Tomer_Sole (Mentor)

What is the roadmap for Threat Prevention Policy management?

R80 SmartConsole introduced significant changes in the policy organization of the threat prevention blades: IPS, Anti-Bot, Anti-Virus, and Threat Emulation. Yet in some aspects of the application, IPS is still separated from the other threat prevention blades. What was the purpose of this change?

Accepted Solution

Tomer_Sole (Mentor)

Pre-R80 Security Management was blade-oriented: every blade had its own separate tab and configuration. R80 changes the blade-oriented approach to a more fluid task-oriented approach, and when it comes to policy management, it differentiates between two worlds: Access Control and Threat Prevention.

R77: (screenshot r77_blades.png)

R80: (screenshot r80_blades.png)

So when we open SmartConsole and navigate to Security Policies, we find that the IPS blade is inside the Threat Prevention policy, but in a separate layer. This is because the concepts for managing IPS on pre-R80 Gateways are still different from the other threat prevention blades (Anti-Bot, Anti-Virus, Threat Emulation and, in R80.10, Threat Extraction; for the rest of this topic we will call them "general threat prevention blades").

R80.10 Gateways will introduce changes for the IPS blade so that it shares the same enforcement concepts as the general threat prevention blades. But anything that doesn't involve upgrading a Gateway is already maintained in R80 threat prevention policy management, in order to allow more intuitive daily work and separation from access control.

When working on threat prevention policies in R80, you may attempt to change your policy in ways that require an R80.10 Gateway. To separate Security Management features from Security Gateway features, please see the table below.

| Action | Pre-R80 Gateways | R80.10 Gateways and Above | What happens if the user attempts to do R80.10 actions for Pre-R80 Gateways in SmartConsole? |
|---|---|---|---|
| Type of policy to install for IPS | Access Control (IPS is dependent on Firewall modules) | Threat Prevention | Install Policy dialog displays a warning message. (screenshots: warning0.png, warning1.png) |
| How many threat prevention layers can the user create? | If enabled, 1 IPS layer. If enabled, 1 general threat prevention layer. | As many layers as he likes. | It is impossible in SmartConsole to delete an IPS layer with rules that have pre-R80 Gateways under the "Install On" column (screenshots: ips_cant_be_deleted1.png, ips_cant_be_deleted2.png). Attempting to add more than 1 general threat prevention layer will fail policy installation (screenshot: multi-threat-layers.png). |
| Can the user use the same layer for IPS and general threat prevention blades? | No | Yes | Profiles with both blades will show the icons grayed out in layers which do not enforce them. (screenshot: disabled_blades.png) |
| Can the user create different IPS policies? | No | Yes | The IPS layer is maintained automatically and shared in all policies. (screenshot: ips_is_shared.png) |
| Protecting a specific scope by a threat prevention profile | General threat prevention blades only (not IPS). | All threat prevention blades including IPS. | The Protected Scope column is not available for the IPS layer for Pre-R80 Gateways; Source and Destination columns appear instead. (screenshots: ips_source_destination.png, ips_source_destination2.png) |
| Changing the action of an exception rule from "inactive" to "prevent/detect" | Allowed for general threat prevention blades only. | Allowed for all threat prevention blades. | A warning during Install Policy: Pre-R80 Gateways will not receive exceptions with modified actions. (screenshot: change-exception.png) |

Please share your experience with building threat prevention policies in R80. A lot of thought was put into simplifying the policy management process while signaling the differences in enforcement. We are very interested in your feedback.
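The constraints in the table above can be checked before pressing Install Policy. The following is an added example, not Check Point code and not its Management API: the Gateway, Layer, Rule and ExceptionRule classes are a hypothetical model of a policy, and lint_policy applies the table's rules to it (IPS on pre-R80 gateways installs with Access Control and triggers a warning, more than one general layer fails installation for pre-R80 gateways, Protected Scope is unavailable in the IPS layer for pre-R80 gateways, and exceptions changed from inactive to prevent/detect do not reach pre-R80 gateways). can_delete_ips_layer models the deletion refusal. The sample policy and gateway names are constructed.

```python
"""Pre-install lint for a modelled R80 Threat Prevention policy (hypothetical model, not the real API)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

R80_10 = (80, 10)


def parse_version(version: str) -> Tuple[int, ...]:
    """'R77.30' -> (77, 30), 'R80.10' -> (80, 10); tuples compare in version order."""
    return tuple(int(part) for part in version.lstrip("Rr").split("."))


@dataclass
class Gateway:
    name: str
    version: str

    @property
    def pre_r80(self) -> bool:
        # Below R80.10 the gateway still enforces IPS through the Access Control policy.
        return parse_version(self.version) < R80_10


@dataclass
class Rule:
    install_on: List[str]                     # gateway names (no "*" handling in this model)
    protected_scope: List[str] = field(default_factory=list)


@dataclass
class ExceptionRule:
    install_on: List[str]
    original_action: str = "inactive"
    action: str = "inactive"


@dataclass
class Layer:
    name: str
    kind: str                                 # "ips" or "general"
    rules: List[Rule] = field(default_factory=list)
    exceptions: List[ExceptionRule] = field(default_factory=list)


@dataclass
class Policy:
    gateways: Dict[str, Gateway]
    layers: List[Layer]


def pre_r80_targets(policy: Policy, names: List[str]) -> List[str]:
    """Subset of Install On targets that are pre-R80 gateways."""
    return sorted(n for n in names if policy.gateways[n].pre_r80)


def can_delete_ips_layer(policy: Policy, layer: Layer) -> bool:
    """SmartConsole refuses to delete an IPS layer whose rules target pre-R80 gateways."""
    if layer.kind != "ips":
        return True
    return not any(pre_r80_targets(policy, r.install_on) for r in layer.rules)


def lint_policy(policy: Policy) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; 'error' means Install Policy will fail."""
    findings: List[Tuple[str, str]] = []
    general = [lyr for lyr in policy.layers if lyr.kind == "general"]
    if len(general) > 1:
        # More than one general threat prevention layer fails installation on pre-R80 gateways.
        affected = {g for lyr in general for r in lyr.rules for g in pre_r80_targets(policy, r.install_on)}
        if affected:
            findings.append(("error", f"{len(general)} general threat prevention layers; "
                                      f"installation fails for {', '.join(sorted(affected))}"))
    for layer in policy.layers:
        for rule in layer.rules:
            old = pre_r80_targets(policy, rule.install_on)
            if not old or layer.kind != "ips":
                continue
            # IPS for these gateways installs with the Access Control policy: expect the warning dialog.
            findings.append(("warning", f"IPS layer '{layer.name}': {', '.join(old)} enforce IPS via "
                                        f"Access Control; Install Policy will show a warning"))
            if rule.protected_scope:
                findings.append(("warning", f"IPS layer '{layer.name}': Protected Scope is not available "
                                            f"for {', '.join(old)}; use Source/Destination"))
        for exc in layer.exceptions:
            old = pre_r80_targets(policy, exc.install_on)
            if old and exc.original_action == "inactive" and exc.action in ("prevent", "detect"):
                findings.append(("warning", f"layer '{layer.name}': exception changed from inactive to "
                                            f"{exc.action} will not reach {', '.join(old)}"))
    return findings


def build_sample_policy() -> Policy:
    """Constructed sample: one R77.30 and one R80.10 gateway, one IPS layer and two general layers."""
    gws = {"gw-old": Gateway("gw-old", "R77.30"), "gw-new": Gateway("gw-new", "R80.10")}
    ips = Layer("IPS", "ips", rules=[Rule(["gw-old", "gw-new"])])
    standard = Layer("Standard Threat Prevention", "general",
                     rules=[Rule(["gw-old", "gw-new"])],
                     exceptions=[ExceptionRule(["gw-old"], "inactive", "prevent")])
    extra = Layer("Extra Threat Prevention", "general", rules=[Rule(["gw-new"])])
    return Policy(gws, [ips, standard, extra])


if __name__ == "__main__":
    policy = build_sample_policy()
    for severity, message in lint_policy(policy):
        print(f"{severity.upper():7} {message}")
    print("IPS layer deletable:", can_delete_ips_layer(policy, policy.layers[0]))
```

On the constructed sample the lint reports one error (two general layers while gw-old, an R77.30 gateway, is still targeted) and two warnings (IPS for gw-old going through Access Control, and the modified exception that gw-old will not receive); the IPS layer cannot be deleted while gw-old appears in its Install On column.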
