Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tomer_Sole
Mentor
Mentor
Jump to solution

Where did all my IPS Protections go?

IPS in SmartDashboard R7x had its protections organized:

  • By type:
    • Signatures
    • Protocol anomalies
    • Application controls
    • Engine settings
  • By protocol
    • Network security
    • Application intelligence
    • Web intelligence

 

In SmartConsole R80 and R80.10, I cannot find some of these protections. Did they get deleted?

2 Solutions

Accepted Solutions
Tomer_Sole
Mentor
Mentor

None of the protections got deleted unless the IPS engine has updated some of them as obsolete over time.

One of the concepts for R80 security management and security gateway is the separation between Access Control and Threat Prevention. We realized that those are different needs, and therefore, they are split in the user interface, as well as during policy installation - see What is the roadmap for Threat Prevention Policy management? .

 

R7x term

R8x term

Icon

R80.10 gateways: Install policy of type

Explanation

Categorization by protocols

IPS Tags

 

Threat Prevention

The categorization of protections in R80 has changed. Instead of the R77 structure, every IPS protection has tags. Tags can be either for the protocol, the operating system, the application, and more. This gives a more dynamic organization structure. Also, the user can automatically disable or enable the enforcement of protections per tags - see How does R80 assist in saving time handling activation of IPS protections? 

IPS by type: signatures / protocol anomalies

Type: Threat Cloud

 

Threat Prevention

Over 7000 different protections which compose the vast majority of IPS Protections.

IPS by type: signatures / protocol anomalies

Type: Core

 

Access Control

39 "IPS Core" protections. Examples are "LDAP Injection", "Max Ping Size" and more. From technical reasons, they are still installed as part of "Access Control" even with R80.10 gateways.

IPS by type: Engine Settings

Type: Inspection Settings

 

Access Control

About 150 protections were traditionally called "IPS Protections", but in fact they are firewall behaviors. Some of them impact other access control engines. Examples are "non-compliant HTTP", "Aggressive Aging" and more.

Searching for these protections in the IPS Protections page gives you a link to open them under Inspection Settings.

Geo Protection

Geo Policy

 

Access Control

Because their behavior is to allow/block access by countries, changes will be enforced by selecting to install "Access Control" policy.

A reminder of separation by type during policy installation in R80.10:

Hope this helps

View solution in original post

Tomer_Sole
Mentor
Mentor

Bob Bent wrote:

Good info. One question: can the 39 "IPS Core" protections be seen in SmartConsole?

thx,

bob

Both of them are found at the IPS Protections page. You can differentiate by their icon and the activation options per profile. You can also filter by their type:

View solution in original post

22 Replies
Tomer_Sole
Mentor
Mentor

None of the protections got deleted unless the IPS engine has updated some of them as obsolete over time.

One of the concepts for R80 security management and security gateway is the separation between Access Control and Threat Prevention. We realized that those are different needs, and therefore, they are split in the user interface, as well as during policy installation - see What is the roadmap for Threat Prevention Policy management? .

 

R7x term

R8x term

Icon

R80.10 gateways: Install policy of type

Explanation

Categorization by protocols

IPS Tags

 

Threat Prevention

The categorization of protections in R80 has changed. Instead of the R77 structure, every IPS protection has tags. Tags can be either for the protocol, the operating system, the application, and more. This gives a more dynamic organization structure. Also, the user can automatically disable or enable the enforcement of protections per tags - see How does R80 assist in saving time handling activation of IPS protections? 

IPS by type: signatures / protocol anomalies

Type: Threat Cloud

 

Threat Prevention

Over 7000 different protections which compose the vast majority of IPS Protections.

IPS by type: signatures / protocol anomalies

Type: Core

 

Access Control

39 "IPS Core" protections. Examples are "LDAP Injection", "Max Ping Size" and more. From technical reasons, they are still installed as part of "Access Control" even with R80.10 gateways.

IPS by type: Engine Settings

Type: Inspection Settings

 

Access Control

About 150 protections were traditionally called "IPS Protections", but in fact they are firewall behaviors. Some of them impact other access control engines. Examples are "non-compliant HTTP", "Aggressive Aging" and more.

Searching for these protections in the IPS Protections page gives you a link to open them under Inspection Settings.

Geo Protection

Geo Policy

 

Access Control

Because their behavior is to allow/block access by countries, changes will be enforced by selecting to install "Access Control" policy.

A reminder of separation by type during policy installation in R80.10:

Hope this helps

DeletedUser
Not applicable

Good info. One question: can the 39 "IPS Core" protections be seen in SmartConsole?

thx,

bob

Tomer_Sole
Mentor
Mentor

Bob Bent wrote:

Good info. One question: can the 39 "IPS Core" protections be seen in SmartConsole?

thx,

bob

Both of them are found at the IPS Protections page. You can differentiate by their icon and the activation options per profile. You can also filter by their type:

Slobodan_Milidr
Explorer

Is it possible to create an exception for the ''IPS Core'' protection ?

Dor_Marcovitch
Advisor

Yes on R80.10 its under the Manage and Settings look for the IPS blade there you should have a global exception button 

Eric_Merillat
Contributor

Is it possible to create an exception for the Core Protections for specific Source/Destination Addresses like you can with the IPS protections?

 

IE - I have my scanning servers that I want to bypass the core protections for, but still leave them enabled for everything else.

0 Kudos
Timothy_Hall
Champion
Champion

Yes, if you have an R80.10+ gateway.  Go to any one of the 39 Core Protections under IPS Protections, then go to its Exceptions screen.  Add a new exception and select "Any" for the Protection Name which will include all 39 Core Protections.  Note that you'll need to create two exceptions, one with the Source of the network that you want to exclude, and a second one with a Destination of the network you want to exclude since there is no "Protected Scope" setting available.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Eric_Merillat
Contributor
Carlos_Jara
Contributor

Many thank's

Bruno_Petronio
Contributor

That's a great help Tomer !

I just have need some clarification in terms of licensing.

 

From what i see in my gw only inspection settings and Geo Policy are visible to be configured without enabling IPS Blade.

I was expecting that every policy installed on Access Control "layer" was not need to be IPS blade enabled, but it seems its not the case.

Can i assume that IPS Blade is only needed to Core Activation and Threat Cloud Protections ?

 

 

Another remark,  for the documentation guys, that could lead people to some wrong conclusions.

Document "SmartConsole R80.10 Help", under "Understanding Geo Policy", is explicit like this :


Requires a valid IPS contract and a Software Blade license for each Security Gateway that enforces Geo Protection, and for the Security Management Server.

 

Thanks in advance for your time !

 

Timothy_Hall
Champion
Champion

Correct, Inspection Settings and Geo Policy are part of the Access Control policy and do not require an IPS blade license or even for IPS to be enabled.

Core Activations are a bit more complicated because they are technically part of the Access Control policy, yet are managed from the Threat Prevention policy with a profile.  I call this "no man's land" in my IPS Immersion Course.  I'm pretty sure Core Activations will still be enforced even without IPS since any changes to Core Activations are made effective by installing the Access Control policy, not the Threat Prevention policy.

I believe the IPS blade is just for the ThreatCloud-based protections.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Bruno_Petronio
Contributor

I'm pretty sure Core Activations will still be enforced even without IPS since any changes to Core Activations are made effective by installing the Access Control policy, not the Threat Prevention policy.

Saying that, the only way we can change Core Activations settings is if we create a TP Policy even if we don't enable IPS blade.

Otherwise, i don't see a way do it since its the only way to configure them, afaik... Make sense ?

I wanted to confirm this, and i was trying to filter the different types of "protections" in my logs.... Should i filter by Blade:IPS for all the 4 types ?

 

Thanks in advance for your time !

0 Kudos
Timothy_Hall
Champion
Champion

For an R80.10+ gateway:

  • Inspection Settings are logged under "blade:firewall", but the Protection Type is IPS
  • Geo Policy is also logged under "blade:firewall", but the Protection Type is "Geo Policy"
  • Core Activations are logged under "blade:ips"
  • IPS ThreatCloud Protections are logged under "blade:ips"

Core Activations are managed with a profile, but it is not really part of the TP policy and there is only one Core Activations profile allowed per firewall, kind of like how only one IPS profile could be assigned to a gateway in R77.30 and earlier.  Core Activations have definitely been an area that has caused confusion which extends into performance optimization; as a result there is much more coverage of "IPS Basics" in the third edition of my book (including Core Activations) to provide the proper foundation to make tuning decisions.  Here are a few excerpts covering Core Activations from the third edition of Max Power 2020:

 

Click to Expand

Core Activations (39 total) exist in a kind of “no–man’s land” between ThreatCloud Protections and Inspection Settings for technical reasons. They typically enforce protocol standards via a protocol parser. Core Activations are assigned to a firewall using a separate profile, that is NOT applied to a firewall in the TP/IPS policy layers. They have the following attributes:


• Instead of the typical Inactive/Prevent/Detect options for each Core Activation, “See Details...” appears instead
• Exceptions can only be added for a single Core Activation signature at a time, and the main Threat Prevention Global & Custom Exceptions DO NOT apply
• Core Activations ship with the product and are not modified or augmented by updates from the Check Point ThreatCloud
• Under R80+ management, if configuration changes are made to existing Core Activations, they can be made active on the gateway by:


◦ R77.XX gateway: Install the Access Control Policy
◦ R80.10+ gateway: Install the Access Control Policy (NOT Threat Prevention)


• Core Activations have a “shield with firewall” icon to designate their special status and will typically have an “Advanced” screen available where the Activation can be further tuned or adjusted.

For Core Activations, in the IPS Protections window portion of the Threat Prevention policy, search for the protection “Sweep Scan”, double-click the Sweep Scan protection then select Gateways:

ips_core.png

There is one (and only one) profile for the 39 Core Protections assigned here, make a note of it; be aware that this profile name may well be different from the one(s) in your TP policy layer!

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Stefano_Cappell
Participant

Thanks, it is very useful.

One question: in the IPS gateway properties, if we select "Detect only" as Activation Mode, it applies to Threat Cloud Type only or to all IPS Type (Threat Cloud, Core and Inspection Settings)?

Thanks!

Stefano

0 Kudos
Djelo_Arnautali
Participant

How to stop port scan "attack" using the IPS Core protection Host port Scan protection? The only available action for this protection is Accept or Inactive.

0 Kudos
Tomer_Sole
Mentor
Mentor

Accept means that the core protection is activated.

Gaurav_Pandya
Advisor

Hi,

Where i can find signature by protocol type like TCP flooding, Sync defender, TCP sequence verify etc. I did not find it in R80.20 IPS console.

Timothy_Hall
Champion
Champion

Those protections are now part of the Access Control policy (not Threat Prevention) under Inspection Settings.  See this thread:

https://community.checkpoint.com/t5/Policy-Management/R80-Inspection-settings/m-p/50787

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Gaurav_Pandya
Advisor

Thanks Tim.

I found it under inspection setting.

the_rock
Legend
Legend

Hey Tomer,

 

Any idea if you can search for IPS protections by name in R80.x? I tried adding a filter, but dont see an option for that...I know in R77.x you could definitely do so 🙂

 

Andy

0 Kudos
Ben_Losinger
Participant

nice😎

0 Kudos
Rudi
Participant

👍

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events