Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Lithin_Mathew
Contributor

Exclude Vulnerability Scanners from IPS Inspection

We are having multiple Vulnerability Scanners like Nessus and Tenable  in our Data Center which is performing continuous scans on our servers in DMZ, these scanners are placed in the Inside Zone and the traffic from these scanners pass through the Checkpoint.

Could anyone suggest the methods we have at present in Checkpoint to bypass these traffic from IPS Inspection as this will help to reduce the load on the firewall to a good extend.

  

0 Kudos
9 Replies
Timothy_Hall
Legend Legend
Legend

Yes, create what I call a "null" threat prevention profile with all five TP blades including IPS unchecked.  Create a rule at the top of your Threat Prevention policy layer specifying the scanning boxes in the Protected Scope, and apply the null profile in the Action of that rule.  Doing it this way instead of using a TP exception will make the traffic potentially eligible for full acceleration by SecureXL and substantially reduce load on the gateway.  If you have more than one Threat Prevention policy layer (not likely), the null profile rule will need to be at the top of all TP layers.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Cyber_Serge
Collaborator

I have similar issues and TAC walk me through the TP exception in the profile. However, several actions still got logged such as FTP bounce; definitely giving the null profile a try. thanks!

0 Kudos
Lithin_Mathew
Contributor

Thank you @Timothy_Hall  for this new method.

I never thought doing this would make the traffic eligible for acceleration by SecureXL, will surely try this out.

Also is there any SK or article you would recommend regarding how SecureXL works through IPS, especially when it passes through the TP Policy and TP Exception, it would be really helpful.

Thanks in advance.

0 Kudos
dehaasm
Collaborator

Hi Timothy we created this profile with blades disabled to allow a vulnerability scanner to pass without being blocked, however it is still being prevented, looking at the IPS logs it matches on profile No_protection_5c852822be90f306 is this a bug?

We created the so-called null profile named bypass on top in the TP rules with protected scope the vulnerability scanner server, so that should be correct. We use R81.10 take 66

0 Kudos
Tal_Paz-Fridman
Employee
Employee

Have you tried using an Exception directly on the IPS protection? See example for Nessus Security Scanner:

2023-04-19 14_48_22-Add Exception.png

0 Kudos
Timothy_Hall
Legend Legend
Legend

Hmm I've set up a signature-based exception before similar to what Chris proposed for a security scanner and had it work.  However all this does is change the final decision (usually Inactive/Ignore instead of Protect) and the firewall still expends overhead looking for it.  Might be related to it hitting against the "No Protection" profile you are seeing which seems like a bug to me; a properly configured null profile should work to completely skip IPS inspection.  If it doesn't, try a blade-based exception as described in my Gateway Performance Optimization R81.20 course:

bladeexception1.pngbladeexception2.pngbladeexception3.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
_Val_
Admin
Admin

Add an exception to TP policy, that should do the trick

Lithin_Mathew
Contributor

Thank you everyone for your quick response.

@Jim_Valko , yes at present we have Exception Rule in place for Scanner IP's but it is configured for DETECT Mode, is this something you would consider a right approach or should I change it to INACTIVE.

Thanks in advance.

 

0 Kudos
PhoneBoy
Admin
Admin

Detect means it's still processing the traffic, just not dropping on it.
This means the performance impact could actually be worse than simply dropping the traffic.
Inactive is the more performant choice.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events