Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AngeloP
Participant

CheckPoint IPS - Automatically Block IP when a specific signature is triggered

Hello,

 

I would like to ask if it's possible to set up a setting for specific Protections that allows to automatically block the IP that triggered a specific Protection, like for example for Scans - we would like to be able to automatically block IP's that triggered specific scanning signatures - as in adding them to a blacklist temporarily or until someone removes the ip from it, is that possible?

0 Kudos
1 Reply
Marcel_Gramalla
Advisor

If you have a SmartEvent license you can do that pretty easily. You have to create a Event definition with the Protection you want to trigger:

ips.JPG

In our case this was used for the Log4j issue. With the automatic reactions you can block the IP for a desired time (max. 4 weeks I believe).