This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Hofbauer
Contributor
Contributor
‎2022-12-04 06:18 PM

R81.10 - Block/Prevent notification for IPS events

I am searching for ideas to inform our users, when a IPS protection takes effect - like Usercheck is doing it.

 

Thanks for any ideas

Martin

0 Kudos
10 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2022-12-05 12:12 AM

Would you like to notify the Security Administrator or the user that triggered the specific IPS Protection?

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-05 12:37 AM

Hey,

You can get it from Smartevent and trigger the notification when the action is matched. 

Go to the Log & Monitor Tab -> Smart Event Settings & Policy

Create action as Email and then you can defined the triggers there

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Blason_R
MVP Gold
MVP Gold
‎2022-12-05 12:41 AM
In response to Blason_R

This might help

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Preview file
159 KB
maddah87
Contributor
‎2023-09-25 09:17 PM
In response to Blason_R

Hi @Blason_R ,

This IPS reaction cannot have dynamic e-mail addresses, can it?
Means that if a user blocked by the IPS can it be notify to the specific user in every case. 

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-09-25 11:14 PM
In response to maddah87

As discussed it's not really geared for end user notification, rather the SOC etc.

CCSM R77/R80/ELITE
0 Kudos
maddah87
Contributor
‎2023-09-25 11:50 PM
In response to Chris_Atkinson

Thanks, 🙏

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-12-05 01:01 AM

Many attacks for which IPS applies may not be due to an interactive user session or in a browser.

Whilst UserCheck provides both an agent and email configuration options it's currently most relevant to the likes of Anti-virus / Anti-bot in the Threat Prevention context.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-12-05 04:54 AM

The IPS blade is not capable of sending UserChecks to the end user, and will simply start dropping packets or in some cases issue a TCP reset (whether a particular IPS protection performs a drop or reject upon a prevent action cannot be changed).  So if a user gets blocked but doesn’t seem to see a UserCheck, the IPS blade may well be responsible.  This was covered in my IPS/AV/ABOT Immersion course.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Martin_Hofbauer
Contributor
Contributor
‎2022-12-05 09:33 AM
In response to Timothy_Hall

That was exactly my motivation for asking this question. But as already answered, the only way to notify my users that an IPS protection has blocked a specific connection is with SmartEvent notifications. But how do I inform the users without installing an agent... Email would be ok, but I need to map the client's IP address to the user - So I need IA Blade active! (?) plus a script that collects the appropriate information. Sounds complex and maybe things changes in a future release ...

Thanks for all your answers !

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-12-05 05:28 AM

I agree with @Blason_R . I see same options in R81.20 as well and seems best way to do this.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events