Martin_Hofbauer
Contributor

R81.10 - Block/Prevent notification for IPS events

I am searching for ideas to inform our users when an IPS protection takes effect - like UserCheck is doing it.

 

Thanks for any ideas

Martin

0 Kudos
7 Replies
Tal_Paz-Fridman
Employee

Would you like to notify the Security Administrator or the user that triggered the specific IPS Protection?

0 Kudos
Blason_R
Advisor

Hey,

You can get it from SmartEvent and trigger the notification when the action is matched.

Go to the Log & Monitor Tab -> Smart Event Settings & Policy

Create the action as Email and then you can define the triggers there

Blason_R
Advisor

This might help

 

 

Chris_Atkinson
Employee

Many attacks for which IPS applies may not be due to an interactive user session or in a browser.

Whilst UserCheck provides both an agent and email configuration options, it's currently most relevant to the likes of Anti-virus / Anti-bot in the Threat Prevention context.

0 Kudos
Timothy_Hall
Champion

The IPS blade is not capable of sending UserChecks to the end user, and will simply start dropping packets or in some cases issue a TCP reset (whether a particular IPS protection performs a drop or reject upon a prevent action cannot be changed).  So if a user gets blocked but doesn’t seem to see a UserCheck, the IPS blade may well be responsible.  This was covered in my IPS/AV/ABOT Immersion course.

 

IPS/AV/ABOT Immersion & Max Capture: Know your Packets
Self-Guided Video Series available at www.maxpowerfirewalls.com
Martin_Hofbauer
Contributor

That was exactly my motivation for asking this question. But as already answered, the only way to notify my users that an IPS protection has blocked a specific connection is with SmartEvent notifications. But how do I inform the users without installing an agent... Email would be ok, but I need to map the client's IP address to the user - so I need IA Blade active! (?) plus a script that collects the appropriate information. Sounds complex and maybe things change in a future release ...

Thanks for all your answers !

0 Kudos
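The correlation step described in the post above (client IP to user, then one email per user), as an added example that is not part of the original thread and not Check Point code. It assumes IPS events have already been exported into records with hypothetical field names and that login sessions come from some identity source; all sample data, addresses and protection names are constructed.

```python
from collections import defaultdict
from datetime import datetime
from email.message import EmailMessage

ADMIN = "secadmin@example.com"  # hypothetical fallback recipient

# Constructed identity sessions: (client IP, user mail, login, logout)
SESSIONS = [
    ("10.1.20.15", "alice@example.com", "2024-05-01T08:00:00", "2024-05-01T12:00:00"),
    ("10.1.20.15", "bob@example.com", "2024-05-01T13:00:00", "2024-05-01T17:00:00"),
]

# Constructed IPS events; the field names are assumptions, not a vendor schema
EVENTS = [
    {"time": "2024-05-01T09:14:02", "src": "10.1.20.15", "action": "Prevent", "protection": "Example Protection A"},
    {"time": "2024-05-01T09:15:40", "src": "10.1.20.15", "action": "Prevent", "protection": "Example Protection A"},
    {"time": "2024-05-01T14:02:11", "src": "10.1.20.15", "action": "Prevent", "protection": "Example Protection B"},
    {"time": "2024-05-01T14:05:00", "src": "10.1.30.7", "action": "Prevent", "protection": "Example Protection A"},
    {"time": "2024-05-01T14:06:00", "src": "10.1.20.15", "action": "Detect", "protection": "Example Protection C"},
]

def user_for(ip, when):
    """Return the user who held `ip` at time `when`, or None (server, unidentified host)."""
    for s_ip, user, start, end in SESSIONS:
        if s_ip == ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return user
    return None

def build_notifications(events):
    """Group prevented events per recipient and return {recipient: EmailMessage}."""
    grouped = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] != "Prevent":  # Detect-only events blocked nothing
            continue
        when = datetime.fromisoformat(ev["time"])
        rcpt = user_for(ev["src"], when) or ADMIN  # no identity: route to the admin
        grouped[rcpt][(ev["src"], ev["protection"])] += 1
    mails = {}
    for rcpt, hits in grouped.items():
        msg = EmailMessage()
        msg["To"] = rcpt
        msg["Subject"] = "IPS blocks without an identified user" if rcpt == ADMIN else "IPS blocked a connection from your client"
        msg.set_content("\n".join(f"{src}: {prot} ({n}x)" for (src, prot), n in sorted(hits.items())))
        mails[rcpt] = msg
    return mails

if __name__ == "__main__":
    for m in build_notifications(EVENTS).values():
        print(m, end="\n---\n")
```

The same client IP maps to two different users here, which is why the lookup is bounded by session time rather than keyed on IP alone.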
the_rock
Legend

I agree with @Blason_R. I see the same options in R81.20 as well, and it seems the best way to do this.

0 Kudos