Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor

IPS best practice

I am interested in how people use IPS in R80.10.  In R77.30 we would go through the flagged list then set the relevant protections to detect for 7 days – we would then clear down the flags for the ones we do not set.  We would then review the logs to make sure there is no impact to legitimate site traffic (we have a customer facing SAAS platform) then we would set the flagged detects to protect and push policy.  We would then repeat the cycle over a two week period. 

In R80.10 I am thinking I would need to do the following to emulate this:-

  1. Set activation mode to Detect on high and medium confidence
  2. Set Activate IPS protections according to the following additional properties and select the vendors we want.
  3. Set newly update protections to activation detect in Staging
  4. Download the IPS update and push policy
  5. Review the logs filtered to staging protections after 7 days
  6. Set any that are affecting legitimate traffic to inactive (or add an exception)
  7. Set the rest to Prevent and push policy.

Repeat steps 4 -7

What do other people do? 

Thanks

Jon

Tags (1)
5 Replies
Highlighted

Hi, in a few days we will publish an "IPS Best Practices in R80.10".

This document is a recommendation, of course any customer can do what he prefers. The document is in its final stages of review.

Regardless of the Check Point document, we are always interested to hear you guys' processes. 

Highlighted
Contributor

hi tomer,

any news on this document ?

0 Kudos
Highlighted

delayed by a couple of days unfortunately.. we will update here.

in the meantime your thoughts on Jon's notes?

Highlighted
Employee
Employee

Any word on an update for the guide? Thanks!

Highlighted

Apologize for the delays, please follow this thread - https://community.checkpoint.com/message/13840-r8010-ips-best-practices-guide