This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lithin_Mathew
Contributor
‎2020-09-25 06:15 AM

Exclude Vulnerability Scanners from IPS Inspection

We are having multiple Vulnerability Scanners like Nessus and Tenable  in our Data Center which is performing continuous scans on our servers in DMZ, these scanners are placed in the Inside Zone and the traffic from these scanners pass through the Checkpoint.

Could anyone suggest the methods we have at present in Checkpoint to bypass these traffic from IPS Inspection as this will help to reduce the load on the firewall to a good extend.

  

0 Kudos
9 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-09-25 06:23 AM

Yes, create what I call a "null" threat prevention profile with all five TP blades including IPS unchecked.  Create a rule at the top of your Threat Prevention policy layer specifying the scanning boxes in the Protected Scope, and apply the null profile in the Action of that rule.  Doing it this way instead of using a TP exception will make the traffic potentially eligible for full acceleration by SecureXL and substantially reduce load on the gateway.  If you have more than one Threat Prevention policy layer (not likely), the null profile rule will need to be at the top of all TP layers.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Cyber_Serge
Collaborator
‎2020-09-25 06:38 PM
In response to Timothy_Hall

I have similar issues and TAC walk me through the TP exception in the profile. However, several actions still got logged such as FTP bounce; definitely giving the null profile a try. thanks!

0 Kudos
Lithin_Mathew
Contributor
‎2020-09-25 07:15 PM
In response to Timothy_Hall

Thank you @Timothy_Hall  for this new method.

I never thought doing this would make the traffic eligible for acceleration by SecureXL, will surely try this out.

Also is there any SK or article you would recommend regarding how SecureXL works through IPS, especially when it passes through the TP Policy and TP Exception, it would be really helpful.

Thanks in advance.

0 Kudos
dehaasm
Collaborator
‎2023-04-19 04:43 AM
In response to Timothy_Hall

Hi Timothy we created this profile with blades disabled to allow a vulnerability scanner to pass without being blocked, however it is still being prevented, looking at the IPS logs it matches on profile No_protection_5c852822be90f306 is this a bug?

We created the so-called null profile named bypass on top in the TP rules with protected scope the vulnerability scanner server, so that should be correct. We use R81.10 take 66

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2023-04-19 04:49 AM
In response to dehaasm

Have you tried using an Exception directly on the IPS protection? See example for Nessus Security Scanner:

2023-04-19 14_48_22-Add Exception.png

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-04-19 06:47 AM
In response to dehaasm

Hmm I've set up a signature-based exception before similar to what Chris proposed for a security scanner and had it work.  However all this does is change the final decision (usually Inactive/Ignore instead of Protect) and the firewall still expends overhead looking for it.  Might be related to it hitting against the "No Protection" profile you are seeing which seems like a bug to me; a properly configured null profile should work to completely skip IPS inspection.  If it doesn't, try a blade-based exception as described in my Gateway Performance Optimization R81.20 course:

bladeexception1.pngbladeexception2.pngbladeexception3.png

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
_Val_
Admin
Admin
‎2020-09-25 12:22 PM

Add an exception to TP policy, that should do the trick

Lithin_Mathew
Contributor
‎2020-09-25 07:09 PM
In response to _Val_

Thank you everyone for your quick response.

@Jim_Valko , yes at present we have Exception Rule in place for Scanner IP's but it is configured for DETECT Mode, is this something you would consider a right approach or should I change it to INACTIVE.

Thanks in advance.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-27 09:20 PM
In response to Lithin_Mathew

Detect means it's still processing the traffic, just not dropping on it.
This means the performance impact could actually be worse than simply dropping the traffic.
Inactive is the more performant choice.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events