This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
‎2021-03-23 05:02 AM
Jump to solution

IPS Scope question.

I'm struggling to figure out IPS "Scope".

I note the following articles, but I'm still not clear...

https://community.checkpoint.com/t5/Threat-Prevention/Difference-between-quot-Protected-Scope-quot-a...


https://community.checkpoint.com/t5/Threat-Prevention/IPS-Exception-question/m-p/34967#M1068

I have traffic being prevented and want to add an exception. If I click on "Add exception" from the log card it puts the source IP in the "Scope" box and leaves the source and destination fields blank.

The exception does not work.

If I then manually create an exception, leave Scope empty and put the same IP in the Source field, then it works.

Can anyone explain why? And what the difference is?

(In case it makes any difference, Mgmt = R80.40 T77,  Gateway = R80.30 T215)

Thanks 🙂

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-03-23 08:15 AM
In response to biskit
Jump to solution

Yes, Protected Scope means any traffic to or from the IP address regardless of which way the connection was originally initiated.  In the context of Threat Prevention policies Protected Scope is definitely what you want to use (leave Source and Destination set to Any), since if a threat is detected we want to Prevent it regardless of direction.  In Access Control policies direction of connection initiation is much more important, so Source and/or Destination are used and Protected Scope doesn't exist in those policies.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

View solution in original post

4 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-03-23 06:50 AM
Jump to solution

Are you sure that your exception is not attempting to match both Protected Scope and/or Source/Destination in the same rule?  In a single TP rule (or exception) you should usually either populate Protected Scope and leave Source/Destination as Any, or leave Protected Scope as Any if utilizing Source and/or Destination.  Populating Protected Scope along with Source and/or Destination in the same TP rule/exception is not technically invalid, but can be somewhat confusing when trying to figure out what will match that TP rule/exception and what won't, as noted in my IPS Immersion video series.  This is why the Source and Destination columns are hidden by default in the standard Threat Prevention policy, thus encouraging you to just use Protected Scope.

If this didn't help, please post a screenshot of what you are trying to do.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
biskit
Advisor
‎2021-03-23 07:31 AM
In response to Timothy_Hall
Jump to solution

I've taken a closer look at what the customer had configured and complained about, and I think this is down to misconfiguration/typo's.

So does "Scope" basically mean anything either TO or FROM that object?  Hence making it valid to leave source & dest. empty (* any)?

Thanks 🙂

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-03-23 08:15 AM
In response to biskit
Jump to solution

Yes, Protected Scope means any traffic to or from the IP address regardless of which way the connection was originally initiated.  In the context of Threat Prevention policies Protected Scope is definitely what you want to use (leave Source and Destination set to Any), since if a threat is detected we want to Prevent it regardless of direction.  In Access Control policies direction of connection initiation is much more important, so Source and/or Destination are used and Protected Scope doesn't exist in those policies.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
biskit
Advisor
‎2021-03-23 08:18 AM
In response to Timothy_Hall
Jump to solution

Prefect, thanks @Timothy_Hall 😀

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events