Gateway properties - IPS - Does changing this setting take precedence over everything IPS related?
Hi Team,
Gateway Cluster Properties page: the IPS tab --> Activation Mode --> "According to Threat Prevention policy" or "Detect only" modes.
Does this setting take precedence over all the IPS configuration (inactive, detect, prevent) of signatures? Where is this setting described in the R80.30 documentation?
Cheers!
Accepted Solutions
It uses the configuration as follows: inactive is still inactive, detect stays detect (and is no good anyway, as it costs the same resources as prevent, but without much gain), and prevent gets changed to detect.
As Gunter says setting "Detect Only" temporarily causes IPS protections set to Prevent to act like Detect. As mentioned in my IPS Immersion series this function was called "Troubleshooting Mode" in R77.30 and earlier, and may still be referred to by that name in some places.
Hi,
You can find the information here: Threat Prevention R80.30 Administration Guide (checkpoint.com)
It actually only mentions Anti-Bot and Anti-Virus, but it's the same with IPS. When choosing "Detect Only", nothing is blocked but only logged, and "According to policy" is obviously blocking traffic if you have configured it properly.
Yes, that's the issue. I can't find any related info on the IPS settings. There are many settings on that page also.
Thank you G_W. Sounds like Threat Emulation setting to Detect does the same thing here.
@Marcel - The settings for Anti-Virus and Anti-Bot aren't on this page, and per G_W, what he mentions makes sense as far as the Firewall properties settings are concerned. CP has settings everywhere for everything and they are not very intuitive. I would say for the majority of common administrators this becomes a major headache unless you have a dedicated team of pros, tons of money for TAC and a forgiving workplace.