Today I decided to rework the IPS protections of our gateways a bit. What seemed like a 10-minute job turned out to be an hour-long nightmare of fighting with the SC interface.
I am using the latest R80.10 SmartConsole installed on decent hardware - SSD, 8GB RAM, 1GB LAN connection to the management server.
So, my goal was to go and disable some protections. Initially I put a filter to display only Medium protections, which are 8205 here. Then I went to filter by Vendor. I wanted to select all but two vendors. I could not do that because there is no possibility to select all vendors and then deselect the two I wanted. Oh, well.... I tried to click them one by one but on every click it would try to refresh the table and that takes time of course. I patiently selected only a few of the vendors as a starting point. An 'Apply Filter' button could have made wonders here btw.
So, I took some time to relax and continued with sorting the table by action type. Those with Prevent on the top. I selected all of them and tried to change the action to Inactive. I got a nice pop-up telling me this operation is not supported. I tried to select only a few of them and that worked. Why? Can't you handle like 200 protections at once?
Patiently again I started selecting them in chunks. Every time I did that it would re-sort the table. That implied a lot of scrolling back and forth... Not to mention the time it takes.
On one of these scrolls SmartConsole crashed and I had to re-launch it and start all over again. That really pissed me off. Crash report sent for investigation of course.
I am not questioning the performance here although I have seen UIs that handle such operations much better. But the usability.... And this is not the only place in SC where I run into such issues. For example, if I expand Exceptions in IPS policy next time I start SC it will be collapsed again and I have to expand it again... etc...
So guys, please invest some time not only in making the UI feature rich but also more usable and convenient.
Thanks for this otherwise great product, there are many good things also of course.
I totally agree with you. Especially the IPS Protection part is really a pain to work with in SC R80.10.
My greatest issues in addition to yours are:

Those are the points that came quickly to my mind.
So this area is still a work in progress and far from finished.
Cheers,
David
I confirm I have the same problem with staging protections. Only that until now I was thinking I am doing something wrong.
I experienced the same issue following migration from R77.30 to R80.10, which was raised with support and acknowledged as an issue but with no fix.
What I did was delete the rule from the "IPS" section which appears following the migration and add the corresponding rule under "Threat Prevention" -> "Policy", which removed the old schema/structure, then installed database and pushed policy.
This then resolved the issue and when selecting "staging" it showed the signatures marked as the same correctly. However please note that you need to ensure signatures following an update are set to staging as per Timothy's detailed post below.
HTH
Working with IPS protection is a nightmare at the moment indeed.
For selecting multiple IPS protections and trying to clear staging for them (or doing any other operation such as setting Prevent or Detect) hitting CNTRL-A will select them all. Unfortunately trying to do some kind of bulk operation from the menus such as Clear Staging will not work if you select them all this way, so CNTRL-A must be pulling in some other kind of ineligible object with the IPS Protections. Edit: A student pointed out that in some cases selecting the first protection, holding down the SHIFT key, then repeatedly hitting PgDn will sometimes work. Read this though for a workaround I know will do the job:

By default in most IPS Profiles, newly-downloaded ThreatCloud IPS Protections are set to Detect via “Staging Mode”. IPS Protections in Staging Mode are in a provisional mode and will not start preventing traffic until configured to do so by an administrator.
On the Configure button additional exclusions can be defined based on the level of Performance Impact and Severity of the new IPS Protections.
Note that starting in R80.20 management, the default IPS Profiles will no longer place newly updated or added IPS Protections in Staging/Detect mode by default.

The Staging IPS filter located under Queries on the Logs & Monitor tab can be used to examine logs emanating only from IPS Protections currently set in Staging/Detect mode. Make any needed adjustments to the IPS Protections in Staging mode until you are satisfied that they are all ready to be set to Prevent Mode. Go to the Security Policies...IPS Protections screen then select Activations...Staging from the Filters tab:


Select all IPS Protections displayed using the mouse and SHIFT key.
Advanced Tip: If all the IPS Protections cannot be displayed on one screen, highlight the first Protection by left-clicking it once with your mouse. Next left-click and hold on the down arrow caret (circled in the screenshot – you may need to hover your mouse pointer over it to make it visible) until you reach the bottom of the Protection list. Hold down the SHIFT key then left-click the final Protection at the bottom of the list once. All Protections in the entire list should now be selected. Note that trying to scroll down using any technique other than the down arrow caret will deselect the first Protection you highlighted.

Now select Actions...Selected Protections...Clear Staging as shown above. Staging/Detect mode has now been cleared on all selected Protections.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
It might be able to assist with the challenges:
1. Create a profile based on tags: SmartConsole R80.20 Help
2. R8X provides an API to modify the protections' action: Check Point - Management API reference
- Exceptions are also available via the API: Check Point - Management API reference
3. R80.X provides an option to export the protections into a CSV file
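The API route mentioned in the reply above, sketched as an added example that is not part of the original thread and not Check Point's own code: it picks Medium protections currently on Prevent from every vendor except an excluded few, then sends one `set-threat-protection` override per protection and publishes. The row keys, the profile name and the `inactive` action string are assumptions to check against the Management API reference for your version.

```python
import json
import ssl
import urllib.request

# Constructed sample rows standing in for a protections export; the keys
# "name", "severity", "vendor" and "action" are assumed, not real column names.
SAMPLE = [
    {"name": "Example Protection A", "severity": "Medium", "vendor": "VendorOne", "action": "Prevent"},
    {"name": "Example Protection B", "severity": "Medium", "vendor": "VendorTwo", "action": "Prevent"},
    {"name": "Example Protection C", "severity": "High", "vendor": "VendorOne", "action": "Prevent"},
    {"name": "Example Protection D", "severity": "Medium", "vendor": "VendorThree", "action": "Detect"},
    {"name": "Example Protection E", "severity": "Medium", "vendor": "VendorThree", "action": "Prevent"},
]

def select_protections(rows, severity, excluded_vendors, current_action="Prevent"):
    """Names with the given severity and action, from every vendor except the excluded ones."""
    skip = {v.lower() for v in excluded_vendors}
    return [r["name"] for r in rows
            if r["severity"] == severity and r["action"] == current_action
            and r["vendor"].lower() not in skip]

def build_requests(names, profile, action="inactive"):
    """One set-threat-protection body per protection, overriding its action in one profile."""
    return [{"name": n, "overrides": [{"profile": profile, "action": action}]} for n in names]

def api_call(server, command, payload, sid=None):
    """POST one Management API command over verified TLS and return the JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def apply_changes(server, user, password, bodies):
    """Log in, send every override, publish; discard the session if any call fails."""
    sid = api_call(server, "login", {"user": user, "password": password})["sid"]
    try:
        for body in bodies:
            api_call(server, "set-threat-protection", body, sid)
        api_call(server, "publish", {}, sid)
    except Exception:
        api_call(server, "discard", {}, sid)
        raise
    finally:
        api_call(server, "logout", {}, sid)
```

Publishing only saves the change on the management server; the policy still has to be installed on the gateways before the new actions take effect.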
Another interesting "feature" I found today... If you limit Hits column in a policy to say 1 Month and then switch back and forth Network and Applications policies, Hits column will automagically disappear in both policies.