Matlu
Advisor

Doubt about Threat Prevention

Hello, everyone.

One doubt, the "Threat Prevention" solution, I understand, involves the "IPS, AntiBot, Antivirus" blades, is that correct?

I have this solution implemented in my Cluster Firewalls.
And currently we have generated a "report" in the SmartConsole, of the last 7 days, in which we observe what I expose in the following image.

TP.png

I understand that the above mentioned blades are doing their "job" of "blocking malicious activity", is that correct?

However, we note, according to the report generated, that there are 24 hosts that were infected.
Can this be the "responsibility" of the security blades?
Is it natural that the computer does not block 100% of all malicious activity?

What solution could be provided for those sites that have already been infected?


Greetings.

0 Kudos
10 Replies
Chris_Atkinson
Employee

What is the configuration of your TP profile with regards to low confidence threats or those protections with a critical performance rating - detect or prevent?

Also Anti-bot can be considered a post infection technology in part since it looks for subsequent command & control communication implying in some cases that the host has already encountered a threat potentially through other means.

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

Good morning,

Sorry for the delay.

These are the rules I have created at TP level.

And the profile that is applied in the rules.

IPS1.png

IPS.png

Could you tell me how you see the behavior of my rule, and whether it would be advisable to "tune" it a little more?

Greetings.

0 Kudos
Chris_Atkinson
Employee

Low confidence has some potential for false positives, did you check any such occurrence to confirm they were legitimate or otherwise?

Basically you should review these settings in the context of the specific (detect) log entries seen for your environment / traffic to determine what to tune.

Prevent is the most secure setting, obviously.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Hey bro,

As Chris said, it also depends on how TP policy is configured.

Andy

0 Kudos
Matlu
Advisor

Hi, Buddy.

If for example, your profile for low risk threats is set, let's imagine in "detect" mode, and you decide to change it to "prevent" mode.

3 queries.

Does the Firewall, if you change from DETECT to PREVENT, increase its consumption of hardware resources, such as CPU/Memory?
Is it advisable to put everything in Prevent mode?
The reports generated in the SmartConsole, if everything is in Prevent, would not "show" me any infected host, right?

Thanks for the support as always. 🙂

0 Kudos
the_rock
Legend

Put it this way...when it's in detect, that means everything is allowed. I would say, and this is even based on what TAC always recommends, it's advisable to use the optimized profile, unless you obviously need to make some exceptions.

What you posted for the rules seems fine to me.

As far as resources go, logically, I would say that having prevent active would use a little more resources, but it gives much better security.

Andy

0 Kudos
Matlu
Advisor

Is it advisable to "modify" the Activation Mode -> Low confidence to a "PREVENT" action?

Can this guarantee 100% that the Firewall, and its blades, will block all "malicious traffic", and that in the reports that are generated there would no longer be an "Infected Host" alert?

Greetings, 🙂

0 Kudos
PhoneBoy
Admin

A Low confidence protection has a high probability for false positives, which is why it is set to Detect mode by default.
Even if everything is set to prevent, if certain protections are activated, hosts will still show up on that list.
We really need to see the logs for one of the "infected" hosts to understand what's actually happening here.
Also recommend a TAC case in parallel: https://help.checkpoint.com

0 Kudos
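Chris and PhoneBoy both say the answer lives in the Detect-mode log entries. As an added example (not code from the thread or from Check Point), here is a small triage script over constructed key=value records: it counts what is currently only being detected (i.e. allowed), singles out low-confidence protections that fire repeatedly and need a false-positive check before moving them to Prevent, and lists the hosts that Anti-Bot flags, since those hits are post-infection C&C indicators and will keep a host on the "infected" list whatever the action is. The record layout and field names (blade, action, confidence_level, protection_name, src) are assumptions for the example, not a real export format.

```python
from collections import Counter, defaultdict

# Constructed sample records in an assumed key=value layout; NOT real Check Point
# log output. Field names are assumptions chosen for this example.
SAMPLE_LOGS = """\
blade=Anti-Bot;action=Detect;confidence_level=High;protection_name=Trojan.Win32.Generic.C2;src=10.1.1.24
blade=IPS;action=Detect;confidence_level=Low;protection_name=HTTP Suspicious Header;src=10.1.1.24
blade=IPS;action=Detect;confidence_level=Low;protection_name=HTTP Suspicious Header;src=10.1.1.30
blade=IPS;action=Prevent;confidence_level=High;protection_name=SQL Injection Attempt;src=10.1.1.31
blade=Anti-Virus;action=Prevent;confidence_level=High;protection_name=Malicious File Download;src=10.1.1.24
blade=Anti-Bot;action=Detect;confidence_level=Medium;protection_name=DNS Tunneling Query;src=10.1.1.40
"""


def parse(raw):
    """Turn the key=value;key=value lines into a list of dicts."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        records.append(dict(pair.split("=", 1) for pair in line.split(";")))
    return records


def detect_only_summary(records):
    """Count Detect (allowed-through) events per blade/protection/confidence:
    this is exactly what a switch to Prevent would start dropping."""
    counts = Counter()
    for r in records:
        if r["action"] == "Detect":
            counts[(r["blade"], r["protection_name"], r["confidence_level"])] += 1
    return counts


def infected_hosts(records):
    """Hosts the report would show as infected: Anti-Bot hits are post-infection
    (command & control) indicators, so the host is flagged whether the action
    was Detect or Prevent."""
    hosts = defaultdict(set)
    for r in records:
        if r["blade"] == "Anti-Bot":
            hosts[r["src"]].add(r["protection_name"])
    return dict(hosts)


def tuning_candidates(records, min_hits=2):
    """Low-confidence protections firing repeatedly in Detect: confirm against
    real traffic before moving the profile's low-confidence action to Prevent."""
    summary = detect_only_summary(records)
    return sorted(p for (_, p, c), n in summary.items() if c == "Low" and n >= min_hits)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    for key, n in detect_only_summary(recs).items():
        print(n, key)
    print("hosts flagged by Anti-Bot:", infected_hosts(recs))
    print("low-confidence protections to verify:", tuning_candidates(recs))
```

Feed it the Detect entries from your own Threat Prevention logs (exported in whatever format you have, after adapting `parse`) and the two lists give you the tuning discussion Chris asked for and the per-host evidence PhoneBoy asked for.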
PhoneBoy
Admin

Detect and Prevent involve the same work except for the final action: drop or allow.
Which means there should be little to no difference in terms of CPU/Memory.
You might even see a slight improvement in these areas by moving to Prevent.

I'd say for the majority of customers, a good starting point would be to use the Optimized IPS profile and tune up/down from there depending on your environment and requirements.

0 Kudos
PhoneBoy
Admin

It could be someone browsed (inadvertently) to a page that may have made a query that got flagged by one of the Threat Prevention blades.
You'd have to dig into the logs to see what the nature of the infections is.

0 Kudos