This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Collaborator
yesterday

IPS Core Protection

Hi All,

I have a question about the Threat Prevention custom policy, specifically the IPS protection section. For the core Protection, there are two options. For example, if you see Host Port Scan for each profile, the action is either "Accept" or "Inactive." However, for other core protections, such as HTTP URL pattern, there is an additional "Drop" option. What do the "Accept," "Inactive," and "Block" actions do, and why is the "Block" action added to some of the core protections?

Thanks,

0 Kudos
7 Replies
the_rock
Legend
Legend
yesterday

Hey bro,

Those are default IPS protections, regardless if you have IPS blade enabled or not. I would leave those as is, no need to change them, unless you are 100% positive exception needs to be added.

Andy

0 Kudos
PhoneBoy
Admin
Admin
yesterday

Because for some protections (like anything HTTP related) there is an active connection that gets terminated if they trigger and the “Block” action is specified.
For protections that don’t involve an active TCP/UDP connection, you won’t see a block action.

Inactive means the system does not try to look for it.
Accept means look for it but allow it (ie like a regular IPS protection in Detect mode).

0 Kudos
Ihenock1011
Collaborator
yesterday
In response to PhoneBoy

"Accept means look for it but allow it (ie like a regular IPS protection in Detect mode)"

Doesn't the IPS prevent in all conditions?

 
0 Kudos
the_rock
Legend
Legend
yesterday
In response to Ihenock1011

Definitely NOT.

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Ihenock1011

Btw, you can even examine optimized profile out of the box, which is what CP recommends anyway and bunch of protections are set to inactive/detect.

Andy

0 Kudos
PhoneBoy
Admin
Admin
yesterday
In response to Ihenock1011

Depends on your Threat Prevention profile/configuration.
The Optimized profile (which is the default one) has several protections either Disabled or in Detect mode. 

0 Kudos
Ihenock1011
Collaborator
yesterday
In response to PhoneBoy

Sorry if I am making you bored. What exactly do I have to do, for example, to block HTTP URL patterns and host port scanning?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events