OLU_TSC
Explorer

IPS Update in Detect Mode

Hi All,

The customer wants me to configure the IPS update to be in Detect mode
rather than in Prevent mode. They want me to review the traffic for one week
before configuring to Prevent mode.

My humble Question is
"How do I determine business impact of new IPS signatures against traffic
hits when in Detect Mode."

I have to give the customer a report and move the IPS signatures into Prevent mode after a week.

 

Regards,

Olu

0 Kudos
6 Replies
PhoneBoy
Admin

You have to analyze the Detects to see if they involve any critical clients/servers as a starting point.
A protection that triggers regularly might be a false positive and/or might need further testing in Prevent mode in the lab before enabling in production.

0 Kudos
OLU_TSC
Explorer

Thanks PhoneBoy,

Can you please give an idea of how to analyse the Detect please.

Example: blade:IPS action:Detect XXXXXXXXX? What else can I use?

Thanks

0 Kudos
PhoneBoy
Admin

That starts with knowing what the actual source and destination are and what applications are involved.
A signature that triggers for an application that isn't on the source/destination might be a false positive.
A lot of Detects for a given signature/source/destination may indicate a false positive also.

0 Kudos
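A sketch of the triage described in the replies above, as an added example that is not part of the thread and not Check Point tooling: it groups exported Detect hits by protection/source/destination, marks hits that touch critical hosts, and marks frequently repeating triples as false-positive candidates. The CSV column names, the critical-host list, the threshold and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of exported Detect-mode IPS logs. Column names are assumed;
# map them to whatever your own log export uses.
SAMPLE_CSV = """protection,src,dst,action
Example Protection A,10.0.0.5,10.0.1.10,Detect
Example Protection A,10.0.0.5,10.0.1.10,Detect
Example Protection A,10.0.0.5,10.0.1.10,Detect
Example Protection A,10.0.0.5,10.0.1.10,Detect
Example Protection B,10.0.0.7,10.0.2.20,Detect
Example Protection B,10.0.0.8,10.0.1.10,Detect
Example Protection C,10.0.0.9,10.0.2.21,Prevent
"""

CRITICAL_ASSETS = {"10.0.1.10"}  # assumed list of business-critical hosts
REPEAT_THRESHOLD = 3             # assumed cut-off for "triggers regularly"


def triage(csv_text, critical=CRITICAL_ASSETS, threshold=REPEAT_THRESHOLD):
    """Count Detect hits per (protection, src, dst) and flag items to review."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"].strip().lower() != "detect":
            continue  # only Detect-mode hits are part of this review
        hits[(row["protection"], row["src"], row["dst"])] += 1

    report = []
    for (protection, src, dst), count in hits.most_common():
        flags = []
        if src in critical or dst in critical:
            flags.append("critical-asset")  # business impact if later prevented
        if count >= threshold:
            flags.append("fp-candidate")    # repeated hits on one flow: verify
        report.append({"protection": protection, "src": src, "dst": dst,
                       "hits": count, "flags": flags})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(item["hits"], item["protection"], item["src"], "->", item["dst"],
              ",".join(item["flags"]) or "-")
```

Items flagged both ways are the ones to check against the applications actually running on the source and destination before the protection goes to Prevent.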
the_rock
Legend

We did this for a client that became a CP customer back in 2021 and we showed them that after 2 weeks of IPS being in detect mode, there were no false positives, which is a good time to turn on the optimized profile.

You can also use the built-in IPS report if you turn on the SmartEvent blade on the mgmt server.

Best,

Andy

0 Kudos
Lesley
Leader

You could enable IPS in detect only mode and let it log for a few days.

After some time, review the logs and compare them to the profile you would like to activate to see what protections will be detected / prevented and inactive. Depending on the profile (strict or optimized), a protection will be set to a certain level depending on performance and confidence level. Also copy the standard profile so you can always work and edit a copy!

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/...

See under:

Troubleshooting IPS for a Security Gateway

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend

That's an excellent reference.

Andy

0 Kudos
