This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Elias
Contributor
‎2023-11-16 10:23 AM
Jump to solution

Sweep Scan preventing

Hello, I have a question, currently we se sweep scan logs, we have  already configured the Host port Scan but it appears in Detect mode, it there a way to verify that it is actually blocking or is it normal that the logs show it in Detect mode and not Prevent mode ?

 

 

Preview file
21 KB
0 Kudos
2 Solutions

Accepted Solutions
JoSec
Collaborator
‎2023-11-22 07:14 AM
In response to Elias
Jump to solution

If you have Smartevent, utilizing a response for external IP Sweeps to block the source IP address for a time you determine works great.  I would advise the first time you do enable the feature in Smartevent, enable a response with an email to you so you can see the volume and make sure you would not block legitimate sources.  Using Playblocks, in the portal.checkpoint.com, they have some automations for blocking that maybe what you are looking for if you do not have Smartevent. Obviously, you would need a license for Smartevent or Playblocks.

View solution in original post

0 Kudos
(1)
Tal_Paz-Fridman
Employee
Employee
‎2023-11-22 01:00 PM
Jump to solution

We are examining how to add this as a new automation to Horizon Playblocks.

It already includes automations to block attacks and scans such as:

Block common scanner identified by IPS
 
The automation blocks scanners across the organization and is triggered by scans that are detected by IPS with very high confidence. The block can be automatic, or upon admin's approval. The notification includes information on the scan and the scanner. More parameters can be set using the automation parameters such as the block duration, whether the block is automatic or upon admins' approval, and more.
 

https://www.checkpoint.com/horizon/playblocks/

 

View solution in original post

0 Kudos
(1)
6 Replies
JoSec
Collaborator
‎2023-11-16 12:05 PM
Jump to solution

The URL below, indicates the signature will only alert to the activity but not block. You can utilize Smartevent which will use SAM rules to block an IP address for configurable amount of time for IP Sweeps, port scans and other detections. 

https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

the_rock
Legend
Legend
‎2023-11-16 12:48 PM
In response to JoSec
Jump to solution

Makes sense, as it does not give option to block it from IPS protection itself in smart console.

Andy

0 Kudos
Elias
Contributor
‎2023-11-22 06:59 AM
In response to JoSec
Jump to solution

So what can I do to block this type of scanning ?? 

 

0 Kudos
the_rock
Legend
Legend
‎2023-11-22 07:03 AM
In response to Elias
Jump to solution

Maybe better to open TAC support case to get an official answer.

Regards,

Andy

0 Kudos
JoSec
Collaborator
‎2023-11-22 07:14 AM
In response to Elias
Jump to solution

If you have Smartevent, utilizing a response for external IP Sweeps to block the source IP address for a time you determine works great.  I would advise the first time you do enable the feature in Smartevent, enable a response with an email to you so you can see the volume and make sure you would not block legitimate sources.  Using Playblocks, in the portal.checkpoint.com, they have some automations for blocking that maybe what you are looking for if you do not have Smartevent. Obviously, you would need a license for Smartevent or Playblocks.

0 Kudos
(1)
Tal_Paz-Fridman
Employee
Employee
‎2023-11-22 01:00 PM
Jump to solution

We are examining how to add this as a new automation to Horizon Playblocks.

It already includes automations to block attacks and scans such as:

Block common scanner identified by IPS
 
The automation blocks scanners across the organization and is triggered by scans that are detected by IPS with very high confidence. The block can be automatic, or upon admin's approval. The notification includes information on the scan and the scanner. More parameters can be set using the automation parameters such as the block duration, whether the block is automatic or upon admins' approval, and more.
 

https://www.checkpoint.com/horizon/playblocks/

 

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events