Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
MattDunn
Advisor

IPS Scope question.

Jump to solution

I'm struggling to figure out IPS "Scope".

I note the following articles, but I'm still not clear...

https://community.checkpoint.com/t5/Threat-Prevention/Difference-between-quot-Protected-Scope-quot-a...


https://community.checkpoint.com/t5/Threat-Prevention/IPS-Exception-question/m-p/34967#M1068

I have traffic being prevented and want to add an exception. If I click on "Add exception" from the log card it puts the source IP in the "Scope" box and leaves the source and destination fields blank.

The exception does not work.

If I then manually create an exception, leave Scope empty and put the same IP in the Source field, then it works.

Can anyone explain why? And what the difference is?

(In case it makes any difference, Mgmt = R80.40 T77,  Gateway = R80.30 T215)

Thanks 🙂

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

Yes, Protected Scope means any traffic to or from the IP address regardless of which way the connection was originally initiated.  In the context of Threat Prevention policies Protected Scope is definitely what you want to use (leave Source and Destination set to Any), since if a threat is detected we want to Prevent it regardless of direction.  In Access Control policies direction of connection initiation is much more important, so Source and/or Destination are used and Protected Scope doesn't exist in those policies.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

4 Replies
Timothy_Hall
Champion
Champion

Are you sure that your exception is not attempting to match both Protected Scope and/or Source/Destination in the same rule?  In a single TP rule (or exception) you should usually either populate Protected Scope and leave Source/Destination as Any, or leave Protected Scope as Any if utilizing Source and/or Destination.  Populating Protected Scope along with Source and/or Destination in the same TP rule/exception is not technically invalid, but can be somewhat confusing when trying to figure out what will match that TP rule/exception and what won't, as noted in my IPS Immersion video series.  This is why the Source and Destination columns are hidden by default in the standard Threat Prevention policy, thus encouraging you to just use Protected Scope.

If this didn't help, please post a screenshot of what you are trying to do.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
MattDunn
Advisor

I've taken a closer look at what the customer had configured and complained about, and I think this is down to misconfiguration/typo's.

So does "Scope" basically mean anything either TO or FROM that object?  Hence making it valid to leave source & dest. empty (* any)?

Thanks 🙂

0 Kudos
Timothy_Hall
Champion
Champion

Yes, Protected Scope means any traffic to or from the IP address regardless of which way the connection was originally initiated.  In the context of Threat Prevention policies Protected Scope is definitely what you want to use (leave Source and Destination set to Any), since if a threat is detected we want to Prevent it regardless of direction.  In Access Control policies direction of connection initiation is much more important, so Source and/or Destination are used and Protected Scope doesn't exist in those policies.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

MattDunn
Advisor

Prefect, thanks @Timothy_Hall 😀

0 Kudos