This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Advisor
‎2024-07-23 01:10 AM

IPS Core Protection

Hi All,

I have a question about the Threat Prevention custom policy, specifically the IPS protection section. For the core Protection, there are two options. For example, if you see Host Port Scan for each profile, the action is either "Accept" or "Inactive." However, for other core protections, such as HTTP URL pattern, there is an additional "Drop" option. What do the "Accept," "Inactive," and "Block" actions do, and why is the "Block" action added to some of the core protections?

Thanks,

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-07-23 06:04 AM

Hey bro,

Those are default IPS protections, regardless if you have IPS blade enabled or not. I would leave those as is, no need to change them, unless you are 100% positive exception needs to be added.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-23 06:27 AM

Because for some protections (like anything HTTP related) there is an active connection that gets terminated if they trigger and the “Block” action is specified.
For protections that don’t involve an active TCP/UDP connection, you won’t see a block action.

Inactive means the system does not try to look for it.
Accept means look for it but allow it (ie like a regular IPS protection in Detect mode).

0 Kudos
Ihenock1011
Advisor
‎2024-07-23 07:13 AM
In response to PhoneBoy

"Accept means look for it but allow it (ie like a regular IPS protection in Detect mode)"

Doesn't the IPS prevent in all conditions?

 
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-07-23 07:15 AM
In response to Ihenock1011

Definitely NOT.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-07-23 09:17 AM
In response to Ihenock1011

Btw, you can even examine optimized profile out of the box, which is what CP recommends anyway and bunch of protections are set to inactive/detect.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-23 11:28 AM
In response to Ihenock1011

Depends on your Threat Prevention profile/configuration.
The Optimized profile (which is the default one) has several protections either Disabled or in Detect mode. 

0 Kudos
Ihenock1011
Advisor
‎2024-07-23 09:45 PM
In response to PhoneBoy

Sorry if I am making you bored. What exactly do I have to do, for example, to block HTTP URL patterns and host port scanning?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-07-24 05:00 AM
In response to Ihenock1011

Check out the example, you just edit the given protection and change the action for the IPS profile you are using.

Andy

 

 

 

Screenshot_1.png

 

 

Screenshot_2.png

 

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-24 07:54 AM
In response to Ihenock1011

For anything HTTP related, HTTPS Inspection is required to see the full URLs.
This is in addition to enabling the relevant protections and installing the Access Policy.

Portscans are a little more complicated: https://support.checkpoint.com/results/sk/sk110873 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events