Where did all my IPS Protections go?

IPS in SmartDashboard R7x had its protections organized:

  • By type:
    • Signatures
    • Protocol anomalies
    • Application controls
    • Engine settings
  • By protocol
    • Network security
    • Application intelligence
    • Web intelligence

 

In SmartConsole R80 and R80.10, I cannot find some of these protections. Did they get deleted?

Accepted Solutions
Re: Where did all my IPS Protections go?

None of the protections got deleted unless the IPS engine has updated some of them as obsolete over time.

One of the concepts for R80 security management and security gateway is the separation between Access Control and Threat Prevention. We realized that those are different needs, and therefore, they are split in the user interface, as well as during policy installation - see "What is the roadmap for Threat Prevention Policy management?".

 

| R7x term | R8x term | Icon | R80.10 gateways: Install policy of type | Explanation |
|---|---|---|---|---|
| Categorization by protocols | IPS Tags | | Threat Prevention | The categorization of protections in R80 has changed. Instead of the R77 structure, every IPS protection has tags. Tags can be for the protocol, the operating system, the application, and more. This gives a more dynamic organization structure. Also, the user can automatically disable or enable the enforcement of protections per tags - see "How does R80 assist in saving time handling activation of IPS protections?" |
| IPS by type: signatures / protocol anomalies | Type: Threat Cloud | | Threat Prevention | Over 7000 different protections which compose the vast majority of IPS Protections. |
| IPS by type: signatures / protocol anomalies | Type: Core | | Access Control | 39 "IPS Core" protections. Examples are "LDAP Injection", "Max Ping Size" and more. For technical reasons, they are still installed as part of "Access Control" even with R80.10 gateways. |
| IPS by type: Engine Settings | Type: Inspection Settings | | Access Control | About 150 protections were traditionally called "IPS Protections", but in fact they are firewall behaviors. Some of them impact other access control engines. Examples are "non-compliant HTTP", "Aggressive Aging" and more. Searching for these protections in the IPS Protections page gives you a link to open them under Inspection Settings. |
| Geo Protection | Geo Policy | | Access Control | Because their behavior is to allow/block access by countries, changes will be enforced by selecting to install "Access Control" policy. |

A reminder of separation by type during policy installation in R80.10:

Hope this helps

Re: Where did all my IPS Protections go?

Bob Bent wrote:

Good info. One question: can the 39 "IPS Core" protections be seen in SmartConsole?

thx,

bob

Both of them are found at the IPS Protections page. You can differentiate by their icon and the activation options per profile. You can also filter by their type:

Re: Where did all my IPS Protections go?

Is it possible to create an exception for the "IPS Core" protection?

Re: Where did all my IPS Protections go?

Yes, on R80.10 it's under Manage and Settings. Look for the IPS blade; there you should have a global exception button.

Carlos_Jara
Nickel

Re: Where did all my IPS Protections go?

Many thanks

Re: Where did all my IPS Protections go?

How to stop port scan "attack" using the IPS Core protection Host port Scan protection? The only available action for this protection is Accept or Inactive.

Re: Where did all my IPS Protections go?

Accept means that the core protection is activated.

Re: Where did all my IPS Protections go?

Hi,

Where can I find signatures by protocol type, like TCP flooding, Sync defender, TCP sequence verify, etc.? I did not find them in the R80.20 IPS console.

Re: Where did all my IPS Protections go?

Those protections are now part of the Access Control policy (not Threat Prevention) under Inspection Settings.  See this thread:

https://community.checkpoint.com/t5/Policy-Management/R80-Inspection-settings/m-p/50787

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Where did all my IPS Protections go?

Thanks Tim.

I found it under inspection setting.