Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPS tags


who is managing IPS profiles based on tags? what's your experience?

what I am looking for is a documentation of the tags that check point is using to understand what makes sense.

example: there is a "product" and a "vendor" named "apache". what's the difference? today I have to go through the protections to find out ...

thanks for any helpful link 🙂



5 Replies

Hi, generally "Vendor" refers to all products that are under a specific vendor, for example, Adobe or Apache. "Product" is the specific product under that vendor, for example "Adobe Acrobat" or "Apache Web Server". The Product:Apache tag is a bug in the current version.

hope this helps

0 Kudos

So if I go into a profile and enable the "Vendor" under "Protections to Activate" my assumption was that it would re-analyze the profile and activate the protections in the profile but they still remain in "Staging" - under the "Protections to Deactivate" it seems to be following the same behavior??

The second question is that if I set it to "Product" how do I determine what product i'm applying it to as it doesn't give an option to select the specific "Vendor" "Product"???

Editing as I just re-read - am i to understand that regardless of how the profile Activate/Deactivate is set the protections will still come in as staging??  Maybe that is where I'm confused as I believe that these settings would modify the setting in the profile that was being modified.

Activate IPS protections according to the following additional properties - When selected, the categories configured on this page modify the profile’s IPS protections.

  • Protections to activate - The IPS protection categories in this section are enabled on the Security Gateways that use this Threat Prevention profile.
  • Protections to deactivate - The IPS protection categories in this section are NOT enabled on the Security Gateways that use this Threat Prevention profile.

These categories will only filter out or add protections that comply with the activation mode thresholds (Confidence, Severity, Performance).

For example, if a protection is inactive because of its Performance rating, it will not be enabled even if its category is in Protections to activate.


0 Kudos

Hi, i'm bring back this topic on light to understand how the activate/deactivate on IPS additional properties is prioritised when tag overlaps. Could someone explain how this is going to behave ?

0 Kudos
Legend Legend

You brought up a good question that I didn't know the answer to, so I checked it in my lab.

It looks like ultimately "Protections to Deactivate" in an IPS-enabled profile will take absolute priority over "Protections to Activate".  Example:

Protections to Activate: Tag Threat Year 2014

Protections to Deactivate: Tag Threat Year 2014

Result: All protections tagged with Threat Year 2014 are Inactive


Protections to Activate: Tags Vendor Wordpress & Product Wordpress

Protections to Deactivate: Tag Threat Year 2014

Result: All protections tagged with Threat Year 2014 (including those tagged with Wordpress) are Inactive

Just remember for these additional activations/deactivations to have an effect, the protection must meet the Severity/Performance Impact/Confidence criteria first.  So in other words if your IPS profile is set to only enable protections with a Performance Impact of "Medium or Lower", a tag placed under "Protections to Activate" matching an IPS protection with a Performance Impact rating of "High" will NOT forcibly enable that protection in this case.

Gateway Performance Optimization R81.20 Course
now available at

Thank Timothy, it make sense when i'm reading and didn't think to try that check on random profil. Now i have to make the cooking recipe. Thank you Cheers

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events