Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jon_Dyke
Contributor

IPS best practice

I am interested in how people use IPS in R80.10.  In R77.30 we would go through the flagged list then set the relevant protections to detect for 7 days – we would then clear down the flags for the ones we do not set.  We would then review the logs to make sure there is no impact to legitimate site traffic (we have a customer facing SAAS platform) then we would set the flagged detects to protect and push policy.  We would then repeat the cycle over a two week period. 

In R80.10 I am thinking I would need to do the following to emulate this:-

  1. Set activation mode to Detect on high and medium confidence
  2. Set Activate IPS protections according to the following additional properties and select the vendors we want.
  3. Set newly update protections to activation detect in Staging
  4. Download the IPS update and push policy
  5. Review the logs filtered to staging protections after 7 days
  6. Set any that are affecting legitimate traffic to inactive (or add an exception)
  7. Set the rest to Prevent and push policy.

Repeat steps 4 -7

What do other people do? 

Thanks

Jon

5 Replies
Tomer_Sole
Mentor
Mentor

Hi, in a few days we will publish an "IPS Best Practices in R80.10".

This document is a recommendation, of course any customer can do what he prefers. The document is in its final stages of review.

Regardless of the Check Point document, we are always interested to hear you guys' processes. 

aner_sagi
Contributor

hi tomer,

any news on this document ?

0 Kudos
Tomer_Sole
Mentor
Mentor

delayed by a couple of days unfortunately.. we will update here.

in the meantime your thoughts on Jon's notes?

K__P__Kennedy
Employee Alumnus
Employee Alumnus

Any word on an update for the guide? Thanks!

Tomer_Sole
Mentor
Mentor

Apologize for the delays, please follow this thread - https://community.checkpoint.com/message/13840-r8010-ips-best-practices-guide 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events