This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
‎2021-03-23 05:12 AM
Jump to solution

IPS Prevent Email Alerts

Does anyone know if it's possible to set mail alerts on IPS Prevents?

I know you can set alerts in the Track dropdown on individual protections...

But what I need to to set mail alerts on any and all Prevents that happen from or to certain IP addresses.  We don't know ahead of time which protections will be triggered.  We just need to know straight away if a specific IP is involved in any "Prevent" action, without sitting in front of the logs hitting refresh 24x7.  Is this possible somehow?

Thanks 🙂

(1)
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-03-23 06:39 AM
Jump to solution

Assuming you are using gateways running at least R80.10, yes.  Set up a rule at the top of your TP  policy as shown below, with the offending IP address in the Protected Scope and the Track field including the Mail alert.  The built-in Strict profile prevents just about everything and would probably work well here, or you could clone the Strict policy and enable every possible signature in Prevent mode if you want, even signatures with Performance Impact rating of Critical which are only enabled manually by an Administrator.  Be sure to set up and test the mail alert as shown here: sk25941: Configuring 'Mail Alerts' using 'internal_sendmail' command

My IPS Immersion self-guided video series covers topics such as this in detail.

tp+alert.png

 

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-03-23 06:39 AM
Jump to solution

Assuming you are using gateways running at least R80.10, yes.  Set up a rule at the top of your TP  policy as shown below, with the offending IP address in the Protected Scope and the Track field including the Mail alert.  The built-in Strict profile prevents just about everything and would probably work well here, or you could clone the Strict policy and enable every possible signature in Prevent mode if you want, even signatures with Performance Impact rating of Critical which are only enabled manually by an Administrator.  Be sure to set up and test the mail alert as shown here: sk25941: Configuring 'Mail Alerts' using 'internal_sendmail' command

My IPS Immersion self-guided video series covers topics such as this in detail.

tp+alert.png

 

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
biskit
Advisor
‎2021-03-23 07:18 AM
In response to Timothy_Hall
Jump to solution

Thanks @Timothy_Hall .  You guided me to the missing thing....  I just didn't have the "Track" column showing!  Doh.  More caffeine needed 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events