This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
saitoh
Collaborator
a month ago
Jump to solution

FW blade drops a suspicious packet like IPS blade?

Hi all,

 

I heard FW blade played the role which IPS blade used to do, like dropping non-RFC compliant packet or something.

My experience of CP is so short that I am wondering where I can confirm what else kind/type of packet is subject to rejection.

 

AI assistant of CheckPoint says I can find it on Manage&Settings > Blade > General > InspectionSettings, but

also states InspectionSettings includes 'most' of those type of packets, not all.

 

He or she added this behaviour of FW blade had been implemented since R80.20.

However R80.10 smartconsole has InspectionSettings on the same page, which I was not expected.

 

I have a quite confusing idea now ;(

It would be lovely if you share your knowledge on this.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
a month ago
In response to saitoh
Jump to solution

FW can drop packets for one of those reasons:

  1. Anti-spoofing violation
  2. Packet is out of state
  3. Policy drop rule
  4. Threat prevention policy decision

View solution in original post

(1)
9 Replies
Chris_Atkinson
Employee Employee
Employee
a month ago
Jump to solution

Inspection Settings & Core Protections fall into this category, not to worry IPS still very much exists.

Both those versions are quite old how do they compare/relate to your actual installation?

 

CCSM R77/R80/ELITE
(1)
the_rock
Legend
Legend
a month ago
Jump to solution

Hey @saitoh 

Greetings to a colleague in Japan! First, wanted to say, I always found Japanese culture to be the BEST and even that is an understatement.

K, had to say that, because it is true. Now, as far as the issue you describe. I had some questions...first off, what is the actual issue? Do you see drops in smart console/zdebug?

Also, keep in mind, when it comes to ips and inspection settings, those are totally 2 different things. Inspection settings are more related to deep packet/voip, things like that, while IPS is definitely more for protecting aginst known malicious activities.

I suggest updating to at least R81.20 if you can.

Andy

(1)
PhoneBoy
Admin
Admin
a month ago
Jump to solution

Several low-level packet checks are handled in the Firewall blade.
These are represented in the Inspection Settings and Core Protections panes and date back to the SmartDefense days (2000s pre-R70 and IPS Blade).

(1)
saitoh
Collaborator
a month ago
Jump to solution

Dear @PhoneBoy , @the_rock , and @PhoneBoy ,

 

Thanks for your comments as always. Wonderful you guys are always here to help people.

My apologies for lack of background info. Here's why I am interested in such a good old OS version.

 

Problems:

No urgent issue occurs. This question was written for begging info, not a solution.

 

Backgrounds:

Ahead of the replacement of customer's appliances which all run R80.10, with better ones of R82,

I have to investigate any system change made to the system, which might cause connectivity issues.

Their environment has old/original protocol packets, and many of them is likely to be non RFC-compliant.

(I know it is almost impossible to fully presume them all, but I would like to get a picture to some extent.)

 

What I would like to know:

1. Without IPS blade, can FW blade drop a suspicious packets like listed in Inspection Settings?

2. Apart from behaviour configured in Inspection Settings, is there any function which can drop a packet regardless of firewall policy?

I know in global properties there are the settings associated with a drop of packets like dynamic routing protocol, direct ping, and Ack without Syn.

 

I am not quite sure where else to check when policy-allowed packet is dropped at the appliance.

It has been very hectic in my office, so my colleagues seemingly do not have time for answering my question.. ;(

My effort alone cannot make them clear to me.

If you give me a pointer, I cannot thank you enough.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
_Val_
Admin
Admin
a month ago
In response to saitoh
Jump to solution

FW can drop packets for one of those reasons:

  1. Anti-spoofing violation
  2. Packet is out of state
  3. Policy drop rule
  4. Threat prevention policy decision
(1)
the_rock
Legend
Legend
a month ago
In response to saitoh
Jump to solution

Hey Saitoh,

I can totally see all the points Val made, regardless of what blades are enabled.

Andy

(1)
saitoh
Collaborator
a week ago
In response to the_rock
Jump to solution

Hi @_Val_  and @the_rock ,

I am sorry for the late reply, had been in a short holiday in Egypt.

 

And much appreciated to you guys for a concise and clear answer!

Saitoh

sliver bullet: casting repero or tossing it into the harbor
_Val_
Admin
Admin
a week ago
In response to saitoh
Jump to solution

Glad to help

0 Kudos
the_rock
Legend
Legend
a week ago
In response to saitoh
Jump to solution

Hey @saitoh 

Yea man, hope you had nice Time! Egypt is very good destination, I know everyone goes to see pyramids, but I love Luxor, such a cool place.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events