This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mike_Painter
Participant
‎2017-08-29 05:39 AM
Jump to solution

Automating IPS

In short, it would be great if Check Point could interface with a vulnerability scanner to automatically configure IPS rules based off various parameters. Wishful thinking, perhaps?
 
For example, lets say anything with a CVSS of 1-4 is inactive, 5-7 is in detect, and 8-10 is protect. You could then run this against the Confidence and Performance Impact of the IPS rules. Say something is a CVSS of 9, Confidence of IPS rule is Low and Performance High, perhaps it will only be in detect mode and only apply to those machines that are vulnerable. Then, if you choose to override it yourself, you can. Over time, as updates are applied, IPS gets trimmed back automatically, and as new vulnerabilities are discovered, IPS also keeps up.  This would take things to that next level of enabling JUST what you need automatically.
 
Are there any products out there that do this, or has anyone tinkered with the API for this?
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2017-08-29 05:49 AM
Jump to solution

R80 and R80.10 provide IPS Tags for this behavior. Read more here: How does R80 assist in saving time handling activation of IPS protections? 

View solution in original post

0 Kudos
12 Replies
Tomer_Sole
Mentor
Mentor
‎2017-08-29 05:49 AM
Jump to solution

R80 and R80.10 provide IPS Tags for this behavior. Read more here: How does R80 assist in saving time handling activation of IPS protections? 

0 Kudos
Mike_Painter
Participant
‎2017-08-29 08:34 AM
In response to Tomer_Sole
Jump to solution

Not sure how I overlooked that, but this is helpful. I guess now the missing piece is tying this back to a vulnerability scanner, or somehow leveraging the API.

0 Kudos
Mike_Painter
Participant
‎2017-09-07 12:07 PM
In response to Tomer_Sole
Jump to solution

I'd like to point out there are roughly 1700 tags, but I receive an error when adding more than 32. So if you chose to automatically disable CVSS score of 1.0 - 2.9, that is 20 of the 32 available used up.

0 Kudos
Bobby_Brill
Explorer
‎2017-08-29 07:02 PM
Jump to solution

Have you looked at any orchestration tools such as Phantom?  We use this for other similar use cases.


Good luck,

Bobby



0 Kudos
Mike_Painter
Participant
‎2017-09-07 12:08 PM
In response to Bobby_Brill
Jump to solution

This is something I have been wanting to look into. Thank you!

0 Kudos
VCL001
Employee Alumnus
Employee Alumnus
‎2017-12-04 03:05 PM
Jump to solution

Tomer, is there an update to this thread post Mike's finding of the 32-tag limitation?

Manuel_Kuback
Contributor
‎2018-09-28 12:25 AM
In response to VCL001
Jump to solution

Tomer Sole‌ is there an update to the 32-tag limitation? Because this one still exists today!

0 Kudos
Mike_Painter
Participant
‎2019-02-12 08:19 AM
In response to Manuel_Kuback
Jump to solution

From CPX, if you are on R80.20M2 or R80.30, they now offer something called Smart Threat Profile. It will monitor your traffic and select the IPS that it thinks you need. You can then compare it to your existing policy to choose if you want to use it moving forward. I don't think it's GA yet but you can reach out to threat_smart_profile@checkpoint.com.

Manuel_Kuback
Contributor
‎2019-02-15 12:09 AM
In response to Mike_Painter
Jump to solution

Sounds interesting. I just reached out to the mail you provided. Let's see 🙂

I will also attend the CPX in Vienna. Looking forward to it!

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-15 03:49 PM
In response to Manuel_Kuback
Jump to solution

I believe we'll have a demo of it in the Technology Innovation area.

0 Kudos
Omer_Shliva
Employee Alumnus
Employee Alumnus
‎2019-02-16 04:03 AM
In response to PhoneBoy
Jump to solution

We'll be there.

Peter_Baumann
Contributor
‎2019-10-17 02:12 AM
In response to Manuel_Kuback
Jump to solution

Hi all,

I tested the limitation of 32 tags in IPS with R80.20 and R80.30 and it is still the same.

I also could not find any informations about "Smart Threat Profile" in R80.30. So I also asked now in the E-Mail threat_smart_profile@checkpoint.com for more information about it.

When I get updates I will post it here...

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events