access Policy needs to be installed to the gateway. ◦ Similarly to Core Activations, all Inspection Settings are included with a new software release, and are not updated via IPS Updates from the Check Point ThreatCloud. ◦ Inspection Settings Exceptions are specified separately from Threat Prevention Exceptions, so the main Threat Prevention Global exceptions DO NOT apply. ◦ One, some, or all Inspection Settings signatures can be specified in a single Inspection Setting Exception rule for an R80.10 gateway. For an R77.30 gateway, Inspection Settings Exceptions must be specified in the IPS layer under Threat Prevention. ◦ Each gateway has exactly one Inspection Settings Profile assigned to it. • For technical reasons, 39 Core Activations exist in a kind of “no–man’s land” between ThreatCloud Protections and Inspection Settings. They typically enforce protocol standards via a protocol parser, and have the following attributes: ◦ Instead of the typical Inactive/Prevent/Detect settings, “See Details...” appears instead ◦ Exceptions can only be added for a single Core Activation signature at a time, and the main Threat Prevention Global & Custom Exceptions DO NOT apply ◦ Core Activations ship with the product and are not modified or augmented by IPS Updates from the Check Point ThreatCloud ◦ Under R80+ management, if configuration changes are made to existing Core Activations, they can be made active on the gateway by: ▪ R77.XX gateway: Install the Access Control Policy ▪ R80.10+ gateway: Install the Access Control Policy (NOT Threat Prevention) ◦ Core Activations have a special “shield with firewall” icon and will typically have an “Advanced” screen where the Activation can be further tuned or adjusted.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com