Hi,
Who is managing IPS profiles based on tags? What's your experience?
What I am looking for is documentation of the tags that Check Point is using, to understand what makes sense.
Example: there is a "product" and a "vendor" named "apache". What's the difference? Today I have to go through the protections to find out ...
Thanks for any helpful link 🙂
br
reinhard
Hi, generally "Vendor" refers to all products that are under a specific vendor, for example, Adobe or Apache. "Product" is the specific product under that vendor, for example "Adobe Acrobat" or "Apache Web Server". The Product:Apache tag is a bug in the current version.
Hope this helps.
So if I go into a profile and enable the "Vendor" under "Protections to Activate", my assumption was that it would re-analyze the profile and activate the protections in the profile, but they still remain in "Staging" - under "Protections to Deactivate" it seems to be following the same behavior?
The second question is: if I set it to "Product", how do I determine what product I'm applying it to, as it doesn't give an option to select the specific "Vendor" "Product"?
Editing as I just re-read - am I to understand that regardless of how the profile Activate/Deactivate is set, the protections will still come in as staging? Maybe that is where I'm confused, as I believe that these settings would modify the setting in the profile that was being modified.
Activate IPS protections according to the following additional properties - When selected, the categories configured on this page modify the profile’s IPS protections.
These categories will only filter out or add protections that comply with the activation mode thresholds (Confidence, Severity, Performance).
For example, if a protection is inactive because of its Performance rating, it will not be enabled even if its category is in Protections to activate.
--Juan
Hi, I'm bringing this topic back to light to understand how activate/deactivate in the IPS additional properties is prioritised when tags overlap. Could someone explain how this is going to behave?
You brought up a good question that I didn't know the answer to, so I checked it in my lab.
It looks like ultimately "Protections to Deactivate" in an IPS-enabled profile will take absolute priority over "Protections to Activate". Example:
Protections to Activate: Tag Threat Year 2014
Protections to Deactivate: Tag Threat Year 2014
Result: All protections tagged with Threat Year 2014 are Inactive
---------
Protections to Activate: Tags Vendor Wordpress & Product Wordpress
Protections to Deactivate: Tag Threat Year 2014
Result: All protections tagged with Threat Year 2014 (including those tagged with Wordpress) are Inactive
Just remember for these additional activations/deactivations to have an effect, the protection must meet the Severity/Performance Impact/Confidence criteria first. So in other words if your IPS profile is set to only enable protections with a Performance Impact of "Medium or Lower", a tag placed under "Protections to Activate" matching an IPS protection with a Performance Impact rating of "High" will NOT forcibly enable that protection in this case.
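The precedence reported in the lab test above, written out as a small model for auditing a planned tag layout before applying it. This is an added example, not part of the original post and not Check Point code: the class and function names, the three-level Performance Impact scale, the "unchanged" result for protections that match no tag, and the sample protections are all assumptions made for illustration.

```python
# Added model of the precedence reported in the lab test; not Check Point code.
from dataclasses import dataclass, field

# Simplified Performance Impact scale (assumption for this example).
PERF_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Protection:
    name: str
    performance_impact: str
    tags: set = field(default_factory=set)

@dataclass
class Profile:
    max_performance_impact: str
    activate_tags: set = field(default_factory=set)
    deactivate_tags: set = field(default_factory=set)

def resolve(p, profile):
    """Return (state, reason) for one protection under one profile."""
    # 1. Threshold gate: a tag cannot force-enable a protection that fails it.
    if PERF_RANK[p.performance_impact] > PERF_RANK[profile.max_performance_impact]:
        return ("inactive", "threshold")
    # 2. A "Protections to Deactivate" match overrides any activate match.
    if p.tags & profile.deactivate_tags:
        return ("inactive", "deactivate-tag")
    if p.tags & profile.activate_tags:
        return ("active", "activate-tag")
    # 3. No tag match: the tag lists do not decide (left to the base policy).
    return ("unchanged", "no-tag-match")

def conflicts(protections, profile):
    """Names matched by both lists: the overlaps worth reviewing."""
    return sorted(p.name for p in protections
                  if p.tags & profile.activate_tags and p.tags & profile.deactivate_tags)

# Constructed sample protections; tag names follow the thread's examples.
SAMPLE = [
    Protection("wp-2014", "low", {"Vendor Wordpress", "Product Wordpress", "Threat Year 2014"}),
    Protection("wp-2016", "medium", {"Vendor Wordpress", "Product Wordpress"}),
    Protection("wp-heavy", "high", {"Vendor Wordpress"}),
    Protection("other-2014", "low", {"Threat Year 2014"}),
]
PROFILE = Profile("medium", {"Vendor Wordpress", "Product Wordpress"}, {"Threat Year 2014"})

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.name, resolve(p, PROFILE))
    print("overlapping:", conflicts(SAMPLE, PROFILE))
```

Severity and Confidence thresholds would gate in the same first step as Performance Impact; only one threshold is modelled here to keep the example short.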
Thanks Timothy, it makes sense when I'm reading it, and I didn't think to try that check on a random profile. Now I have to make the cooking recipe. Thank you. Cheers