This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jon_Dyke
Contributor
‎2017-11-23 07:29 AM

IPS best practice

I am interested in how people use IPS in R80.10.  In R77.30 we would go through the flagged list then set the relevant protections to detect for 7 days – we would then clear down the flags for the ones we do not set.  We would then review the logs to make sure there is no impact to legitimate site traffic (we have a customer facing SAAS platform) then we would set the flagged detects to protect and push policy.  We would then repeat the cycle over a two week period. 

In R80.10 I am thinking I would need to do the following to emulate this:-

  1. Set activation mode to Detect on high and medium confidence
  2. Set Activate IPS protections according to the following additional properties and select the vendors we want.
  3. Set newly update protections to activation detect in Staging
  4. Download the IPS update and push policy
  5. Review the logs filtered to staging protections after 7 days
  6. Set any that are affecting legitimate traffic to inactive (or add an exception)
  7. Set the rest to Prevent and push policy.

Repeat steps 4 -7

What do other people do? 

Thanks

Jon

5 Replies
Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2017-11-23 07:48 AM

Hi, in a few days we will publish an "IPS Best Practices in R80.10".

This document is a recommendation, of course any customer can do what he prefers. The document is in its final stages of review.

Regardless of the Check Point document, we are always interested to hear you guys' processes. 

aner_sagi
Contributor
‎2017-12-04 01:47 AM
In response to Tomer_Sole

hi tomer,

any news on this document ?

0 Kudos
Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2017-12-04 02:11 AM
In response to aner_sagi

delayed by a couple of days unfortunately.. we will update here.

in the meantime your thoughts on Jon's notes?

K__P__Kennedy
Employee Alumnus
Employee Alumnus
‎2018-01-10 07:42 AM
In response to Tomer_Sole

Any word on an update for the guide? Thanks!

Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2018-02-05 11:47 PM

Apologize for the delays, please follow this thread - https://community.checkpoint.com/message/13840-r8010-ips-best-practices-guide