Reinhard_Stich1
Explorer

IPS tags

Hi,

Who is managing IPS profiles based on tags? What's your experience?

What I am looking for is documentation of the tags that Check Point is using, to understand what makes sense.

Example: there is a "product" and a "vendor" named "apache". What's the difference? Today I have to go through the protections to find out ...

Thanks for any helpful link 🙂

br

reinhard

5 Replies
Tomer_Sole
Employee Alumnus

Hi, generally "Vendor" refers to all products that are under a specific vendor, for example, Adobe or Apache. "Product" is the specific product under that vendor, for example "Adobe Acrobat" or "Apache Web Server". The Product:Apache tag is a bug in the current version.

Hope this helps.

0 Kudos
Juan_Concepcion
Advisor

So if I go into a profile and enable the "Vendor" under "Protections to Activate", my assumption was that it would re-analyze the profile and activate the protections in the profile, but they still remain in "Staging". Under "Protections to Deactivate" it seems to be following the same behavior?

The second question is that if I set it to "Product", how do I determine what product I'm applying it to, as it doesn't give an option to select the specific "Vendor" "Product"?

Editing as I just re-read: am I to understand that regardless of how the profile Activate/Deactivate is set, the protections will still come in as Staging? Maybe that is where I'm confused, as I believed that these settings would modify the setting in the profile that was being modified.

Activate IPS protections according to the following additional properties - When selected, the categories configured on this page modify the profile’s IPS protections.

  • Protections to activate - The IPS protection categories in this section are enabled on the Security Gateways that use this Threat Prevention profile.
  • Protections to deactivate - The IPS protection categories in this section are NOT enabled on the Security Gateways that use this Threat Prevention profile.

These categories will only filter out or add protections that comply with the activation mode thresholds (Confidence, Severity, Performance).

For example, if a protection is inactive because of its Performance rating, it will not be enabled even if its category is in Protections to activate.

--Juan

0 Kudos
Djo
Participant

Hi, I'm bringing this topic back to light to understand how Activate/Deactivate in the IPS additional properties is prioritised when tags overlap. Could someone explain how this is going to behave?

0 Kudos
Timothy_Hall
Champion

You brought up a good question that I didn't know the answer to, so I checked it in my lab.

It looks like ultimately "Protections to Deactivate" in an IPS-enabled profile will take absolute priority over "Protections to Activate". Example:

Protections to Activate: Tag Threat Year 2014

Protections to Deactivate: Tag Threat Year 2014

Result: All protections tagged with Threat Year 2014 are Inactive

---------

Protections to Activate: Tags Vendor Wordpress & Product Wordpress

Protections to Deactivate: Tag Threat Year 2014

Result: All protections tagged with Threat Year 2014 (including those tagged with Wordpress) are Inactive

Just remember for these additional activations/deactivations to have an effect, the protection must meet the Severity/Performance Impact/Confidence criteria first.  So in other words if your IPS profile is set to only enable protections with a Performance Impact of "Medium or Lower", a tag placed under "Protections to Activate" matching an IPS protection with a Performance Impact rating of "High" will NOT forcibly enable that protection in this case.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
(1)
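To make the precedence described in the post above concrete, here is an added Python model of the three rules in the order they apply: activation-mode thresholds first, then "Protections to Deactivate", then "Protections to Activate". It is example code written for this thread, not Check Point code or any poster's own tooling; the "Category:Value" tag strings, the ordering of the rating scale and the field names are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Ordinal scale for Severity / Confidence / Performance Impact ratings.
# The ordering is an assumption for this model, not a Check Point definition.
LEVELS = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Protection:
    name: str
    tags: frozenset          # constructed "Category:Value" strings, e.g. "Threat Year:2014"
    severity: str
    confidence: str
    performance_impact: str


@dataclass
class Profile:
    min_severity: str                # activation-mode thresholds of the profile
    min_confidence: str
    max_performance_impact: str
    activate_tags: set = field(default_factory=set)     # "Protections to Activate"
    deactivate_tags: set = field(default_factory=set)   # "Protections to Deactivate"


def meets_thresholds(prot: Protection, prof: Profile) -> bool:
    """Rule 1: the protection must pass the profile's activation-mode thresholds."""
    return (LEVELS[prot.severity] >= LEVELS[prof.min_severity]
            and LEVELS[prot.confidence] >= LEVELS[prof.min_confidence]
            and LEVELS[prot.performance_impact] <= LEVELS[prof.max_performance_impact])


def resolve(prot: Protection, prof: Profile) -> str:
    """State the tag rules produce for one protection.

    'Inactive'  - below threshold, or matched by a Deactivate tag (Deactivate wins outright)
    'Active'    - above threshold, matched by an Activate tag, no Deactivate match
    'Unchanged' - no tag applies; the profile's own activation mode decides (not modelled)
    """
    if not meets_thresholds(prot, prof):
        return "Inactive"            # an Activate tag cannot override the thresholds
    if prot.tags & prof.deactivate_tags:
        return "Inactive"            # Rule 2: Deactivate beats Activate when both match
    if prot.tags & prof.activate_tags:
        return "Active"              # Rule 3: Activate applies only if nothing above fired
    return "Unchanged"


def audit(protections, prof: Profile) -> dict:
    """Map each protection name to its resolved state, to compare against the SmartConsole view."""
    return {p.name: resolve(p, prof) for p in protections}
```

Running `audit` over an export of a profile's protections with their tags and ratings gives a quick way to verify that what the GUI shows matches the precedence observed in the lab.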
Djo
Participant

Thanks Timothy, it makes sense when I'm reading it; I didn't think to try that check on a random profile. Now I have to make the cooking recipe. Thank you, cheers.

0 Kudos