FW-VPN-ITALY
Explorer

IPS tuning

Hello, I received a request from a customer to perform IPS tuning on Check Point. Currently the customer has only one rule with the IPS profile active. In my opinion, two rules should be created with two distinct IPS profiles to divide the traffic according to the direction: one for inbound traffic and the other for outbound traffic. What do you think about my idea? What do you recommend?

I've read the Check Point best practices but they don't say much about how to proceed. Tips?

0 Kudos
3 Replies
PhoneBoy
Admin

No real benefit to doing that since the protections are largely directional already and you’re likely doing App Control/URL Filtering as well, which use the same engines as IPS.
It might help to know the starting point you’re at (what profile you’re using, what version/JHF you’re at).

You can see what signature is using the most CPU with this tool: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,
However, I wouldn’t do that until you do some more fundamental tuning of system performance, including possibly changing the snd/fwk mix.
But start with the Super Seven commands: https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/td-p/4...

0 Kudos
Chris_Atkinson
Employee

What are your tuning objectives? Are you tuning for security, performance or a balance of both?

TailoredSafe (sk164812) and the IPS Analyzer Tool might be helpful:

[Image: IPS performance.jpg]

Refer:

https://community.checkpoint.com/t5/Infinity-Threat-Prevention/IPS-Analyzer-Tool-How-to-analyze-IPS-...

0 Kudos
Timothy_Hall
Champion

As Chris said, TailoredSafe and the IPS Analyzer Tool will be very helpful here. IPS optimization was also covered in my Max Power 2020 book (pages 352-369), but the tuning techniques documented there are a bit of a manual slog compared to these newer tools doing a lot of the heavy lifting for you. There is also some coverage of this topic in my IPS Immersion Course, including the so-called "null profile" trick; IPS is definitely one of those blades that can be a bit intimidating to work with at first due to the sheer number of IPS protections...

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos