Elias
Contributor

Sweep Scan preventing

Hello, I have a question. Currently we see sweep scan logs. We have already configured the Host Port Scan, but it appears in Detect mode. Is there a way to verify that it is actually blocking, or is it normal that the logs show it in Detect mode and not Prevent mode?

 

 

6 Replies
JoSec
Collaborator

The URL below indicates the signature will only alert to the activity but not block. You can utilize SmartEvent, which will use SAM rules to block an IP address for a configurable amount of time for IP sweeps, port scans and other detections.

https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

the_rock
Legend

Makes sense, as it does not give an option to block it from the IPS protection itself in SmartConsole.

Andy

Elias
Contributor

So what can I do to block this type of scanning?

the_rock
Legend

Maybe better to open a TAC support case to get an official answer.

Regards,

Andy

JoSec
Collaborator

If you have SmartEvent, utilizing a response for external IP sweeps to block the source IP address for a time you determine works great. I would advise that the first time you enable the feature in SmartEvent, you enable a response with an email to you, so you can see the volume and make sure you would not block legitimate sources. Using Playblocks, in portal.checkpoint.com, they have some automations for blocking that may be what you are looking for if you do not have SmartEvent. Obviously, you would need a license for SmartEvent or Playblocks.

Tal_Paz-Fridman
Employee

We are examining how to add this as a new automation to Horizon Playblocks.

It already includes automations to block attacks and scans such as:

Block common scanner identified by IPS
 
The automation blocks scanners across the organization and is triggered by scans that are detected by IPS with very high confidence. The block can be automatic, or upon admin's approval. The notification includes information on the scan and the scanner. More parameters can be set using the automation parameters such as the block duration, whether the block is automatic or upon admins' approval, and more.
 

https://www.checkpoint.com/horizon/playblocks/

 
