Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPS best practice

I am interested in how people use IPS in R80.10.  In R77.30 we would go through the flagged list then set the relevant protections to detect for 7 days – we would then clear down the flags for the ones we do not set.  We would then review the logs to make sure there is no impact to legitimate site traffic (we have a customer facing SAAS platform) then we would set the flagged detects to protect and push policy.  We would then repeat the cycle over a two week period. 

In R80.10 I am thinking I would need to do the following to emulate this:-

  1. Set activation mode to Detect on high and medium confidence
  2. Set Activate IPS protections according to the following additional properties and select the vendors we want.
  3. Set newly update protections to activation detect in Staging
  4. Download the IPS update and push policy
  5. Review the logs filtered to staging protections after 7 days
  6. Set any that are affecting legitimate traffic to inactive (or add an exception)
  7. Set the rest to Prevent and push policy.

Repeat steps 4 -7

What do other people do? 



5 Replies
Employee Alumnus
Employee Alumnus

Hi, in a few days we will publish an "IPS Best Practices in R80.10".

This document is a recommendation, of course any customer can do what he prefers. The document is in its final stages of review.

Regardless of the Check Point document, we are always interested to hear you guys' processes. 


hi tomer,

any news on this document ?

0 Kudos
Employee Alumnus
Employee Alumnus

delayed by a couple of days unfortunately.. we will update here.

in the meantime your thoughts on Jon's notes?

Employee Alumnus
Employee Alumnus

Any word on an update for the guide? Thanks!

Employee Alumnus
Employee Alumnus

Apologize for the delays, please follow this thread - 


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events