Hi,
We have two separate gateways (let's call them fwext and fwint) which are managed by a single management machine.
Up until today we had IPS enabled only on gateway A (only IPS, no antibot, antivirus, etc.).
In Smart Console it was configured under Custom Policy as:
Source: Any
Destination: Any
Protection/Site/File/Blade: N/A
Services: Any
Action: Gateway_ext_Profile
Install on: fwext
We now want to enable it also on gateway fwint.
I created a new IPS Profile (set to Detect) for gateway B and set it like this:
Source: Specific networks
Destination: Any
Protection/Site/File/Blade: N/A
Services: Any
Action: Gateway_int_Profile
Install on: Gateway fwint
It looks like it's working, I see detection in the logs, BUT:
1. I also see detections which are not coming from the specific networks defined.
2. I created exceptions for rule no. 2 but they don't have any effect on the traffic.
We also have exceptions for rule no. 1 which work fine.
I'm having trouble understanding the topology and management of the IPS settings for different gateways, since it's basically a shared policy.
The issues you are experiencing are related to your use of the legacy "IPS" layer. This layer was intended to be used only by R77.30 and earlier gateways and will work with newer gateways, but is inappropriate for use with a gateway running R80.10+ or later. This IPS layer reflects the inherent limitations in the IPS feature on R77.30 and earlier gateways; the IPS capabilities and management were significantly overhauled and unified with the rest of Threat Prevention in R80.10+.
You've already encountered one of those limitations: R77.30 and earlier gateways did not have "Inactive" as a possibility for an exception so while it will let you set that in the SmartConsole, you get Detect anyway. That type of exception will work correctly once you get rid of the legacy IPS layer. Check out the two threads below for the procedure, and I've also included the page from my R81.20 IPS/AV/ABOT Immersion self-guided video course discussing the legacy IPS layer.
Move IPS profile rules to Threat Prevention layer
Difference IPS and ThreatPrevention
Actual log cards with sensitive details redacted would help, along with version/JHF of gateways and management.
You're right, forgot to mention - R81.10, JHF 66.
This traffic should have been ignored due to exception rule 2.3 from previous screenshot:
And, according to the Source entries in Rule 2 in screenshots from previous post, the following traffic shouldn't have been detected, it's not originating from the source groups:
What does Matched Rules say in this case (other tab in the log cards)?
So for both examples I gave, the Matched Rules says:
The IPS profile I use is NOT Optimized, but I see that the Threat Prevention policy is set to Optimize.
Which now raises another question: how come Threat Prevention even works, since we don't have these blades active at all (anti-bot, antivirus, etc.)?
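As an added cross-check (not code from the thread or from Check Point), the script below automates the comparison the poster does by hand above: each Detect log card is tested against the rule that should be installed on its gateway, against the rule 2 source networks, and against the exception 2.3 ranges. The network ranges, the log-card field layout and the sample records are constructed placeholders, not values from the post.

```python
import ipaddress
from dataclasses import dataclass

# Intended policy as the thread describes it. Gateway and rule names are the
# poster's; the network ranges are constructed placeholders, not from the post.
RULE2_SOURCES = ["10.10.0.0/16", "192.168.50.0/24"]   # stand-in for "Specific networks"
RULE2_EXCEPTION_SOURCES = ["10.10.7.0/24"]           # stand-in for exception 2.3
POLICY = {
    "fwext": {"rule": "1", "sources": None},           # rule 1: Source Any, Install on fwext
    "fwint": {"rule": "2", "sources": RULE2_SOURCES},  # rule 2: specific sources, Install on fwint
}

@dataclass
class LogCard:
    """The few log-card fields needed for the cross-check (constructed layout)."""
    gateway: str
    src: str
    matched_rule: str
    action: str

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)

def audit(card):
    """Return findings where a Detect log card contradicts the intended policy."""
    findings = []
    expected = POLICY.get(card.gateway)
    if expected is None:
        return [f"unknown gateway {card.gateway}"]
    if card.matched_rule.split(".")[0] != expected["rule"]:
        findings.append(f"matched rule {card.matched_rule}, but only rule "
                        f"{expected['rule']} should be installed on {card.gateway}")
    if expected["sources"] is not None and not in_any(card.src, expected["sources"]):
        findings.append(f"source {card.src} is outside rule {expected['rule']} source networks")
    if card.gateway == "fwint" and card.action == "Detect" and in_any(card.src, RULE2_EXCEPTION_SOURCES):
        findings.append(f"source {card.src} is covered by exception 2.3 but was still logged as Detect")
    return findings

# Constructed sample log cards (not real logs from the thread).
SAMPLE = [
    LogCard("fwint", "10.10.3.4", "2", "Detect"),       # expected behaviour
    LogCard("fwint", "172.16.9.9", "2", "Detect"),      # source outside rule 2 networks
    LogCard("fwint", "10.10.7.20", "2", "Detect"),      # exception 2.3 should have suppressed this
    LogCard("fwext", "198.51.100.7", "1", "Detect"),    # rule 1 is Any/Any, nothing to flag
    LogCard("fwint", "203.0.113.5", "1", "Detect"),     # rule 1 matched on fwint, and source outside
]

def audit_all(cards):
    """Map index -> findings for every card that contradicts the policy."""
    return {i: audit(c) for i, c in enumerate(cards) if audit(c)}

if __name__ == "__main__":
    for idx, findings in audit_all(SAMPLE).items():
        print(f"card {idx}:", "; ".join(findings))
```

Running it over an exported set of log cards narrows the question to the specific records that disagree with the policy, which is what the "Matched Rules" tab then needs to explain.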