How IPS packet capture works
I want to enable packet capture for an IPS protection, but I want to know:
What are the effects on CPU and memory performance?
Does it impact the storage of logs?
If I enable it, does it apply to all protections in the profile, or can it be specific?
That's a really good question. I did this with a customer a couple of years ago and we did not see any issues. Mind you, we only did it for 10-15 mins and their boxes were pretty powerful, 15000 series I think. Yes, it can be specific, see below. I also did this in my lab; mind you, it was R81.10 with 8 GB of RAM and was fine. I have not tested it yet in R81.20, but can do if you like. As far as logs, I can't say 100%, as the only logical way to tell would be if you left it for a prolonged period of time and observed.
Andy
My devices are 7000 series; do you think there would be a problem?
Additionally, if I apply it as in the samples, would it be for the entire profile, or only for that specific signature?
It would apply only to the specific signature if you change it, not the actual profile. You could change the log/capture option for multiple profiles, though, as per my picture, but the change you make for capture is ONLY for that specific signature.
7000 appliance, I'm 99.99% sure you would be fine. Personally, and this is just me, as I can't and would not speak for anyone else, I would do this for a short period of time if you absolutely have to, or in a window after hours, if possible.
Andy
There are two places you can enable Threat Prevention packet capturing in R80.10+: the Threat Prevention policy Track field, and/or the IPS ThreatCloud protection itself.
Checking the "Capture Packets" checkbox for an IPS ThreatCloud protection contained within a profile will not cause a substantial CPU or memory hit, because the gateway is already saving packet captures by default. When an IPS protection is triggered, the gateway automatically stores the offending packet for later inspection by the administrator. However, by default, when the same protection is triggered again, the previously saved capture is overwritten with the new one. All that setting "Capture Packets" on the protection does is store all of them without overwriting previous ones.
In the Threat Prevention policy Track field, setting "Capture Packets" just instructs all IPS ThreatCloud protections matching that rule to save all captures without overwriting; it is essentially setting the "Capture Packets" checkbox for you on every IPS ThreatCloud protection contained in the profile used by the matched TP rule. By default the gateway has 500MB of disk space set aside to store captures; if it fills up, the oldest captures are automatically deleted:
The main thing you will need to watch out for is having the firewall take captures for IPS ThreatCloud protections whose action is Detect, as it will save 100KB of captured packets each time, which can quickly exceed the 500MB allocation and start causing captures to get rolled off. A Prevent action will normally only give you one captured packet, or perhaps a few. There are a number of other caveats here to be aware of, especially concerning Core Activations & Inspection Settings; here is the relevant content about this from my updated R81.20 IPS/AV/ABOT Immersion course:
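The retention behaviour described in the answer above (one overwritten capture per protection by default, versus keep-everything under a 500MB budget with oldest-first deletion when "Capture Packets" is on) can be modelled to estimate how quickly Detect-action captures roll off. The following is an added illustration, not Check Point code and not from this thread; the 500MB budget and 100KB-per-Detect figure come from the answer, while the per-Prevent capture size, the event stream and the protection names are constructed assumptions.

```python
"""
Capacity model for IPS packet-capture retention (added example, not Check Point code).

Two behaviours are modelled, following the thread:
  * default:      one stored capture per protection, overwritten on each new hit
  * capture_all:  "Capture Packets" enabled, every capture kept, subject to a
                  disk budget; once the budget is exceeded the oldest captures go
"""
from collections import OrderedDict
from typing import Dict, Iterable, Tuple

DISK_BUDGET_BYTES = 500 * 1024 * 1024   # 500 MB capture allocation (from the thread)
DETECT_CAPTURE_BYTES = 100 * 1024       # ~100 KB saved per Detect hit (from the thread)
PREVENT_CAPTURE_BYTES = 1500            # ASSUMPTION: roughly one packet per Prevent hit


class CaptureStore:
    """Insertion-ordered store of captures with a byte budget and oldest-first eviction."""

    def __init__(self, capture_all: bool, budget: int = DISK_BUDGET_BYTES) -> None:
        self.capture_all = capture_all
        self.budget = budget
        self.captures: "OrderedDict[Tuple[str, int], int]" = OrderedDict()  # oldest first
        self.used = 0
        self.evicted = 0
        self._seq = 0

    def record(self, protection: str, action: str) -> None:
        size = DETECT_CAPTURE_BYTES if action == "Detect" else PREVENT_CAPTURE_BYTES
        if self.capture_all:
            key = (protection, self._seq)          # every hit gets its own entry
            self._seq += 1
        else:
            key = (protection, 0)                  # one entry per protection ...
            if key in self.captures:               # ... overwritten on each new hit
                self.used -= self.captures.pop(key)
        self.captures[key] = size
        self.used += size
        # Budget exceeded: drop the oldest captures until we fit again.
        while self.used > self.budget:
            _, old_size = self.captures.popitem(last=False)
            self.used -= old_size
            self.evicted += 1


def simulate(events: Iterable[Tuple[str, str]], capture_all: bool) -> Dict[str, int]:
    """Run a stream of (protection, action) hits through the store and summarise it."""
    store = CaptureStore(capture_all=capture_all)
    for protection, action in events:
        store.record(protection, action)
    return {"stored": len(store.captures), "used_bytes": store.used, "evicted": store.evicted}


def hits_until_rolloff(bytes_per_hit: int = DETECT_CAPTURE_BYTES,
                       budget: int = DISK_BUDGET_BYTES) -> int:
    """How many same-size captures fit in the allocation before the oldest starts to roll off."""
    return budget // bytes_per_hit


if __name__ == "__main__":
    # Constructed event stream: a noisy Detect protection plus a few Prevent hits.
    noisy = [("protection_a", "Detect")] * 6000
    quiet = [("protection_b", "Prevent")] * 5
    print("default     :", simulate(noisy + quiet, capture_all=False))
    print("capture_all :", simulate(noisy + quiet, capture_all=True))
    print("Detect hits before roll-off:", hits_until_rolloff())
```

With the default behaviour the store never grows beyond one capture per triggered protection, which is why the answer says enabling the checkbox costs little CPU or memory; with "Capture Packets" on, a single chatty Detect protection fills the 500MB allocation after 5,120 hits and everything older is silently rolled off, so captures you wanted to keep for investigation may already be gone.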
