IPS Update in Detect Mode
Hi All,
The customer wants me to configure the IPS update to be in Detect mode rather than in Prevent mode. They want me to review the traffic for one week before configuring it to Prevent mode.
My humble question is:
"How do I determine the business impact of new IPS signatures against traffic hits when in Detect mode?"
I have to give customer report and move the IPS Signature into Prevent mode after a week.
Regards,
Olu
You have to analyze the Detects to see if they involve any critical clients/servers as a starting point.
A protection that triggers regularly might be a false positive and/or might need further testing in Prevent mode in the lab before enabling in production.
Thanks PhoneBoy,
Can you please give an idea of how to analyse the Detects?
For example, blade:IPS action:Detect XXXXXXXXX? What else can I use?
Thanks
That starts with knowing what the actual source and destination are and what applications are involved.
A signature that triggers for an application that isn't on the source/destination might be a false positive.
A lot of Detects for a given signature/source/destination may indicate a false positive also.
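The triage described above, as an added example that is not from this thread or from Check Point: a small Python script groups exported Detect records by protection, source, destination and application, then applies the three checks (critical asset involved, application not hosted on the destination, high hit count). The log records, field names, protection names, asset lists and the 20-hit noise threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample records, modelled on what one might export after
# filtering SmartConsole logs with "blade:IPS action:Detect".
# Field names are assumptions, not Check Point's exact log schema.
DETECT_LOGS = (
    [{"protection_name": "SQL Servers Blind SQL Injection", "src": "203.0.113.7",
      "dst": "10.2.0.10", "app": "HTTP"}] * 3
    + [{"protection_name": "Web Server Directory Traversal", "src": "198.51.100.4",
        "dst": "10.2.0.20", "app": "HTTP"}] * 25
    + [{"protection_name": "Suspicious DNS Response", "src": "10.3.0.9",
        "dst": "10.2.0.30", "app": "DNS"}] * 2
)

# Assumed asset inventory: critical hosts and the applications they really run.
CRITICAL_ASSETS = {"10.2.0.10": "ERP web server", "10.2.0.20": "payroll DB"}
ASSET_APPS = {"10.2.0.10": {"HTTP", "HTTPS"}, "10.2.0.20": {"MS-SQL"}}


def triage_detects(logs, critical, asset_apps, noisy_threshold=20):
    """Group Detect logs by (protection, src, dst, app) and flag each group."""
    groups = Counter((r["protection_name"], r["src"], r["dst"], r["app"]) for r in logs)
    rows = []
    for (prot, src, dst, app), n in groups.most_common():  # busiest groups first
        flags = []
        if src in critical or dst in critical:
            flags.append("critical asset involved")
        if dst in asset_apps and app not in asset_apps[dst]:
            flags.append("app not hosted on destination -> likely false positive")
        if n >= noisy_threshold:
            flags.append("high volume -> review / lab test before Prevent")
        rows.append({"protection": prot, "src": src, "dst": dst,
                     "app": app, "count": n, "flags": flags})
    return rows


def recommend(rows):
    """Per protection: 'prevent' only if none of its groups raised a flag."""
    verdict = {}
    for r in rows:
        if r["flags"]:
            verdict[r["protection"]] = "review"
        else:
            verdict.setdefault(r["protection"], "prevent")
    return verdict


if __name__ == "__main__":
    rows = triage_detects(DETECT_LOGS, CRITICAL_ASSETS, ASSET_APPS)
    for r in rows:
        print(f'{r["count"]:>4} {r["protection"]:<35} {r["src"]} -> {r["dst"]} {r["flags"]}')
    print(recommend(rows))
```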
We did this for a client that became a CP customer back in 2021, and we showed them that after 2 weeks of IPS being in Detect mode there were no false positives, which is a good time to turn on the Optimized profile.
You can also use the built-in IPS report if you turn on the SmartEvent blade on the mgmt server.
Best,
Andy
You could enable IPS in Detect-only mode and let it log for a few days.
After some time, review the logs and compare them to the profile you would like to activate to see which protections will be Detect, Prevent or Inactive. Depending on the profile (Strict or Optimized), a protection will be set to a certain level depending on its performance and confidence level. Also copy the standard profile so you can always work on and edit a copy!
See under:
Troubleshooting IPS for a Security Gateway
If you like this post please give a thumbs up (kudo)! 🙂
That's an excellent reference.
Andy
