Why do IPS protections set to Prevent show Detect in log?

IPS logs show only Detect on protections which have action Prevent on a newly activated IPS blade.

The Access Control policy drops this traffic destined to the external IF of the gateway. Is this the reason for the detect-only action? I thought the IPS policy was read before the Access Control policy. Am I missing something here?

Accepted Solutions

Re: Why do IPS protections set to Prevent show Detect in log?

Your gateway is probably in "detect-only" mode:

0 Kudos
3 Replies

Re: Why do IPS protections set to Prevent show Detect in log?

Indeed it's in 'detect only' mode. I actively decided to put new activations in staging mode so that I can check what updates do before I deploy them. I only help out this customer once a week so I wouldn't be able to deal with false positives on other days. So I thought that 'detect only' mode reflected that new activations go into staging.

But, I thought this would only affect future updates. When I check my IPS protections, there are none in staging mode. This is what puzzled me.

I'll change to 'According to Threat Prevention policy' instead! That shouldn't untick the staging box under updates I suppose.

Thanks to both of you Benjamin and Günther!

0 Kudos

Re: Why do IPS protections set to Prevent show Detect in log?

By default in most IPS Profiles, newly-downloaded ThreatCloud IPS Protections are set to Detect via “Staging Mode”. IPS Protections in Staging Mode are in a provisional mode and will not start preventing traffic until configured to do so by an administrator.

This is from Timothy Hall and found here