VikingsFan
Collaborator

Exceptions and N/A under Protection/Site/File/Blade

Looking into Exceptions for Threat Prevention. We have a handful of exceptions under our profile and also Global Exceptions where it is N/A under the Protection/Site/File/Blade column. I was told this is like the 'Any' in a security policy and it should cover everything. I'm starting to question this as I'm looking at some logs. Is this correct, or do I need to select all the blades, or maybe at minimum the IPS blade if that's what we're trying to exclude?

See attachments for examples.  Shows the NA field and also in our logs where I'm seeing detects for the source/destination that are in the exclusion.

exclusion.png

logs.png


Accepted Solutions
VikingsFan
Collaborator

Just a final update on this... worked with TAC on the issue and the specific exclusion I was reviewing was not applying because it was a Host Port Scan core protection which doesn't have a Prevent and exclusions are ignored.  We applied the fix and the exclusions are working now: https://support.checkpoint.com/results/sk/sk103568

 

5 Replies
_Val_
Admin

Try making explicit exceptions in the IPS policy for those sources and destinations, and see if it makes any difference.

In any case, a port scan is a non-intrusive notification, no traffic is interrupted by this IPS detection.

VikingsFan
Collaborator

Hi Val.  The screenshot of the detects was just an example and the real question is under the Threat Prevention>Exceptions area... if the exception is set to N/A under the 'Protection/Site/File/Blade' column, what is the result? I can't find any docs that explain what the outcome is when the rule is set this way.

So if I have an exception with a source, destination and services set to Action-Inactive but the Blade column is N/A does that mean all blades are covered or no blades and the rule is not doing anything?  And is there any documentation surrounding this?

_Val_
Admin

Also, I could not find a reference where N/A would be used in Threat Prevention exception rules. You may want to re-check that.

PhoneBoy
Admin

I believe it means "nothing matches" in the context pictured.
It certainly seems that way based on behavior 🙂
In which case, you should probably specify IPS (if that's what you're trying to exclude).
