Ihenock1011
Advisor

IPS Core Protection

Hi All,

I have a question about the Threat Prevention custom policy, specifically the IPS protection section. For the core protections, there are two options. For example, if you look at Host Port Scan for each profile, the action is either "Accept" or "Inactive." However, for other core protections, such as HTTP URL pattern, there is an additional "Drop" option. What do the "Accept," "Inactive," and "Block" actions do, and why is the "Block" action added to some of the core protections?

Thanks,

9 Replies
the_rock
Legend

Hey bro,

Those are default IPS protections, regardless of whether you have the IPS blade enabled or not. I would leave those as is; there is no need to change them unless you are 100% positive an exception needs to be added.

Andy

PhoneBoy
Admin

Because for some protections (like anything HTTP related) there is an active connection that gets terminated if they trigger and the “Block” action is specified.
For protections that don’t involve an active TCP/UDP connection, you won’t see a block action.

Inactive means the system does not try to look for it.
Accept means look for it but allow it (i.e. like a regular IPS protection in Detect mode).

Ihenock1011
Advisor

"Accept means look for it but allow it (i.e. like a regular IPS protection in Detect mode)"

Doesn't the IPS prevent in all conditions?

the_rock
Legend

Definitely NOT.

the_rock
Legend

Btw, you can even examine the Optimized profile out of the box, which is what CP recommends anyway, and a bunch of protections are set to inactive/detect.

Andy

PhoneBoy
Admin

Depends on your Threat Prevention profile/configuration.
The Optimized profile (which is the default one) has several protections either Disabled or in Detect mode.

Ihenock1011
Advisor

Sorry if I am boring you. What exactly do I have to do, for example, to block HTTP URL patterns and host port scanning?

the_rock
Legend

Check out the example; you just edit the given protection and change the action for the IPS profile you are using.

Andy

Screenshot_1.png

Screenshot_2.png
PhoneBoy
Admin

For anything HTTP related, HTTPS Inspection is required to see the full URLs.
This is in addition to enabling the relevant protections and installing the Access Policy.

Portscans are a little more complicated: https://support.checkpoint.com/results/sk/sk110873
