Ruben_Starkovsk

Difference between "Protected Scope" and "Destination"

What's the difference between "Destination" and "Protected Scope" in the Threat Prevention policy and Global Exception rules, and when would you use either?

4 Replies
Daniel_Taney

I believe "Protected Scope" is used in the Threat Prevention policy to designate an entity that you want protected (i.e. a single host, group of hosts, network, etc...). It is my understanding that this applies the protections in the policy to those nodes whether the malicious traffic is inbound or outbound. 

Whereas "Destination" would only apply the rule to traffic headed outbound. 

R80 CCSA / CCSE
cosmos

I would like to know what the official answer is from Check Point.... anyone?

Timothy_Hall

Protected Scope means match/scan all traffic going to/from this object regardless of which way the connection was originally initiated, as generally we don't care about "directionality" for the process of Threat Prevention.  We most certainly do care about that in Access Control policies.

If however the hidden Threat Prevention Source/Destination policy fields are exposed then populated (they both default to Any), you are implying directionality for what you want to scan.  So if in your TP policy Source is "net1", Destination is Any, and Protected Scope is Any, only connections initiated from net1 and the replies will match that rule and be scanned via the associated profile.  Connections initiated from outside net1 into it will not match that TP rule at all for traffic in both directions.

I got this question a lot in various classes so here is the coverage of this topic from my 2021 IPS/AV/ABOT Video Series class:

tp_src_dst.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
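To make the matching difference described above concrete, here is an added Python model (my own illustration, not Check Point's matching code and not part of the original thread) that evaluates the two rule shapes, Source=net1/Destination=Any/Scope=Any versus Protected Scope=net1, against a constructed outbound-initiated and inbound-initiated connection; the network, addresses and rule names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass(frozen=True)
class TPRule:
    """Simplified model of one Threat Prevention rule (assumed, not Check Point's)."""
    name: str
    source: str = ANY            # hidden Source column, defaults to Any
    destination: str = ANY       # hidden Destination column, defaults to Any
    protected_scope: str = ANY   # Protected Scope column


@dataclass(frozen=True)
class Connection:
    initiator: str   # IP that opened the connection
    responder: str   # IP that was connected to


def _in(obj: str, ip: str) -> bool:
    return obj == ANY or ip_address(ip) in ip_network(obj)


def rule_matches(rule: TPRule, conn: Connection) -> bool:
    """Source/Destination are checked against the initiating direction only, so
    the rule covers that connection and its replies but not connections opened
    the other way.  Protected Scope matches when either endpoint is inside it,
    regardless of who initiated.  Assumed model for illustration."""
    directional = _in(rule.source, conn.initiator) and _in(rule.destination, conn.responder)
    scoped = _in(rule.protected_scope, conn.initiator) or _in(rule.protected_scope, conn.responder)
    return directional and scoped


NET1 = "10.1.0.0/16"  # assumed "net1" object
# Constructed sample connections: one opened from inside net1, one opened into net1.
OUTBOUND = Connection(initiator="10.1.5.5", responder="203.0.113.10")
INBOUND = Connection(initiator="203.0.113.10", responder="10.1.5.5")

SRC_RULE = TPRule("src-net1", source=NET1)               # Source=net1, Dest=Any, Scope=Any
SCOPE_RULE = TPRule("scope-net1", protected_scope=NET1)  # Scope=net1, Src/Dst left at Any


def compare() -> dict:
    """Return (matches outbound-initiated, matches inbound-initiated) per rule."""
    return {r.name: (rule_matches(r, OUTBOUND), rule_matches(r, INBOUND))
            for r in (SRC_RULE, SCOPE_RULE)}


if __name__ == "__main__":
    for name, (out_hit, in_hit) in compare().items():
        print(f"{name}: outbound-initiated={out_hit} inbound-initiated={in_hit}")
```

Running it shows the src-net1 rule missing the inbound-initiated connection entirely while the scope-net1 rule catches both, which is the behaviour the answer above describes.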
Thomas_Eichelbu

Hello Team!

I am not sure if it is best practice to open a follow-up question on very old posts, anyway.

Protected Scope vs SRC and DST in the TP Rulebase.
Does it have any performance implications?


Currently I am working on a performance issue, CIFS traffic over a 100Mbit line.
Mostly we achieve 100Mbit throughput, sometimes not.


we have enabled all blades.

enabled_blades
fw vpn cvpn urlf av appi ips SSL_INSPECT anti_bot content_awareness mon zero_phishing

ISP redundancy is enabled
-> kills SXL

Zones are enabled on all interfaces
-> Kills SXL Templating

TP Profile with AV Deep and even Archive Scan.
These are all settings which negatively affect SXL.
ISP Redundancy sets all my traffic in the slow path, but I think VPN is not affected by ISP Redundancy, at least I don't see any VPN connections in the slow path (checked with fw tab -t connections -z).

We need to test more, but I think setting a policy with Protected Scope does a lot of harm to performance compared to using SRC & DST. Of course, when using SRC and DST one can narrow down on the true use case.

So what is your performance-related experience, Protected Scope vs SRC & DST policies?
Second:
Protected Scope in the profile:
(Yes, we enabled all blades and all functions, because We Secure The Internet and pay for it!)
Setting "Inspect incoming files from the following interface" to ALL and "Inspect incoming and outgoing files" is almost equal except for the outgoing part, but I think this setting kicks our performance down, even compared to Deep & Archive Scan.
Also, our TP Policy is based on SRC & DST and not on Protected Scope. Does this mess up somehow with the profile?

9.PNG

My impression is that when using Protected Scope it is slower, and SRC & DST makes it faster.
But we need more tests to get a clear picture.

Software is always the latest and greatest, R81.20 HFA84
3600 (100Mbit line)  and 3800 (300Mbit line) appliances

Any ideas?
