Timothy_Hall
Champion

IPS vs. Anti-virus/Anti-bot Log Suppression

So Threat Prevention suppresses logs of substantially similar attacks that are run over and over to avoid overwhelming the logs.  For the IPS blade logs the suppression interval is 2 minutes as specified here:

sk108423: IPS generates Alerts instead of Logs

However the SK below states that the suppression interval for all Threat Prevention logs (which I'm assuming is including IPS) is 600 minutes (10 hours):

sk115876: Some fields are missing from IPS or Threat Prevention logs

So which is it?  My guess is that the 2 minute suppression period for IPS was true for R77.30 and earlier, but when IPS was rolled up into the rest of Threat Prevention in R80.10 it inherited the 10 hour suppression period?  I suppose I could set this up in my lab and try it but I thought it would be faster just to ask.

Because this will probably have to be answered by R&D, paging @PhoneBoy 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
3 Replies
PhoneBoy
Admin

Your answer is at the bottom of sk108423:

R80.x IPS is part of Threat Prevention policy and is using the Threat Prevention log suppression, disregarding asm_excsv_log_flags. 
However, it still exists and is used in a few low-level packet-sanity static protections.

Which means it should, for the most part, follow the Threat Prevention settings.
You can disable/modify the suppression as described in sk115876.

Timothy_Hall
Champion

Right I saw that but when they say "low level packet sanity static protections" in the SK are they talking about the Inspection Settings in the Access Control policy that used to be a part of IPS in R77.30? 

So in other words do the Inspection Settings use the old IPS 2-minute suppression, all other TP blades use the 10-hour suppression, and the logs for the oddball 39 Core Activations/Protections are never suppressed?

PhoneBoy
Admin

That all sounds correct to me.
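To make the operational consequence of the two intervals concrete, here is an added example (not code from the thread, the SKs, or Check Point) that models suppression the way the thread describes it: one log per substantially similar event per suppression window. The keying on (source, destination, protection name), the sample timestamps, and the IP addresses are constructed assumptions for illustration; the gateway's actual similarity key is not stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Suppression intervals as stated in the thread (sk108423 and sk115876).
LEGACY_IPS_SUPPRESSION = timedelta(minutes=2)
THREAT_PREVENTION_SUPPRESSION = timedelta(minutes=600)  # 10 hours


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    protection: str


class Suppressor:
    """Emit a log for an event only if no substantially similar event was
    logged within the suppression interval.  The similarity key below
    (src, dst, protection) is an assumption made for this example."""

    def __init__(self, interval: timedelta):
        self.interval = interval
        self._last_logged: dict[tuple[str, str, str], datetime] = {}

    def offer(self, event: Event) -> bool:
        key = (event.src, event.dst, event.protection)
        last = self._last_logged.get(key)
        if last is not None and event.ts - last < self.interval:
            return False          # suppressed: similar event already logged
        self._last_logged[key] = event.ts
        return True               # logged


def simulate(events: list[Event], interval: timedelta) -> list[Event]:
    """Return the subset of events that would actually reach the log."""
    s = Suppressor(interval)
    return [e for e in sorted(events, key=lambda e: e.ts) if s.offer(e)]


def constructed_events() -> list[Event]:
    """Constructed sample: one host triggers the same protection every 30 s
    for 30 minutes (61 hits), and a second host triggers it once."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    evs = [Event(t0 + timedelta(seconds=30 * i), "10.1.1.5", "192.0.2.10",
                 "Example Protection") for i in range(61)]
    evs.append(Event(t0 + timedelta(minutes=5), "10.1.1.6", "192.0.2.10",
                     "Example Protection"))
    return evs


def logged_count(interval: timedelta) -> int:
    return len(simulate(constructed_events(), interval))


if __name__ == "__main__":
    total = len(constructed_events())
    for name, iv in (("legacy IPS 2 min", LEGACY_IPS_SUPPRESSION),
                     ("Threat Prevention 600 min", THREAT_PREVENTION_SUPPRESSION)):
        print(f"{name}: {total} events -> {logged_count(iv)} log entries")
```

The point for anyone consuming these logs in a SIEM: under the 10-hour window the 62 constructed hits collapse to two log entries, one per source host, so counting Threat Prevention log lines is not a measure of attack volume. Under the 2-minute window the same traffic produces 17 entries. Whichever interval applies to a given protection, alerting logic should key on first occurrence rather than on repeat counts.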
