Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPS Protections in Detect (Staging)

With R80.10, the new default profile "Optimized" sets all newly downloaded IPS protections to be in state "detect (staging)" or "inactive".

1. We start with the general page. It has settings in which a protection should be in detect, prevent, or inactive.



2. Then, in the "updates" page, we see that newly downloaded protections are automatically set to "Detect". This means that:

  1. If a newly downloaded protection was supposed to be in "prevent", it will be set as "detect (staging)".
  2. If a newly downloaded protection was supposed to be in "detect", it will be set as "detect (staging)".
  3. If a newly downloaded protection was supposed to be in "inactive", it will remain inactive.


3. Sometimes an IPS update issues an update to an existing protection. In this case, the updated protection is back to "newly downloaded protection" state, which leaves it as either in "detect (staging)" or "inactive".


It is important to remember these things, because it requires you to manage your staging protections - otherwise they will not be in Prevent mode.


You can do that either from:

1. IPS Protections page with the filter for "Staging" status


2. Logs that appear in the query page for "IPS --> Staging"




You can also automate some of this work:

1. Apply additional configuration which excludes some protections from the "Detect (Staging)" status, leaving them with Prevent or Detect or Inactive.



2. Automatically change protections to Inactive based on tags.



3. Using the show threat-protections and set threat-protection API commands, you can create an automatic reaction which automatically changes the action from "Detect (Staging)" to "Prevent" or "Inactive" based on custom decision factors.


set threat-protection name "Aggressive Aging" overrides.remove.1 "New profile 1" overrides.remove.2 "New Profile 2"

6 Replies


Thank you for this write-up.

Can you tell me if there is a way to trigger automatic notification if existing protection is updated and has reverted to staging mode?

You could go over all protections that have an override for a profile with Detect (Staging) and see if their release date != update date as well as update date is somewhat recent, then it's probably in detect (staging) due to being updated recently.

0 Kudos


I am trying to figure out the way to avoid doing it manually or, at the very least, to be notified about the changes of state of updated protections.

The method you are describing is less than convenient and is not necessarily conclusive.

In particular, in SMB scenarios, where CP administration is only a part of the IT admin duties, people tend to configure protections and not looking at them daily.

Being able to discern if any of those changed state, without combing through all, would be beneficial.


0 Kudos

You could subscribe to receive IPS News email. The newsletter informs you of new protections and updated protections separately. Not ideal, but it helps me.

0 Kudos

Good Information of R80.10

0 Kudos

Based on sk142432 I wanted to add R80.20 now changes new and out of the box profiles to disable staging and instead set protections "According to profile settings". This sk also suggests making this change for R80.10 profiles as well.


What I wouldn't mind knowing from anyone is whether this is suggested on SMB gateway's IPS Profiles or not.

0 Kudos