Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPS Signatures best practices

Dear CheckMates,
I am a senior security analyst and have given the Task of reviewing the IPS Signatures in our organization. We are using a Checkpoint IPS/Firewall versions R77.30 and R80.10. Out of the total 10,000 plus signatures currently only 1000 plus signatures are in detect or prevent mode and the rest are inactive. Is there any best practices which I can refer to to decide which signatures to set to monitor or which ones to prevent. Any Standard operating procedures.

I proposed that for better visibility so enable all the signature to monitoring mode as this traffic is also captured in SIEM tool. Now I have been asked to filter the IPS signatures based on port so that we can enable only those ports open by Firewall to Monitoring mode and the rest can be Inactive. Is there any way by which I can filter the IPS signatures based on Port numbers. Any help or explanation is much appreciated. 

Thanks and regards

Mohammed Anis Ismail

0 Kudos
2 Replies
Legend Legend

For your first question, you will need to get most of those IPS protections into at least Detect to figure out which ones you actually need.  Check out the TailoredSafe tool here which can be very helpful:

For your second query, IPS protections don't directly care about port numbers and are usually looking for exploits in certain protocols, which typically have "native" port numbers they use.  The closest you can get to what you want is to expose the Protocol column for the IPS signatures as shown here:




The IPS blade and its configuration can look pretty daunting which is why I released my IPS Immersion Video Series that is 8 hours of nothing but the IPS blade and how best to work with it.  Check Point has a healthy amount of good reference documentation for IPS, but not a lot of "how-to" and day-to-day operational guides.


Gateway Performance Optimization R81.20 Course
now available at

Thank you for the Reply Tim,
I will try to follow the steps to enable protocol in the report.

In the TailoredSafe tool , what I can understand is that by default all the signatures should be in Detect mode. Then there are several methods to decide which ones to set to prevent mode. Am I correct?

Is there any signature we can set as inactive because its obsolete , or the last update date is too long ?

Last month we tried to change about 700 signatures to detect mode and we got performance issues.
Lets say , If I want to stage all the 10,000 plus signature to Detect mode , which is the ideal situation , is there any minimum system requirements for this.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events