This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VikingsFan
Collaborator
‎2024-08-15 11:49 AM
Jump to solution

Exceptions and N/A under Protection/Site/File/Blade

Looking into Exceptions for Threat Prevention.  We have a handful of exceptions under our profile and also Global Exceptions where it is N/A under the Protection/Site/File/Blade column.  I was told this is like the 'Any' in a security policy and it should cover everything.  I'm starting to question this as I'm looking at some logs.  Is this correct or do I need to select all the blades or maybe at minimum the IPS blade if that's what we're trying to exclude.

See attachments for examples.  Shows the NA field and also in our logs where I'm seeing detects for the source/destination that are in the exclusion.

exclusion.png

logs.png

Labels
0 Kudos
1 Solution

Accepted Solutions
VikingsFan
Collaborator
‎2024-08-27 02:45 PM
Jump to solution

Just a final update on this... worked with TAC on the issue and the specific exclusion I was reviewing was not applying because it was a Host Port Scan core protection which doesn't have a Prevent and exclusions are ignored.  We applied the fix and the exclusions are working now: https://support.checkpoint.com/results/sk/sk103568

 

View solution in original post

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2024-08-19 12:23 AM
Jump to solution

Try macking explicit exceptions in the IPS policy for those sources and destinations, and see if it makes any difference. 

In any case, a port scan is a non-intrusive notification, no traffic is interrupted by this IPS detection.

0 Kudos
VikingsFan
Collaborator
‎2024-08-19 08:39 AM
In response to _Val_
Jump to solution

Hi Val.  The screenshot of the detects was just an example and the real question is under the Threat Prevention>Exceptions area... if the exception is set to N/A under the 'Protection/Site/File/Blade' column, what is the result? I can't find any docs that explain what the outcome is when the rule is set this way.

So if I have an exception with a source, destination and services set to Action-Inactive but the Blade column is N/A does that mean all blades are covered or no blades and the rule is not doing anything?  And is there any documentation surrounding this?

0 Kudos
_Val_
Admin
Admin
‎2024-08-19 12:31 AM
Jump to solution

Also, I could not find a reference where N/A would be used in Threat Prevention exception rules. You may want to re-check that.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-19 02:55 PM
Jump to solution

I believe it means "nothing matches" in the context pictured.
It certainly seems that way based on behavior 🙂
In which case, you should probably specify IPS (if that's what you're trying to exclude).

0 Kudos
VikingsFan
Collaborator
‎2024-08-27 02:45 PM
Jump to solution

Just a final update on this... worked with TAC on the issue and the specific exclusion I was reviewing was not applying because it was a Host Port Scan core protection which doesn't have a Prevent and exclusions are ignored.  We applied the fix and the exclusions are working now: https://support.checkpoint.com/results/sk/sk103568

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top