Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Luis_Miguel_Mig
Advisor
Jump to solution

IPS Core Protections

IPS core protections are installed via the access policy. However, even though you don't need a threat prevention and or IPS license, you need to activate the IPS blade, correct?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Not sure that's required since the entire reason they are enforced as part of Access Policy is because these protections are built into the firewall.

View solution in original post

47 Replies
PhoneBoy
Admin
Admin

Not sure that's required since the entire reason they are enforced as part of Access Policy is because these protections are built into the firewall.

the_rock
Legend
Legend

I believe what Phoneboy said has been the case for a long time now actually.

Andy

0 Kudos
Lesley
Leader Leader
Leader

I think you can do it without IPS blade. You can attach the 'optimized setting' to a gateway that has no IPS blade enabled or license. Also same goes for GEO protection. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Luis_Miguel_Mig
Advisor

Where can I find the optimized setting?
I guess I can try with no IPS blade but the policy type linked with the gateway needs to be both types access control and threat prevention, right?

0 Kudos
the_rock
Legend
Legend

Screenshot_1.png

 

 

Screenshot_2.png

0 Kudos
Luis_Miguel_Mig
Advisor

Oh yeah, so you don't need to enable the IPS blade but you need to configure the policy as "threat prevention" policy type. 
It feels a bit complex, because the policy contains all the IPS protections even though only the IPS core protections are expected to work without the IPS license. It would be nice if these 39 nine core protections were independent a bit like the inspection settings
Cool. Than you very much.

the_rock
Legend
Legend

Of course mate, any time, happy to assist. By the way, keep in mind, these core protections are super basic, specially if you are NOT using ips blade, I think thats been there since long time ago.

Andy

 

Btw, I have really good eve-ng and Azure cp labs, so if you need me to test anything, happy to do it.

 

Screenshot_1.png

0 Kudos
the_rock
Legend
Legend
0 Kudos
Lesley
Leader Leader
Leader

Indeed what the_rock posted as his last screenshot

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Luis_Miguel_Mig
Advisor

thanks. Yeah, I was aware of that way of filtering the core protections

the_rock
Legend
Legend

I figured you knew, since you said number 39, which is what shows there 🙂

0 Kudos
Timothy_Hall
Legend Legend
Legend

The 39 Core Activations exist in a kind of no man's land between Access Control & Threat Prevention, but everything stated in this thread is correct, you don't need the IPS feature enabled to use them.  Core Activations have always been a bit confusing to deal with, and I'm happy to report that they are covered very nicely in the upcoming 2-day Threat Prevention Specialist course which should be released to Check Point ATCs worldwide later this month.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Luis_Miguel_Mig
Advisor


Should the installation look like the file attached?
Threat prevention box available but not ticked.

 

 

 
 

 

 

Timothy_Hall
Legend Legend
Legend

Right you don't need Threat Prevention ticked.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

All you need to remember is this...core protection will be ACTIVE, regardless if you have ips enabled. or install or not TP policy.

Andy

0 Kudos
Luis_Miguel_Mig
Advisor

coreprotections_gateway.jpgBut the problem is that I can't assign my gateway neither a threat prevention profile or a IPS Core Protection Profile.

I wonder if it has something to do with an Threat Prevention Layer generated by the system  called IPS layer assigned (with 0 rules - coming from a migration from r77) and it is not used by it still exists

ips.JPG

0 Kudos
the_rock
Legend
Legend

If you are allowed to do remote, Im sure we can figure it out quickly. Make sure policy editor looks something similar to below.

Andy

 

Screenshot_1.png

0 Kudos
Luis_Miguel_Mig
Advisor

Thanks Andy, I managed to configured it but with IPS blade enabled on the gateway.
There is no way to configure it IPS blade is not enabled as far I can see

0 Kudos
the_rock
Legend
Legend

Hm, thats odd, cause I did it in my lab without IPS on.

Andy

0 Kudos
Luis_Miguel_Mig
Advisor

how is it possible? Are we making a wrong assumption or perhaps different firmware version may have different behaviour.
I am  in r80.40

Now, with the IPS blade on, I have tested removing the threat prevention layer and the IPS core protections profile is still applied.

 

So my conclusions:

1) I need the IPS blade installed on the gateway

2) I don't need the policy type to be  threat prevention type and/or a threat prevention layer

 

ipsblade.jpg

0 Kudos
the_rock
Legend
Legend

I dont have R80.40 to test, so cant say, sorry. I tested on R81.20 and worked for me WITHOUT ips blade enabled.

Andy

0 Kudos
PhoneBoy
Admin
Admin

It's possible that IPS Blade may need to be enabled to configure the protections in earlier releases (speaking to what @Luis_Miguel_Mig is saying).
However, they should still be enforced as part of the Access Policy.

0 Kudos
the_rock
Legend
Legend

Im thinking thats probably true 🙂

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend

More and more this sounds like a SmartConsole GUI issue.  Here is a very similar one for Inspection Settings that was fixed:

Inspection Settings GUI Change Question 

 

Make sure you have the latest SmartConsole GUI software; it does not update automatically in R80.40.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Luis_Miguel_Mig
Advisor

I have just enabled the IPS blade and all of the sudden I can assign the IPS core protections profile.
So it seems like the IPS blade needs to be enabled even though the policy installation goes through the access policy.


0 Kudos
Luis_Miguel_Mig
Advisor

As I mentioned the IPS blade was on so I could see the IPS core protections profile assigned to my cluster and I could even tested a few port-scans I could see port-scan alerts.

Now all of the sudden I have realized that the IPS process is down. I have followed https://support.checkpoint.com/results/sk/sk163752 to try to bring the IPS process on again but I can't. The cli tells me to do it from smartconsole but smartconsole doesn't manage do it anymore.

I wonder if there may be some license checks that don't allow me to run the IPS process if I don't have the IPS license


0 Kudos
the_rock
Legend
Legend

Can you send output of cplic print -x from the gateway?

Andy

0 Kudos
Luis_Miguel_Mig
Advisor

I have manage to bring the IPS process on  by installing the threat prevention layer.
And it seems like by doing that now, a trial license has been installed too.

I am trying to get use IPS core protections without any IPS license. And even though I expected it is possible due to the documentation and the conversations we had it seems that the IPS license is required. In R77.2O I was able to run port-scan detection without IPS license and it sounds that it is possible in R81.20 too. But in R80.40 (GW) and R81.10(MG) I am still not sure if it works.

Can I run the IPS process without the  trial license? What will it happen when the trial license expires?
I was worried about being able to assign the IPS Core protections profile to the gateway but perhaps I don't need to be worried about it, and the default optimize IPS core protections may just work even  if you can see the attached screen coreprotections_gateway.jpg (where I can only see my gateway and profiles if IPS blade is enabled)


[Expert@host:dplane]# cplic print -x
Host Expiration Signature Features
trial 19Jul2024 axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx PNP_BLADE_IPS:V1:trial CPSB-IPS
ip never xxx CPSG-C-4-U CPSB-FW CPSB-ADNC CK-D1816C91E9CE

0 Kudos
the_rock
Legend
Legend

Im pretty sure you can run it without trial license, BUT, it wont get any updates at all.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events