This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Hofbauer
Contributor
‎2022-12-04 06:18 PM

R81.10 - Block/Prevent notification for IPS events

I am searching for ideas to inform our users, when a IPS protection takes effect - like Usercheck is doing it.

 

Thanks for any ideas

Martin

0 Kudos
7 Replies
Tal_Paz-Fridman
Employee
Employee
‎2022-12-05 12:12 AM

Would you like to notify the Security Administrator or the user that triggered the specific IPS Protection?

0 Kudos
Blason_R
Advisor
‎2022-12-05 12:37 AM

Hey,

You can get it from Smartevent and trigger the notification when the action is matched. 

Go to the Log & Monitor Tab -> Smart Event Settings & Policy

Create action as Email and then you can defined the triggers there

Blason_R
Advisor
‎2022-12-05 12:41 AM
In response to Blason_R

This might help

 

 

Preview file
159 KB
Chris_Atkinson
Employee
Employee
‎2022-12-05 01:01 AM

Many attacks for which IPS applies may not be due to an interactive user session or in a browser.

Whilst UserCheck provides both an agent and email configuration options it's currently most relevant to the likes of Anti-virus / Anti-bot in the Threat Prevention context.

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-12-05 04:54 AM

The IPS blade is not capable of sending UserChecks to the end user, and will simply start dropping packets or in some cases issue a TCP reset (whether a particular IPS protection performs a drop or reject upon a prevent action cannot be changed).  So if a user gets blocked but doesn’t seem to see a UserCheck, the IPS blade may well be responsible.  This was covered in my IPS/AV/ABOT Immersion course.

 

IPS/AV/ABOT Immersion & Max Capture: Know your Packets
Self-Guided Video Series available at www.maxpowerfirewalls.com
Martin_Hofbauer
Contributor
‎2022-12-05 09:33 AM
In response to Timothy_Hall

That was exactly my motivation for asking this question. But as already answered, the only way to notify my users that an IPS protection has blocked a specific connection is with SmartEvent notifications. But how do I inform the users without installing an agent... Email would be ok, but I need to map the client's IP address to the user - So I need IA Blade active! (?) plus a script that collects the appropriate information. Sounds complex and maybe things changes in a future release ...

Thanks for all your answers !

0 Kudos
the_rock
Legend
Legend
‎2022-12-05 05:28 AM

I agree with @Blason_R . I see same options in R81.20 as well and seems best way to do this.

0 Kudos