Matlu
Advisor

Blades AntiBot and AntiVirus.

Hello,

Is it "necessary and mandatory" that the "Activation Mode" option in the global properties of my Cluster object, is set to "According to Policy", so that the explicit rules that are configured in the "Threat Prevention" section, have effect?

TP1.png

If the "Activation Mode" is set to "Detect Mode", the Firewall/Cluster ignores the explicit policies that are configured?

Thanks for your comments.

0 Kudos
17 Replies
Chris_Atkinson
Employee

If you want traffic to be 'Prevented', "According to policy" is the correct choice.

According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Virus Software Blade and use the Anti-Virus settings of the Threat Prevention profile in the Threat Prevention policy.

Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

Hello,

I have a legacy architecture, and I found the "Activation Mode" option in my Cluster object set to "Detect only" mode. At the same time, I have explicit rules configured in Threat Prevention, but I see that the Cluster is not "obeying" the explicit rules that are configured in PREVENT mode; it is allowing the traffic, since the logs show the action "DETECT".

I get the impression that the Activation Mode has priority over the explicit rules.

Is this correct?

0 Kudos
the_rock
Legend

Hey bro,

Detect only means exactly what it says: it will simply detect and not block or prevent. Personally, I always recommend to customers when they are doing a PoC or have just installed CP to leave this for a week or two, just to make sure it's working as expected. Once the environment is fully live, then switch to "According to policy". The default TP profile is Optimized anyway, so that's essentially what you get "out of the box", but you can customize it any way you want.

You get literally the same thing with Fortinet or Palo Alto.

Andy

0 Kudos
Matlu
Advisor

Buddy

I understand your explanation, but what I want to confirm is this:
As my Cluster is now, with the configuration "Activation Mode -> Detect Only", even if we create several explicit rules in Threat Prevention, these are not going to "work" correctly until I change the "Activation Mode" to "According to Policy", right?

Thanks.

0 Kudos
Chris_Atkinson
Employee

Help me to understand your confusion: what type of policy have you configured that you are expecting to perform differently than described above?

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

I have a certain type of traffic that is being "allowed" and really, it shouldn't be allowed.

So here comes my confusion, since the log indicates that it is MATCHING my explicit rule in Threat Prevention.

TP3.png TP2.png

Or maybe I'm misunderstanding the flow?

0 Kudos
the_rock
Legend

Buddy, look at the log. It clearly shows it's in DETECT state, which totally makes sense, since in the gateway properties you also have it set to the same, so in reality EVERY threat prevention log you see will have literally the same action.

Andy

0 Kudos
Matlu
Advisor

Sure, it makes sense, but in this traffic, for example, the "Confidence Level" is "High" and according to the Profile of my policy the action is "PREVENT", but still the traffic is "allowed" ...

So, I understand that this is because of "how" the GW is currently configured in its global properties, right?

0 Kudos
the_rock
Legend

EXACTLY! 🙂

So it makes no difference if the action is drop, prevent, discard, throw away (just making that up lol), but you get the idea... so regardless of the action value, as long as the gateway properties option says detect, that's all that matters.

Makes sense?

Andy

0 Kudos
the_rock
Legend

Btw, on a slightly unrelated note, did that email I sent you for the Azure VPN config help? 🙂

Andy

0 Kudos
RamGuy239
Advisor

The settings on the gateway will take precedence over what you define in the Threat Prevention Policy. This is the point of having this option in the first place. By overriding the gateway object with "Detect only", you are overriding the policy. You are telling this specific gateway that regardless of what is being defined in the Threat Prevention Policy, always run Anti-Bot and Anti-Virus in Detect mode. You can do the same with the IPS blade under IPS settings on the gateway.

You would typically share Threat Prevention Policies across multiple gateways. In case of issues, these options exist on a per-gateway level to provide an easy way for you to force specific gateways to run various blades in detect only, without having to fiddle with the Threat Prevention Policy that might be in use in multiple places where you don't want to enforce detect only.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
Matlu
Advisor

Hello,

Your explanation was very clear.

However, I have some confusion.

If the priority is the global way the "Activation Mode" is configured in the object of my ClusterXL, why, in the following records that I share (attached), is it "blocking" the traffic to the domains (Prevent) by the "AntiVirus" blade?

This traffic to the destinations in the attached file "should" supposedly be allowed according to how the ClusterXL object is globally configured; however, I understand that for this traffic it is being blocked, with the explicit "Threat Prevention" rule having more "priority".

Greetings.

0 Kudos
the_rock
Legend

Bro, there are different tabs for those things for AV/AB and IPS, as you can also see from the fw object.

Cheers,

Andy

0 Kudos
Chris_Atkinson
Employee

Note in the description field of the log: "generated by custom intelligence feed"

With the Activation mode set as it is, do you see these entries only aligned to observables / IOC feeds added manually?


CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee

I don't want to distract from the core issue but there are several factors that could apply for the example given:

1. Gateway activation mode (primary cause)

2. Active Protections 'Performance Impact' rating (set too low)

3. DNS traffic (background by default)


CCSM R77/R80/ELITE
0 Kudos
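RamGuy239's explanation (the gateway's Activation Mode overrides the policy action) and Chris's list of factors suggest a simple audit: scan Threat Prevention logs for events whose profile action is Prevent but whose logged action is Detect, and group them per gateway. This is an added example, not Check Point's code or log format; the log lines and field names (gw, blade, rule, profile_action, action, description) are constructed in a simplified key=value form for illustration.

```python
"""Audit Threat Prevention logs for the symptom discussed in the thread:
a rule/profile whose action is Prevent, but the log shows Detect because
the gateway's Activation Mode (AV/AB tab) is set to 'Detect only'."""
import re
from collections import defaultdict

# Constructed sample log lines (simplified key=value form; not real CP output).
SAMPLE_LOGS = """\
time=2024-05-01T10:00:01 gw=ClusterXL-A blade=Anti-Bot rule=TP-Explicit-1 profile_action=Prevent action=Detect confidence=High
time=2024-05-01T10:00:05 gw=ClusterXL-A blade=Anti-Virus rule=TP-Explicit-1 profile_action=Prevent action=Prevent confidence=High description="generated by custom intelligence feed"
time=2024-05-01T10:00:09 gw=ClusterXL-A blade=Anti-Virus rule=TP-Explicit-1 profile_action=Prevent action=Detect confidence=High
time=2024-05-01T10:00:12 gw=GW-B blade=Anti-Bot rule=TP-Explicit-1 profile_action=Prevent action=Prevent confidence=High
time=2024-05-01T10:00:20 gw=GW-B blade=Anti-Virus rule=TP-Explicit-2 profile_action=Detect action=Detect confidence=Low
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_downgrades(log_text):
    """Return events where the profile said Prevent but the gateway only detected."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events
            if e.get("profile_action") == "Prevent" and e.get("action") == "Detect"]


def summarize(log_text):
    """Per gateway: count of Prevent->Detect downgrades and of entries that
    still prevented while citing a custom feed (the anomaly Chris asked about)."""
    summary = defaultdict(lambda: {"downgraded": 0, "feed_prevents": 0})
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if e.get("profile_action") == "Prevent" and e.get("action") == "Detect":
            summary[e["gw"]]["downgraded"] += 1
        if e.get("action") == "Prevent" and "intelligence feed" in e.get("description", ""):
            summary[e["gw"]]["feed_prevents"] += 1
    return dict(summary)


def gateways_to_check(log_text):
    """Gateways whose AV/AB Activation Mode should be verified ('According to policy')."""
    return sorted(gw for gw, s in summarize(log_text).items() if s["downgraded"] > 0)
```

A downgrade count above zero points at the gateway object's AV/AB tab rather than at the rulebase, which is exactly the precedence RamGuy239 describes.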
the_rock
Legend

Correct.

0 Kudos
the_rock
Legend

As Chris asked, buddy, can you help us understand exactly what the ultimate goal here is? Essentially, if you wish a certain threat prevention policy to take effect, just make sure the right profile is selected and then choose the option "according to policy" under the AV/AB tab.

Makes sense?

Andy

0 Kudos