IPS core protections are installed via the access policy. However, even though you don't need a threat prevention and/or IPS license, you need to activate the IPS blade, correct?
Not sure that's required since the entire reason they are enforced as part of Access Policy is because these protections are built into the firewall.
I believe what Phoneboy said has been the case for a long time now actually.
Andy
I think you can do it without IPS blade. You can attach the 'optimized setting' to a gateway that has no IPS blade enabled or license. Also same goes for GEO protection.
Where can I find the optimized setting?
I guess I can try with no IPS blade but the policy type linked with the gateway needs to be both types access control and threat prevention, right?
Oh yeah, so you don't need to enable the IPS blade but you need to configure the policy as "threat prevention" policy type.
It feels a bit complex, because the policy contains all the IPS protections even though only the IPS core protections are expected to work without the IPS license. It would be nice if these 39 core protections were independent, a bit like the inspection settings.
Cool. Thank you very much.
Of course mate, any time, happy to assist. By the way, keep in mind, these core protections are super basic, especially if you are NOT using the IPS blade. I think that's been there since a long time ago.
Andy
Btw, I have really good eve-ng and Azure cp labs, so if you need me to test anything, happy to do it.
Reference link, though I'm sure you had seen it already.
Andy
Indeed what the_rock posted as his last screenshot
Thanks. Yeah, I was aware of that way of filtering the core protections.
I figured you knew, since you said number 39, which is what shows there 🙂
The 39 Core Activations exist in a kind of no man's land between Access Control & Threat Prevention, but everything stated in this thread is correct, you don't need the IPS feature enabled to use them. Core Activations have always been a bit confusing to deal with, and I'm happy to report that they are covered very nicely in the upcoming 2-day Threat Prevention Specialist course which should be released to Check Point ATCs worldwide later this month.
Right you don't need Threat Prevention ticked.
All you need to remember is this... core protection will be ACTIVE regardless of whether you have IPS enabled, or whether you install a TP policy or not.
Andy
But the problem is that I can't assign my gateway either a threat prevention profile or an IPS Core Protection Profile.
I wonder if it has something to do with a Threat Prevention Layer generated by the system called IPS layer assigned (with 0 rules - coming from a migration from R77); it is not used but it still exists.
If you are allowed to do remote, I'm sure we can figure it out quickly. Make sure policy editor looks something similar to below.
Andy
Thanks Andy, I managed to configure it but with IPS blade enabled on the gateway.
There is no way to configure it if the IPS blade is not enabled, as far as I can see.
Hm, that's odd, because I did it in my lab without IPS on.
Andy
How is it possible? Are we making a wrong assumption, or perhaps different firmware versions may have different behaviour?
I am in R80.40.
Now, with the IPS blade on, I have tested removing the threat prevention layer and the IPS core protections profile is still applied.
So my conclusions:
1) I need the IPS blade installed on the gateway
2) I don't need the policy type to be threat prevention type and/or a threat prevention layer
I don't have R80.40 to test, so can't say, sorry. I tested on R81.20 and it worked for me WITHOUT the IPS blade enabled.
Andy
It's possible that IPS Blade may need to be enabled to configure the protections in earlier releases (speaking to what @Luis_Miguel_Mig is saying).
However, they should still be enforced as part of the Access Policy.
I'm thinking that's probably true 🙂
Andy
More and more this sounds like a SmartConsole GUI issue. Here is a very similar one for Inspection Settings that was fixed:
Make sure you have the latest SmartConsole GUI software; it does not update automatically in R80.40.
I have just enabled the IPS blade and all of a sudden I can assign the IPS core protections profile.
So it seems like the IPS blade needs to be enabled even though the policy installation goes through the access policy.
As I mentioned, the IPS blade was on so I could see the IPS core protections profile assigned to my cluster, and I could even test a few port scans and see port-scan alerts.
Now all of a sudden I have realized that the IPS process is down. I have followed https://support.checkpoint.com/results/sk/sk163752 to try to bring the IPS process on again but I can't. The CLI tells me to do it from SmartConsole but SmartConsole doesn't manage to do it anymore.
I wonder if there may be some license checks that don't allow me to run the IPS process if I don't have the IPS license.
Can you send output of cplic print -x from the gateway?
Andy
I have managed to bring the IPS process on by installing the threat prevention layer.
And it seems like by doing that now, a trial license has been installed too.
I am trying to use IPS core protections without any IPS license. And even though I expected it to be possible due to the documentation and the conversations we had, it seems that the IPS license is required. In R77.20 I was able to run port-scan detection without an IPS license, and it sounds like it is possible in R81.20 too. But in R80.40 (GW) and R81.10 (MG) I am still not sure if it works.
Can I run the IPS process without the trial license? What will happen when the trial license expires?
I was worried about being able to assign the IPS Core protections profile to the gateway, but perhaps I don't need to be worried about it, and the default optimized IPS core protections may just work even if you can see the attached screen coreprotections_gateway.jpg (where I can only see my gateway and profiles if IPS blade is enabled).
[Expert@host:dplane]# cplic print -x
Host Expiration Signature Features
trial 19Jul2024 axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx PNP_BLADE_IPS:V1:trial CPSB-IPS
ip never xxx CPSG-C-4-U CPSB-FW CPSB-ADNC CK-D1816C91E9CE
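Added example, not part of the thread: a small parser for the `cplic print -x` output pasted above, reporting whether a blade SKU is backed by a permanent licence, a time-limited one, or none. The column layout is assumed from the four header names in the post; the function names and status labels are hypothetical, and the sample is constructed from the lines shown with the signature masked.

```python
from datetime import date, datetime

# Constructed sample: the licence lines from the post above, signature masked.
SAMPLE = """\
Host Expiration Signature Features
trial 19Jul2024 axxxxxxxx PNP_BLADE_IPS:V1:trial CPSB-IPS
ip never xxx CPSG-C-4-U CPSB-FW CPSB-ADNC CK-D1816C91E9CE
"""

def parse_cplic(text):
    """Return one dict per licence line: host, expiry (date or None), features."""
    licences = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and anything too short to be a licence.
        if len(fields) < 4 or fields[0] == "Host":
            continue
        host, expiration, _signature, *features = fields
        if expiration.lower() == "never":
            expiry = None
        else:
            try:
                expiry = datetime.strptime(expiration, "%d%b%Y").date()
            except ValueError:
                continue  # e.g. the shell prompt line pasted with the output
        licences.append({"host": host, "expiry": expiry, "features": features})
    return licences

def blade_status(licences, sku, today):
    """Best coverage for a SKU: permanent > time-limited > expired > missing."""
    rank = {"missing": 0, "expired": 1, "time-limited": 2, "permanent": 3}
    best = "missing"
    for lic in licences:
        if sku not in lic["features"]:
            continue
        if lic["expiry"] is None:
            status = "permanent"
        elif lic["expiry"] >= today:
            status = "time-limited"
        else:
            status = "expired"
        if rank[status] > rank[best]:
            best = status
    return best

if __name__ == "__main__":
    lics = parse_cplic(SAMPLE)
    for sku in ("CPSB-FW", "CPSB-IPS"):
        print(sku, blade_status(lics, sku, date.today()))
```

Run against the sample, `CPSB-FW` is covered by the permanent licence while `CPSB-IPS` appears only on the line that expires on 19Jul2024.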
I'm pretty sure you can run it without trial license, BUT, it won't get any updates at all.