Tomer_Sole
Mentor

What are IPS Staging Protections? And how do we clear them?

In R80, following an IPS Update, newly downloaded protections are marked in "staging". This means that if their state according to the profile is Prevent or Detect, as long as the user doesn't clear the flag, it's marked as "Detect (staging)" with a little clock icon on top of it. Protections that should be inactive remain inactive.

The plan is that you can keep them in staging until you decide whether they should behave according to the profile's settings, or override them with a different action, for example based on traffic after policy installation.

From the IPS Protections view, you can filter protections to only show the ones that are in Staging.

staging.png

You can control this setting from the Profile Editor:

profile-staging.png

Clearing protections from Staging can be done from the IPS Protections view.

Please note that in order to change the staging counter, you have to clear a protection from staging in all IPS profiles, not just the ones that are seen on the screen. So either change the visible profiles to “all”:

show-all-profiles.png

or make sure you clear the staging status from all profiles by right-clicking the protection and selecting “restore to profile settings”.

restore-to-profile-settings.png

13 Replies
Brian_Deutmeyer
Collaborator

It appears the Clear staging option is grayed out and cannot be selected. How do I clear the staging without doing the restore to profile option?

Tomer_Sole
Mentor

I apologize for not seeing this sooner. 

I'm not sure what you mean, clearing the staging de facto restores the activation to the profile's setting... Is there something else that you wish to do there?

Vladimir
Champion

Tomer,

I do not see any protections in "Detect" or "Staging" status on any protections in the profile cloned from "Optimized", after updates are downloaded:

Even with "Additional Activation" enabled, I still expect to see the low confidence in "Detect" if not "Staging"

But there are none in those states present. When filtered by "Low Confidence", all protections are disabled.

I am also not seeing filters for "Activation Status" even when it is selected:

 

Any ideas?

Tomer_Sole
Mentor

Is the profile being used by the policy? Or is it hidden from the view since it's not in use?

Vladimir
Champion

This is the active profile used in the Policy:

Tomer_Sole
Mentor

This shouldn't happen... Please open a support ticket so that we will have an R&D team looking at the issue.

Vladimir
Champion

Opened 3-0371393181. 

If you could help facilitating its resolution, I'll be much obliged.

So far, no dice. To make things even more interesting, I've just pulled the IPS update on my second Management server in a separate infrastructure and am looking at an identical situation.

 

Unless I am exceptionally lucky, I suspect that something has changed in the way updates are behaving.

To summarize:

1. When multiple profiles, including three stock profiles, are filtered to show "low confidence" protections, only "Strict" has them in "Detect" or "Staging" modes:

2. There are no traces in the Audit Log that would indicate any changes to the behavior of the protections prior to the update that borked them:

The stock profiles were untouched and the only profile that was subjected to any kind of manipulation was the clone of the "Optimized" with TE and TX removed:

The breakdown of the "Optimized_wo-TE_TX":

Does not show anything that could cause it to behave the way it does.

Same goes for the original "Optimized" and "Basic".

The update that triggered this behavior is 635183954 on one of the management servers prepped for deployment:

And the same update caused the same issues in another POC environment:

"Switch to version" earlier than 63513954, after application of that update, does not revert protections in "Basic", "Optimized" and clone of "Optimized" to "Detect" mode.

"Profile cleanup" with "Remove all user modified" does not revert it to the normal state either.

 

Has anyone seen similar behavior before, or is seeing it now?

Thank you,

Vladimir

Tomer_Sole
Mentor

Hi,

The reason why those are in Inactive is due to the tag "Threat Prevalence:Rare". All protections with Confidence:Low are tagged with "Threat Prevalence:Rare". The 2 profiles that you mentioned have "Threat Prevalence:Rare" in the Protections To Deactivate section.

I want to thank Raz Shlomo for explaining. Let's continue discussing these questions over this thread.

Tomer_Sole
Mentor

There is something I didn't mention.

The protections that are received in the first IPS Update in every Management Domain, you know, when you jump from the initial 200 to the 9k protections, are not marked in Detect(Staging). This mechanism only works from the 2nd update and on. The purpose was to spare the need to clean the staging status from the 9k-200 protections that you download initially.

Vladimir
Champion

Thanks Tomer Sole and Raz Shlomo for expanding on the explanation of the protections' behavior.

The problem that I have with this is that there is not a single protection left with "Detect" in the "Optimized" and "Basic" after the above-mentioned update, irrespective of the confidence level.

The "Low Confidence" was selected for simplicity and because in the profile definition, it explicitly states that "Low Confidence" should be in "Detect" mode.

I understand their absence from "Detect(Staging)", but after first update, the only modes displayed are "Disabled" and "Protect".

TAC was able to verify my findings and is reaching out to R&D for information about this behavior.

Tomer_Sole
Mentor

On your second IPS Update and so on, newly downloaded protections will be in Detect(Staging) even if according to the profile they should be in Prevent.

I understand your point regarding the confusion at Low Confidence. 

Vladimir
Champion

New protections in the second and onward updates are in the Detect(Staging), but there are no protections after the first update in "Detect" only mode, regardless of the confidence level, except in the "Strict" profile.

Tomer_Sole
Mentor

Looking at your profile settings:

Things are only in Detect if:

- the protection is newly-downloaded AND the IPS Update is not the first one

- Confidence Level is Low AND not tagged with the excluded tags Threat Prevalence:Rare or Threat Prevalence:Obsolete  --> which currently means no protection since all low-confidence protections are auto-tagged with Threat Prevalence:Rare.

This is good feedback though and we will consider giving more cues in the user interface regarding "final action". 

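An added illustration, not code from this thread or from Check Point: a small Python model of the precedence Tomer lays out above (a tag in "Protections To Deactivate" wins, then the Low-confidence rule, then staging on any update after the first). The Profile/Protection fields and the sample "Optimized"/"Strict" profiles are assumptions that mirror the thread, not the product's data model.

```python
from dataclasses import dataclass, replace

# Activation states as the thread names them (assumed string labels).
INACTIVE = "Inactive"
DETECT = "Detect"
PREVENT = "Prevent"
DETECT_STAGING = "Detect (staging)"
RARE = "Threat Prevalence:Rare"


@dataclass(frozen=True)
class Protection:
    name: str
    confidence: str                  # "Low", "Medium" or "High"
    tags: frozenset = frozenset()
    newly_downloaded: bool = False   # arrived with the current IPS update
    staging_cleared: bool = False    # "Clear staging" / "Restore to profile settings" done


@dataclass(frozen=True)
class Profile:
    name: str
    deactivate_tags: frozenset       # the "Protections To Deactivate" section
    low_confidence_action: str = DETECT
    default_action: str = PREVENT


def auto_tag(prot: Protection) -> Protection:
    """Every Low-confidence protection is auto-tagged Threat Prevalence:Rare (per the thread)."""
    if prot.confidence == "Low":
        return replace(prot, tags=prot.tags | {RARE})
    return prot


def profile_action(profile: Profile, prot: Protection) -> str:
    """Action the profile assigns on its own; deactivation tags win over confidence."""
    if prot.tags & profile.deactivate_tags:
        return INACTIVE
    if prot.confidence == "Low":
        return profile.low_confidence_action
    return profile.default_action


def final_action(profile: Profile, prot: Protection, first_update: bool) -> str:
    """What the IPS Protections view shows once staging is applied on top of the profile."""
    base = profile_action(profile, prot)
    if base == INACTIVE:
        return INACTIVE  # inactive protections never enter staging
    if prot.newly_downloaded and not first_update and not prot.staging_cleared:
        return DETECT_STAGING  # overrides Prevent as well as Detect until cleared
    return base
```

With a profile that deactivates Threat Prevalence:Rare, the Low-confidence rule never fires, which is why a first update leaves only Inactive and Prevent on screen.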
