Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ED
Advisor
Jump to solution

Move IPS profile rules to Threat Prevention layer

Hi,

 

The SMS was upgraded to R80.x version before the GW's and later the GW's were also upgraded to R80.x version. Before the GW's were upgraded we got two layers under Threat Prevention. I now wish to move the GW's with R80.x version to the Threat Prevention layer from the IPS layer. 

 

IPS layer: Optimized profile set to install on the selected GW. Under global exceptions: Anti-Virus and Anti-Bot blade set to inactive. Also some few exceptions. 

 

Threat Prevention layer: Optimized profile set to install on the policy targets (same GW). IPS blade set to inactive under Global exception.

 

How do I move it to the Threat Prevention layer?

Disable the rule on the IPS layer that contains the Optimzed profile. On the Threat Prevention layer disable that IPS blade is inactive. Move all the exceptions from globacl exception IPS layer over to the Threat Prevention layer. Does this sound the right way to do this?

 

 

 

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

More or less, yes.  What I would recommend is a two stage approach:

1) Note the IPS profile in use in the IPS layer rule for the particular gateway.  Delete the rule in the IPS layer.

2) In the main Threat Prevention policy layer, either edit the existing rule or create a new rule referencing that particular gateway for the IPS profile that was used in the IPS layer. Review any IPS settings/exceptions and make sure they are applied in the main TP layer.  Also consider that an R80.10 gateway can now have separate IPS profiles applied to different types of traffic unlike in R77.XX.  If you apply policy and have made a major mistake that severely impacts network traffic, keep in mind you can always execute ips off on the gateway until you figure out the fix.

Since you were using the same profile (Optimized) in both layers that move should be pretty straightforward.  Here are the notes describing the special IPS layer from my IPS Immersion class:

Click to Expand
• The IPS Threat Prevention policy layer shown above must be used to apply an IPS Profile to a R77.XX gateway. This special IPS layer and its restrictions reflects the limitations inherent in the R77.XX gateway code in regards to the IPS feature. Threat Prevention features other than IPS cannot be applied to a R77.XX gateway in this special IPS layer.

• This IPS layer will only exist if you have at least one R77.XX gateway in your configuration with IPS enabled; it will not exist on a new R80.10+ SMS with only R80.10+ gateways present. An R77.XX gateway can have only one IPS Profile assigned in a single rule.

• After upgrading a R77.30 gateway to R80.10+, the IPS Profile will still be applied to the gateway in the special IPS layer. While it can be left there indefinitely, it is strongly recommended once the gateway is upgraded to move the rule out of the special IPS layer into the main Threat Prevention policy layer. This will potentially permit use of a unified Profile for all five Threat Prevention blades, the extra granularity of the Protected Scope column, and allow different IPS Profiles to be applied to different types of traffic on the same gateway.

• Once all existing R77.XX gateways have been upgraded to R80.10+ and had their IPS Profile rules moved into the main TP policy layer, the special IPS layer will disappear.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

3 Replies
Timothy_Hall
Legend Legend
Legend

More or less, yes.  What I would recommend is a two stage approach:

1) Note the IPS profile in use in the IPS layer rule for the particular gateway.  Delete the rule in the IPS layer.

2) In the main Threat Prevention policy layer, either edit the existing rule or create a new rule referencing that particular gateway for the IPS profile that was used in the IPS layer. Review any IPS settings/exceptions and make sure they are applied in the main TP layer.  Also consider that an R80.10 gateway can now have separate IPS profiles applied to different types of traffic unlike in R77.XX.  If you apply policy and have made a major mistake that severely impacts network traffic, keep in mind you can always execute ips off on the gateway until you figure out the fix.

Since you were using the same profile (Optimized) in both layers that move should be pretty straightforward.  Here are the notes describing the special IPS layer from my IPS Immersion class:

Click to Expand
• The IPS Threat Prevention policy layer shown above must be used to apply an IPS Profile to a R77.XX gateway. This special IPS layer and its restrictions reflects the limitations inherent in the R77.XX gateway code in regards to the IPS feature. Threat Prevention features other than IPS cannot be applied to a R77.XX gateway in this special IPS layer.

• This IPS layer will only exist if you have at least one R77.XX gateway in your configuration with IPS enabled; it will not exist on a new R80.10+ SMS with only R80.10+ gateways present. An R77.XX gateway can have only one IPS Profile assigned in a single rule.

• After upgrading a R77.30 gateway to R80.10+, the IPS Profile will still be applied to the gateway in the special IPS layer. While it can be left there indefinitely, it is strongly recommended once the gateway is upgraded to move the rule out of the special IPS layer into the main Threat Prevention policy layer. This will potentially permit use of a unified Profile for all five Threat Prevention blades, the extra granularity of the Protected Scope column, and allow different IPS Profiles to be applied to different types of traffic on the same gateway.

• Once all existing R77.XX gateways have been upgraded to R80.10+ and had their IPS Profile rules moved into the main TP policy layer, the special IPS layer will disappear.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
ED
Advisor

Thanks Timothy, I was hoping you would catch this question.

Having the option to have separate IPS profiles applied to different types of traffic on R80.x gateways is interesting. Specially if you have a well segmented network. 

For instance if you have client machines on differents subnets and have a security zone (CLIENTS_ZONE) that contains all these subnets. Then you create a new IPS profile called IPS_CLIENTS_PROFILE where you choose under additional activation to activate protections that are products belonging to Microsoft and a few others. They would be activated no matter what your profile says. Is there a easy way to deactivate everything else? Then you would create a new rule under Threat Prevention layer which would have a protected scope of CLIENTS_ZONE and assign the profile IPS_CLIENTS_PROFILE. Could you then just "forget" about maintaining the IPS protections for this profile?

You could do this for other security zones too, forexample containing web servers with an another IPS profile. In the end you would end up with many IPS profiles. Would you recommend this? What is your best tips to organize IPS profiles with the new options in R80.x gateways in a segmented network where also security zones are used?

Timothy_Hall
Legend Legend
Legend

The easiest way to deactivate large numbers of signatures is by using tags in R80+ management and later.  You can explicitly activate all signatures tagged with a certain vendor or product then deactivate everything else.  I've attached a screenshot from my IPS Immersion course showing where that screen is located.  IPS activation/deactivation tags will work with R77.XX gateways as well.

In R80.20+ management/gateway you could definitely "forget" about updating a profile as the gateway can automatically download and activate Protections matching your tagged (or other) criteria.

In regards to best practices for using multiple IPS Profiles on a single gateway/cluster, I tend to look at it from a gateway performance perspective, but I'm probably a bit biased in my view.  🙂  Example:

Protected Scope: DMZ_Group      IPS Profile: Strict (or some customized clone thereof)

Protected Scope:    Sensitive_Networks_Group    IPS Profile: Optimized (or some customized clone thereof)

Protected Scope: All_Internal_Networks_Group       IPS Profile: Basic (or some very relaxed clone thereof)

Since trouble is most likely to start in a DMZ I'd want max enforcement there, even for vendors/products not in use in the network.  Needless to say picking up a bunch of attempted attacks from inside the DMZ against vendors/products you don't even have is a sure sign of compromise.  For sensitive internal networks, this traffic will tend to be high-speed LAN traffic so we'd want a medium amount of inspection.  For everything else perhaps a bit more relaxed (Basic) but still picking up anything flagrantly indicating signs of compromise.

tags.jpg

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events