Exclude Vulnerability Scanners from IPS Inspection
We have multiple vulnerability scanners, such as Nessus and Tenable, in our data center that perform continuous scans on our servers in the DMZ. These scanners are placed in the Inside zone, and the traffic from them passes through the Check Point.
Could anyone suggest the methods we currently have in Check Point to bypass this traffic from IPS inspection, as this will help reduce the load on the firewall to a good extent?
Yes, create what I call a "null" threat prevention profile with all five TP blades including IPS unchecked. Create a rule at the top of your Threat Prevention policy layer specifying the scanning boxes in the Protected Scope, and apply the null profile in the Action of that rule. Doing it this way instead of using a TP exception will make the traffic potentially eligible for full acceleration by SecureXL and substantially reduce load on the gateway. If you have more than one Threat Prevention policy layer (not likely), the null profile rule will need to be at the top of all TP layers.
now available at maxpowerfirewalls.com
I have similar issues, and TAC walked me through the TP exception in the profile. However, several actions still got logged, such as FTP bounce; definitely giving the null profile a try. Thanks!
Thank you @Timothy_Hall for this new method.
I never thought doing this would make the traffic eligible for acceleration by SecureXL; I will surely try this out.
Also, is there any SK or article you would recommend regarding how SecureXL works with IPS, especially when traffic passes through the TP policy and TP exceptions? It would be really helpful.
Thanks in advance.
Hi Timothy, we created this profile with the blades disabled to allow a vulnerability scanner to pass without being blocked; however, it is still being prevented. Looking at the IPS logs, it matches on profile No_protection_5c852822be90f306. Is this a bug?
We created the so-called null profile, named bypass, at the top of the TP rules with the vulnerability scanner server as the protected scope, so that should be correct. We use R81.10 Take 66.
Have you tried using an exception directly on the IPS protection? See the example for Nessus Security Scanner:
Hmm, I've set up a signature-based exception before, similar to what Chris proposed for a security scanner, and had it work. However, all this does is change the final decision (usually Inactive/Ignore instead of Protect), and the firewall still expends overhead looking for it. It might be related to it hitting against the "No Protection" profile you are seeing, which seems like a bug to me; a properly configured null profile should work to completely skip IPS inspection. If it doesn't, try a blade-based exception as described in my Gateway Performance Optimization R81.20 course:
now available at maxpowerfirewalls.com
Add an exception to the TP policy; that should do the trick.
Thank you everyone for your quick response.
@Jim_Valko, yes, at present we have an exception rule in place for the scanner IPs, but it is configured for Detect mode. Is this something you would consider the right approach, or should I change it to Inactive?
Thanks in advance.
Detect means it's still processing the traffic, just not dropping on it.
This means the performance impact could actually be worse than simply dropping the traffic.
Inactive is the more performant choice.
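The thread contrasts two approaches: a "null" Threat Prevention profile applied by a rule at the top of every TP layer (the flow matches no blade and can be fully accelerated), versus a TP exception in Detect or Inactive mode (the flow is still inspected; Detect additionally logs). The model below is an added example, not Check Point code and not a description of the real gateway engine: it is a simplified first-match simulation of the behaviour the posts describe, plus a lint that catches the two mistakes raised in the thread (a null-profile rule that is not first in a layer, or a scanner missing from its Protected Scope). All layer, rule and profile names and the scanner addresses are constructed.

```python
"""Simplified model of the TP rulebase behaviour described in the thread.
Constructed for illustration only; not Check Point's engine or API."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# The five Threat Prevention blades a profile can enable or disable.
BLADES = ("ips", "anti-bot", "anti-virus", "threat-emulation", "threat-extraction")


@dataclass
class Profile:
    name: str
    blades: Dict[str, bool]  # blade -> enabled

    def is_null(self) -> bool:
        """A 'null' profile has every blade unchecked."""
        return not any(self.blades.get(b, False) for b in BLADES)


@dataclass
class TPRule:
    name: str
    protected_scope: List[str]  # IPs/CIDRs, or "any"
    profile: Profile


@dataclass
class TPException:
    scope: List[str]
    action: str  # "detect" or "inactive"


@dataclass
class Layer:
    name: str
    rules: List[TPRule]
    exceptions: List[TPException] = field(default_factory=list)


@dataclass
class Verdict:
    blades_run: List[str]  # blades that still inspect the flow
    logged: bool           # whether matches can produce TP logs
    accelerable: bool      # no blade touches the flow at all


def in_scope(ip: str, scope: List[str]) -> bool:
    addr = ip_address(ip)
    return any(s == "any" or addr in ip_network(s, strict=False) for s in scope)


def first_match(layer: Layer, src_ip: str) -> Optional[TPRule]:
    return next((r for r in layer.rules if in_scope(src_ip, r.protected_scope)), None)


def evaluate(layers: List[Layer], src_ip: str) -> Verdict:
    """Walk every TP layer; a null-profile match skips the layer entirely, while an
    exception only changes the outcome (Detect keeps logging, Inactive does not)."""
    blades_run: List[str] = []
    logged = False
    for layer in layers:
        rule = first_match(layer, src_ip)
        if rule is None or rule.profile.is_null():
            continue
        for b in BLADES:
            if rule.profile.blades.get(b, False) and b not in blades_run:
                blades_run.append(b)
        exc = next((e for e in layer.exceptions if in_scope(src_ip, e.scope)), None)
        if exc is None or exc.action == "detect":
            logged = True
    return Verdict(blades_run, logged, accelerable=not blades_run)


def lint_bypass(layers: List[Layer], scanner_ips: List[str]) -> List[str]:
    """Findings for the pitfalls named in the thread: the null-profile rule must be the
    top rule of every layer and must list every scanner in its Protected Scope."""
    findings: List[str] = []
    for layer in layers:
        top = layer.rules[0] if layer.rules else None
        if top is None or not top.profile.is_null():
            findings.append(f"{layer.name}: top rule does not use a null profile")
            continue
        for ip in scanner_ips:
            if not in_scope(ip, top.protected_scope):
                findings.append(f"{layer.name}: scanner {ip} not in scope of '{top.name}'")
    return findings


# Constructed sample objects.
NULL_PROFILE = Profile("Null_TP", {b: False for b in BLADES})
OPTIMIZED = Profile("Optimized", {b: True for b in BLADES})
SCANNERS = ["10.1.1.10", "10.1.1.11"]


def build_layers(null_rule_on_top: bool, exception_action: Optional[str] = None,
                 extra_layer: bool = False) -> List[Layer]:
    rules = [TPRule("Catch-all", ["any"], OPTIMIZED)]
    if null_rule_on_top:
        rules.insert(0, TPRule("Bypass scanners", SCANNERS, NULL_PROFILE))
    exceptions = [TPException(SCANNERS, exception_action)] if exception_action else []
    layers = [Layer("Standard Threat Prevention", rules, exceptions)]
    if extra_layer:  # a second TP layer where the null rule was forgotten
        layers.append(Layer("Second TP layer", [TPRule("Catch-all", ["any"], OPTIMIZED)]))
    return layers


if __name__ == "__main__":
    for label, layers in [("null rule", build_layers(True)),
                          ("detect exception", build_layers(False, "detect")),
                          ("inactive exception", build_layers(False, "inactive"))]:
        print(label, evaluate(layers, SCANNERS[0]))
    print(lint_bypass(build_layers(True, extra_layer=True), SCANNERS))
```

Running the module prints that only the null-rule layout leaves a scanner flow with no blades and `accelerable=True`, that a Detect exception keeps both inspection and logging, and that an Inactive exception stops the logging but not the inspection. The lint reports the second layer when the null rule was added to only one of two TP layers, which matches the advice to put it at the top of all of them.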