How packet flow works inside the IPS blade..?

BeaconBits · ‎2019-05-18

Hello Everyone,

I am troubleshooting one of the issue that involve the IPS.

But I'm unable to understand the IPS behaviour in terms of packet flow inside the IPS blade.

Can anyone share the IPS structure in Checkpoint firewall?

The administrative document does not explain well instead of configuration.

Regards,

B

Danny · ‎2019-05-18

Nick_Doropoulos · ‎2019-05-18

Hi B,

I take it that you have already consulted the ATRG IPS document and that it has not provided you with the requested information.

Could you elaborate for us what is the exact problem you are facing please in case we can help?

Thanks.

Timothy_Hall · ‎2019-05-18

As far as IPS and its related features, it goes more or less like this in R80.10+:

1) Geo Policy Enforcement

2) Inspection Settings enforcement as part of Access Policy

3) Core Activations & ThreatCloud Protections early in the Threat Prevention policy

Please provide what problem you are looking to solve and the gateway version, as IPS is implemented quite differently in R77.30 and earlier.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Lari_Luoma · ‎2019-05-18

More technical, but still very simplified steps. Go ahead and read the IPS ATRG as recommended earlier.

Passive Streaming (PSL)
1. Re-ordering of packets
Unified Streaming and ASPII
1. US decides which parser will handle this traffic
2. ASPII decides which protections to run for this traffic
Protocol Parsers
1. Parse protocols for RFC compliance etc. and recognize contexts.
2. Inspection settings and core protections are executed here.
CMI
1. Receives contexts from parsers.
2. Executes relevant protections to traffic
3. Returns result to parsers

PhoneBoy · ‎2019-05-19

Are you a member of CheckMates?