Luis_Miguel_Mig
Advisor

IPS Core Protections

IPS core protections are installed via the access policy. However, even though you don't need a threat prevention and/or IPS license, you need to activate the IPS blade, correct?

0 Kudos
47 Replies
Luis_Miguel_Mig
Advisor

The trial license got installed automatically by the system in the background. I didn't do anything.
I tried again with the IPS blade disabled and I don't get any IPS CORE PROTECTION ALERT.

So I will enable the IPS blade again and I will see what happens when the license expires. If I knew how, I would actually remove the trial license now to see what happens.

0 Kudos
the_rock
Legend

Let us know the outcome.

0 Kudos
Luis_Miguel_Mig
Advisor

My conclusion is:

1) Without the IPS blade on, I don't get the IPS Core protection. I don't get, for example, portscan alerts. And the portscan alerts actually come with the IPS blade tag.
2) I need the threat prevention layer activated in the policy assigned to the gateway, because otherwise the IPS process is off.
3) The system automatically installs a trial IPS license.

The IPS core protections work with all that, but what will happen when the trial license expires?
Following https://community.checkpoint.com/t5/General-Topics/Delete-trial-license/td-p/56751
I have tried to remove the trial license using both cplic eval_disable and $CPDIR/bin/cpprod_util CPPROD_SetPnPDisable 1 but the license is still installed according to the output of cplic print -x.



 

0 Kudos
the_rock
Legend

To remove the trial, you have to do this; it's called plug and play and it's below.

Andy

 

$CPDIR/conf/cp.pnp

 

https://community.checkpoint.com/t5/General-Topics/Delete-trial-license/td-p/56751

0 Kudos
Luis_Miguel_Mig
Advisor

And is my expectation correct? Will IPS core protections (with just the FW license) keep working after removing the trial license? 🙂

 

the_rock
Legend

I'm fairly sure, yes. It did for me back in R81 base.

Andy

0 Kudos
Luis_Miguel_Mig
Advisor

Excellent. Thanks Andy.

And were you aware of the trial license then, and you just let it expire or something like that?

0 Kudos
the_rock
Legend

No worries mate, glad we can help. Yes, I deleted that license with the command I gave in the last post.

Andy

0 Kudos
Luis_Miguel_Mig
Advisor

I have deleted $CPDIR/conf/cp.pnp and rebooted, and IPS Core protections still work; I can see alerts.
I can see that the trial license is not installed but I am getting this error. I guess the IPS process is still trying to get the trial license.
cplic print -x
GetLicFromFile: Failed to open file: /opt/CPshrd-R80.40/conf/cp.pnp
pnp_blades_iterate: Failed to find a match to PNP_BLADE_IPS-V1 in PnP file: /opt/CPshrd-R80.40/conf/cp.pnp
Host Expiration Signature Features
ip never jjjj CPSG-C-4-U CPSB-FW CPSB-ADNC CK-D188343B5EF5

0 Kudos
Luis_Miguel_Mig
Advisor
 

After removing cp.pnp, SmartConsole doesn't look pretty. The gateway is red because the contract has expired.
See screenshot attached.

Is there any way to tweak SmartConsole gateway checks/status behavior? I would like the gateway not to go red because of the IPS license that is not required to run the IPS core protections.

 

 

 

0 Kudos
the_rock
Legend

That's easy to fix. Apply an eval license, wait 10-15 mins, and if the status goes to yellow, follow what I did below.

Andy

 

https://community.checkpoint.com/t5/Management/License-warning-messages/m-p/169625#M33614

0 Kudos
Luis_Miguel_Mig
Advisor

If I apply an eval license, the gateway status will go green but only until the eval license expires again, no? So then I will be in the same position with the IPS core protections working but with the gateway status in SmartConsole in red due to the eval license expiration, no?

0 Kudos
PhoneBoy
Admin

Believe you are correct here.
Most likely this would require a code fix, which likely won't occur on an EOL version.

the_rock
Legend

That sounds right, but again, as PhoneBoy said, it would not be fixed on unsupported code. I would upgrade to R81.20 if you can.

0 Kudos
Luis_Miguel_Mig
Advisor

Absolutely, we are upgrading to R81.20 very soon.
One question: I am curious, if you don't need the IPS blade for IPS core protections, how are these alerts tagged in R81.20?
For example, do you filter port scan alerts/logs with blade:Firewall or blade:ips?
I expect that these alerts will be fully firewall blade in R81.20, so blade:Firewall.

0 Kudos
the_rock
Legend

That's right.

0 Kudos
Luis_Miguel_Mig
Advisor

I have tested R81.20 and it is the same. Very confusing.
It is true that you don't need to install the threat prevention policy.
But you need the IPS BLADE enabled and you need to configure the IPS core protections in the threat prevention policy configuration side.
Now I know how it works, but I guess that a lot of people will waste time figuring it out. Very confusing.

the_rock
Legend

100% you need IPS core protections, right.

0 Kudos
