Samphas1 (Participant)

Concern about blades policy

Hi Team,

Could you explain the logs shown in the pictures below?

[Screenshots: Threat Policy.PNG, Threat Policy-1.PNG]

9 Replies
Chris_Atkinson (Employee)

We previously discussed similar here:

https://community.checkpoint.com/t5/General-Topics/Security-Logs/m-p/170421/emcs_t/S2h8ZW1haWx8bWVud...

What is different on the expanded / detailed log cards?

CCSM R77/R80/ELITE
Samphas1 (Participant)

Hi @Chris_Atkinson ,

I saw the logs were detected by Anti-Virus and Anti-Bot in Detect mode, under "High Risk Attacks - Distinct attacks not prevented due to policy".

_Val_ (Admin)

These logs show you protections triggered by the traffic while being in Detect mode. Change them to Protect if this is what you want.

Samphas1 (Participant)

Does Detect mode mean the Security Gateway allowed the connection into the environment, right? And if we change from Detect to Prevent mode, what will the impact be?

PhoneBoy (Admin)

Yes, Detect means the traffic was allowed.
If you switch to Prevent, the traffic would be blocked.
The impact will depend on whether the traffic is actually malicious or legitimate (i.e. the detection is a false positive). 

Samphas1 (Participant)

Hi @PhoneBoy ,

Could you please provide me with a guide on where I can change that policy from Detect to Prevent action? And one more thing: what is the recommendation and user experience (Detect or Prevent action)?

Chris_Atkinson (Employee)

Per the previous thread there are a couple of methods.

Security Policies > Threat Prevention > Custom Policy

1. Profile - Activation mode:

[Screenshot: Activation mode.png]

2. Specific protections (IPS):

Custom Policy tools - IPS protections

[Screenshot: IPS.png]

Custom Policy tools - Protections (AV/AB)

[Screenshot: Protections.png]

CCSM R77/R80/ELITE
Timothy_Hall (Legend)

In addition to the great stuff Chris gave you, be aware that having AV/ABOT enforcement set to "Background" can cause a Detect to occur even if all relevant settings were configured to Prevent.  Here is the relevant text from my IPS/AV/ABOT Immersion course explaining why:

Note that if “Background” is set for Anti-Virus and/or Anti-Bot, it can result in situations where the reported action in the log is “Detect”, even though the relevant protection is set to “Prevent” in the applicable TP profile. This can occur when some unknown content is encountered by AV/ABOT, but because “Background” is set, the content is let through the firewall while the unknown data is sent off to the ThreatCloud for evaluation. If the ThreatCloud returns a “malicious” verdict, a log is created with an action of Detect (which is what really happened, but after-the-fact). Subsequent encounters with this content now known to be malicious will of course be dropped with a Prevent action and associated log. Further information: sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock (Legend)
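The two points above, PhoneBoy's (the impact of switching to Prevent depends on whether each detection is a false positive) and Timothy_Hall's (a Detect can be the after-the-fact ThreatCloud verdict when AV/Anti-Bot runs in Background mode, with later hits on the same content Prevented), can be checked against exported logs before any profile is changed. The following is an added example, not code from this thread or from Check Point. It parses constructed key=value log lines (the field names time, blade, action, protection, src and dst are assumptions for illustration, not the exact Log Exporter schema), groups events per blade and protection, flags a protection that logged Detect before a later Prevent as the Background-mode pattern from sk74120, and lists the sources behind Detect-only protections so they can be reviewed for false positives before the protection is set to Prevent.

```python
"""Triage Threat Prevention Detect events from exported gateway logs.

Added example, not from the thread. Log lines and field names below are
constructed for illustration and are not real gateway output.
"""
import shlex
from collections import defaultdict

# Constructed sample log lines (assumed key=value layout, not a real export).
SAMPLE_LOGS = """\
time=2024-05-01T10:00:01 blade=Anti-Virus action=Detect protection="Trojan.Win32.Generic.A" src=10.1.1.5 dst=203.0.113.10
time=2024-05-01T10:00:09 blade=Anti-Virus action=Prevent protection="Trojan.Win32.Generic.A" src=10.1.1.6 dst=203.0.113.10
time=2024-05-01T10:02:30 blade=Anti-Bot action=Detect protection="Botnet.C2.Example" src=10.1.1.7 dst=198.51.100.20
time=2024-05-01T10:03:45 blade=Anti-Bot action=Detect protection="Botnet.C2.Example" src=10.1.1.8 dst=198.51.100.20
time=2024-05-01T10:05:00 blade=IPS action=Prevent protection="Example.Exploit.Signature" src=192.0.2.9 dst=10.1.1.20
"""


def parse_line(line):
    """Split one key=value line into a dict; shlex keeps quoted values whole."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def parse_logs(text):
    """Parse every non-empty line of an export into a list of records."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify(records):
    """Group events per (blade, protection) and explain each Detect.

    Returns {(blade, protection): {"detect": n, "prevent": n,
                                   "sources": [...], "verdict": str}}.
    """
    groups = defaultdict(lambda: {"detect": [], "prevent": [], "sources": set()})
    for rec in records:
        action = rec.get("action", "").lower()
        if action not in ("detect", "prevent"):
            continue  # other actions (e.g. Accept) are not TP verdicts
        group = groups[(rec["blade"], rec["protection"])]
        group[action].append(rec["time"])
        if action == "detect":
            group["sources"].add(rec["src"])

    result = {}
    for key, group in groups.items():
        # ISO-8601 timestamps sort correctly as strings.
        detects, prevents = sorted(group["detect"]), sorted(group["prevent"])
        if detects and prevents and detects[0] < prevents[0]:
            # First hit allowed, later hits blocked: the Background-mode
            # after-the-fact verdict behaviour described in sk74120.
            verdict = ("after-the-fact verdict: first hit allowed in Background "
                       "mode, later hits Prevented (sk74120)")
        elif detects:
            # Never prevented: the protection or profile is in Detect.
            verdict = ("Detect with no Prevent: protection or profile is in Detect; "
                       "review sources for false positives before switching to Prevent")
        else:
            verdict = "enforced: Prevent only"
        result[key] = {
            "detect": len(detects),
            "prevent": len(prevents),
            "sources": sorted(group["sources"]),
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for (blade, protection), info in sorted(classify(parse_logs(SAMPLE_LOGS)).items()):
        print(f"{blade:<11} {protection:<28} detect={info['detect']} "
              f"prevent={info['prevent']} sources={info['sources']}")
        print(f"    {info['verdict']}")
```

Run it against a real export by replacing SAMPLE_LOGS with the file contents and adjusting the field names to the ones your log format actually emits; the Detect-only group with its source list is the one to review with the business owners before flipping the protection to Prevent.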

Some vendors use the term "monitor", which is literally a fancy term for "detect", nothing else, and as @PhoneBoy said it would be allowed and Prevent would block the traffic.

Put it this way... I say the same thing to any customer. If you are not sure or clear on what profile to use, just stick with Optimized and modify it so it only uses IPS, if you don't plan to use the AV or AB blades.

It would simply save the profile as Optimized (clone), and then you right-click on the Threat Prevention policy and select that profile (you can see an example in my lab; I just gave it another name).

Andy

[Screenshots: Screenshot_1.png, Screenshot_2.png]
