Martin_Hofbauer
Contributor

R81.10 - Block/Prevent notification for IPS events

I am searching for ideas to inform our users when an IPS protection takes effect - like UserCheck is doing it.

 

Thanks for any ideas

Martin

0 Kudos
10 Replies
Tal_Paz-Fridman
Employee

Would you like to notify the Security Administrator or the user that triggered the specific IPS Protection?

0 Kudos
Blason_R
Leader

Hey,

You can get it from SmartEvent and trigger the notification when the action is matched.

Go to the Log & Monitor Tab -> SmartEvent Settings & Policy

Create the action as Email, and then you can define the triggers there

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Blason_R
Leader

This might help

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
maddah87
Contributor

Hi @Blason_R ,

This IPS reaction cannot have dynamic e-mail addresses, can it?
Meaning, if a user is blocked by the IPS, can that specific user be notified in every case?

0 Kudos
Chris_Atkinson
Employee

As discussed it's not really geared for end user notification, rather the SOC etc.

CCSM R77/R80/ELITE
0 Kudos
maddah87
Contributor

Thanks, 🙏

0 Kudos
Chris_Atkinson
Employee

Many attacks for which IPS applies may not be due to an interactive user session or in a browser.

Whilst UserCheck provides both an agent and email configuration options it's currently most relevant to the likes of Anti-virus / Anti-bot in the Threat Prevention context.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Champion

The IPS blade is not capable of sending UserChecks to the end user, and will simply start dropping packets or in some cases issue a TCP reset (whether a particular IPS protection performs a drop or reject upon a prevent action cannot be changed).  So if a user gets blocked but doesn’t seem to see a UserCheck, the IPS blade may well be responsible.  This was covered in my IPS/AV/ABOT Immersion course.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Martin_Hofbauer
Contributor

That was exactly my motivation for asking this question. But as already answered, the only way to notify my users that an IPS protection has blocked a specific connection is with SmartEvent notifications. But how do I inform the users without installing an agent... Email would be ok, but I need to map the client's IP address to the user - so I need the IA Blade active! (?) plus a script that collects the appropriate information. Sounds complex, and maybe things change in a future release ...

Thanks for all your answers!

0 Kudos
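A sketch of the kind of script the post above describes, added here as an example; it is not part of the thread and not Check Point code. It assumes Prevent events are already available as one JSON object per line and that an IP-to-user table exists; the field names, addresses and sample records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample records; the field names are hypothetical, not a Check Point log schema.
SAMPLE_EVENTS = """\
{"time": "2024-05-02T09:15:04", "action": "Prevent", "src": "10.1.20.31", "src_user": "", "protection": "Example Protection A"}
{"time": "2024-05-02T09:16:40", "action": "Prevent", "src": "10.1.20.31", "src_user": "", "protection": "Example Protection A"}
{"time": "2024-05-02T09:20:00", "action": "Detect", "src": "10.1.20.44", "src_user": "bob@example.com", "protection": "Example Protection B"}
{"time": "2024-05-02T09:25:10", "action": "Prevent", "src": "10.1.50.7", "src_user": "", "protection": "Example Protection B"}
{"time": "2024-05-02T09:30:00", "action": "Prevent", "src": "10.1.20.44", "src_user": "bob@example.com", "protection": "Example Protection B"}
{"time": "2024-05-02T09:50:00", "action": "Prevent", "src": "10.1.20.31", "src_user": "", "protection": "Example Protection A"}
"""

# Constructed IP-to-user table standing in for whatever identity source is available.
IP_TO_USER = {"10.1.20.31": "alice@example.com"}

def build_notifications(lines, ip_to_user, window=timedelta(minutes=30), sender="soc@example.com"):
    """Return (messages, unmapped): at most one mail per user and protection per window."""
    last_sent, messages, unmapped = {}, [], []
    for line in filter(None, map(str.strip, lines.splitlines())):
        ev = json.loads(line)
        if ev.get("action") != "Prevent":
            continue  # detect-only events blocked nothing, so there is nothing to explain
        user = ev.get("src_user") or ip_to_user.get(ev["src"])
        if not user:
            unmapped.append(ev["src"])  # no interactive user behind this source: leave to the SOC
            continue
        when = datetime.fromisoformat(ev["time"])
        key = (user, ev["protection"])
        if key in last_sent and when - last_sent[key] < window:
            continue  # a blocked client retries; do not mail the user for every drop
        last_sent[key] = when
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = user  # EmailMessage rejects CR/LF in header values
        msg["Subject"] = "A connection from your computer was blocked"
        # Log-derived text goes into the body only, never into a header.
        msg.set_content(f"At {ev['time']} the IPS blocked a connection from {ev['src']}.\n"
                        f"Protection: {ev['protection']}\n")
        messages.append(msg)
    return messages, unmapped

if __name__ == "__main__":
    msgs, unmapped = build_notifications(SAMPLE_EVENTS, IP_TO_USER)
    print([str(m["To"]) for m in msgs], unmapped)
```

Messages are only built, not sent; handing them to `smtplib.SMTP.send_message` is the remaining step.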
the_rock
Legend

I agree with @Blason_R. I see the same options in R81.20 as well, and it seems the best way to do this.

0 Kudos
