Johannes_Schoen
Collaborator

Difference IPS and ThreatPrevention

Hi Community,

I'm new to CP IPS and confused:
Within Threat Prevention Policy, we got two Policy Layers, Shared IPS and Threat Prevention.

In both you can configure IPS and the other blades.
What is the sense behind this? Will this be enforced as a security policy layer?
What is the naming difference for Check Point between IPS and Threat Prevention in this context?
What happens if I enable in IPS only IPS, but in Threat Prevention everything except IPS?
What does "protected scope" mean - is it a src, dst or both?
What is best practice?

The admin guides are not helpful.

Looking forward to your input

Best Regards
Johannes

0 Kudos

Accepted Solutions
Maik
Advisor

Hey,

 

I can absolutely relate to your confusion, especially since I started working with Check Point at the R80+ level.

 

"IPS" layer => is used to manage IPS on sub R80 gateways (at least one sub R80 gateway with the IPS blade enabled must exist on the related SMS in order to have this layer)

"Threat Prevention" layer =>  is used to manage the IPS on R80+ gateways

 

The difference lies in the detail; so for example the "protected scope" (or source/destination) settings that you mentioned are configured differently - depending on the actual layer, either IPS or Threat Prevention.

The newer Threat Prevention layer for R80+ gateways offers the possibility to set a protected scope for each rule/profile where only specific hosts or networks (etc...) can be mentioned. As you see this can end up in a quite granular filtering process when it comes to using a specific profile only for a very limited number of devices in your network.

On the other hand, the older solution, configured via the "IPS" layer also offers columns such as "source", "destination" or "protection/site/file/blade". The difference is that you are unable to configure anything in this place. If you want to achieve some sort of granularity you need to open the specific gateways for which the IPS traffic applied and select "IPS" => "Protection Scope". Here you can choose between "Protect internal hosts only" (hosts behind an interface declared as internal) or "perform IPS inspection on all traffic". That's everything which is possible. In addition to that you have more options with the "Threat Prevention" layer in general, also when it comes to the exceptions in place.

Also; if you are asking yourself what the difference is between "protected scope" and "source" or "destination"... it's quite simple. While source or destination lets you specify whether a rule applies only from a specific host/network to a specific host/network, the column protected scope does not care about the direction, and therefore applies this rule if the mentioned host is either the source or the destination of a specific connection.

PS: In general, the "Threat Prevention" layer for R80+ gateways offers much more flexibility when it comes to Threat Prevention configuration. This can also be seen in the track column, where pcap creation is possible - this does not work for R77 (IPS layer) gateways - at least not in the same place and with the same granularity. The same thing is present for exceptions.

If you are interested in the details I can recommend the "IPS Immersion Training" by @Timothy_Hall - you can buy the video course and documentation on his web site. It definitely brings some light in the R80+ IPS configuration, and also gives you insights to the past.
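The difference between a source/destination rule and a direction-agnostic "protected scope", as described in the answer above, shown as an added example that is not part of the original post and is not Check Point's matching engine. It is a simplified model; the function names, networks and connections are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str


def in_any(ip, networks):
    """True if ip falls inside at least one of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def matches_src_dst(conn, sources, destinations):
    """Directional rule: source AND destination columns must both match."""
    return in_any(conn.src, sources) and in_any(conn.dst, destinations)


def matches_protected_scope(conn, scope):
    """Protected scope: the rule applies if EITHER endpoint is in scope."""
    return in_any(conn.src, scope) or in_any(conn.dst, scope)


# Constructed sample data (documentation/private address ranges).
SERVERS = ["10.1.20.0/24"]
ANY = ["0.0.0.0/0"]
CONNS = {
    "client -> server": Conn("198.51.100.7", "10.1.20.15"),
    "server -> outside": Conn("10.1.20.15", "203.0.113.9"),
    "unrelated host": Conn("10.1.30.4", "203.0.113.9"),
}


def compare():
    """Map each sample connection to (src/dst rule hit, protected-scope hit)."""
    return {
        name: (matches_src_dst(c, ANY, SERVERS),
               matches_protected_scope(c, SERVERS))
        for name, c in CONNS.items()
    }


if __name__ == "__main__":
    for name, (directional, scoped) in compare().items():
        print(f"{name:18} src/dst={directional!s:5} protected_scope={scoped}")
```

The connection initiated by the server is covered only by the protected-scope rule; a rule that lists the servers as destination alone does not match it.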

 

 

Johannes_Schoen
Collaborator
Many thanks for your response - now it's much clearer
0 Kudos
r1der
Advisor

Thanks, I started on R80.10, and was curious about this.

0 Kudos
Tal_Paz-Fridman
Employee

Hi

The specific layer is for Security Gateways with IPS that are pre-R80.

When enabling IPS on such Security Gateway the following message is given:

[Image: IPS First TIme Activation.jpg]

 

The Online Help states the following:

Threat Prevention Layers in Pre-R80 Gateways

In pre-R80 versions, the IPS Software Blade was not part of the Threat Prevention Policy, and was managed separately. In R80.xx versions, the IPS Software Blade is integrated into the Threat Prevention Policy.

When you upgrade SmartConsole to R80.xx from earlier versions, with some Security Gateways upgraded to R80.xx, and other Security Gateways remaining in previous versions:

  • For pre-R80 gateways with IPS and Threat Prevention Software Blades enabled, the policy is split into two parallel layers: IPS and Threat Prevention.

    To see which Security Gateway enforces which IPS profile, look at the Install On column in the IPS Layer.

  • R80.xx gateways are managed separately, based on the R80 or higher Policy Layers.

Best Practice - For better performance, we recommend that you use the Optimized profile when you upgrade to R80 or higher from earlier versions.

 

 

HTH

Tal

 
0 Kudos
