This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
OrkhanRustamli
Participant
‎2020-03-27 03:19 AM

IPS Rule Threat Prevalence

Hi All,

I have one customer CP where in Threat Profiles-> IPS Advanced Section Threat Prevalence with Rare and Absolute tags are set to inactive. I wonder what is meaning of Threat Prevalence tags as I couldn`t find any information about them. The only thing I got that Rare tag is for Low Confidence and based on that I assumed Absolute must be Confidence High, but High Confidences are not all inactive.

Thanks in advance!

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-03-27 07:54 AM

My interpretation is that Threat Prevalence is how relevant the particular threat is to a typical environment today.  A Threat Prevalence of Obsolete probably indicates that the threat is against obsolete systems and applications (think Windows NT, Windows XP, etc. - essentially software that has not been supported in a VERY long time).  As mentioned in my IPS Immersion Class, these Additional Activations will never forcibly reactivate a protection that does not meet the current Confidence, Performance Impact, & Severity criteria for the IPS profile.  As such the "Protections to Activate" Window is not generally very useful.  However the "Protections to Deactivate" window CAN be useful, as it can deactivate numerous protections that currently meet the three criteria but are not relevant to your environment at all, and save the firewall overhead associated with looking for matches on those signatures.

If you'd like to see for yourself which IPS Protections are tagged with the "Obsolete" designation you can search for them as shown in this screenshot which shows a protection that dates from 1999:

obsolete.jpg

 

ips_additional.jpg

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
(1)
Don_Paterson
Advisor
Advisor
‎2025-04-24 12:26 PM
In response to Timothy_Hall

Hi Tim,

Livening up this thread (5 years down the track) because I am looking into this at the moment.

The admin guide confirms what you have shared.

It seems to me like they really should update that part of the SmartConsole because the wording gives a false impression that the customer is actually enabling protections in a way that overrides the Profiles General Policy.

That makes it seem pointless..

 

I've left feedback on the admin guide to clear up the term "activation mode thresholds" because it does not match anything else in the documentation or SmartConsole.

References below.

If a customer wants to guarantee that a vendor that they use is protected by CP IPS (virtual patching) is the solution to avoid "Protections to activate" and instead search for the vendor in the IPS protections, do the research on each protection, and then activate/override accordingly (based on Profile settings?

For example, if I chose VMware and found an IPS protection is inactive in a relevant profile and it is matches a deployed product on site, then I would want to do an  override to activate is for the relevant profile.

 

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

"These categories only filter out or add protections that comply with the activation mode thresholds (Confidence, Severity, Performance).

For example, if a protection is inactive because of its Performance rating, it is not enabled even if its category is in Protections to activate."

 

 

the_rock
Legend
Legend
‎2025-04-24 07:44 PM
In response to Don_Paterson

I had couple of customers tell me it would be nice to be able to auto activate needed protections if deemed so by the vendor.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events