This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NeilDavey
Collaborator
‎2020-02-19 02:25 AM
Jump to solution

IPS Updates for Optimized Profile

I have started to use the Optimized Profile for my IPS, however I have noticed protections that should be enabled according to the Check Point IPS Update email, yet its actually inactive.

Please see example.

Advantech WebAccess SCADA Stack-based Buffer Overflow
(CVE‑2019‑3975: CVE‑2019‑3951) should be set as activated but has not been.

Anyone know why this would be case and how I could fix this?

 

 

Preview file
58 KB
Preview file
17 KB
0 Kudos
1 Solution

Accepted Solutions
NeilDavey
Collaborator
‎2020-02-24 11:34 PM
In response to NeilDavey
Jump to solution

Thought I would reply with the the reply from TAC incase anyone was interested:

This is indeed the thing I was planning to check on the Protections. Optimized profile does not automatically enable Protection under "Product Prevalence - Scarce", only Common, as to not impact Firewall productivity with a load.
"Strict" Profile is the one that has all protection enabled by default.
You can either switch to Strict profile or re-configure Optimized profile (by cloning it).

I also raised the question about why on the IPS News Emails sometimes the Protections are ticked or not next to the relevant Protection/Profile and this was the reason:

I reached people responsible for this email feed, and the 'tick' on the Profile does not mean the Protection is enabled by default - those configurations are to be done by user on SmarConsole. Note that "tick' is also on Basic Profile, which has less amount of Prevent by default.
As to what 'tick' means exactly, unfortunately I cannot say.

Hope this helps anyone else if they were interested.

 

View solution in original post

6 Replies
Martin_Valenta
Advisor
‎2020-02-19 04:56 AM
Jump to solution

New protections are not included right after they have been announced.

Try to check on Profile if IPS > Updates is set to Active or not for "Newly Updated protections"

 

Preview file
15 KB
0 Kudos
NeilDavey
Collaborator
‎2020-02-19 05:01 AM
In response to Martin_Valenta
Jump to solution

Thanks for the comment but that's not the case.

My setting is the same as yours:

Newly downloaded protections will be set to - Active - According to profile settings

From my screenshots, the other 2 IPS protections are set according to the policy but one of them isn't.

Looking at the 2 High ones, 1 is set and 1 isn't.  They are the same on Performance Impact, Severity and Confidence Level so they should both be set as Active but my policy decides to leave one as inactive and I can't see a reason why.

I have others as well but only raised this now to see if anyone else can see a reason as to why.

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-02-19 05:38 AM
In response to NeilDavey
Jump to solution

I would ask TAC for an explanation !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Shiran_Gold
Employee
Employee
‎2020-02-20 12:25 PM
Jump to solution

Hey,

 

This protection is not a part of Optimized profile as it does not have "Product Prevalence: Common" tag.

optimized.PNG

 

 

 

 

 

Thanks

Shiran

NeilDavey
Collaborator
‎2020-02-20 11:18 PM
In response to Shiran_Gold
Jump to solution

Thanks for the suggestion.

I have a TAC call open now and have sent some screenshots for investigation.

However, this wouldn't make sense to me if it is the the case. The IPS News emails, state the Protection Name and whether it is enabled on the relevant R80 Profile (Optimized or Strict).

If it has a tick next to it on the email notification then it should be enabled on IPS for Check Point as this is a builtin profile that cannot be changed.

If its because of the Protection not having (Product Prevalence - Common) on the protection , then it shouldn't say enabled on the IPS emails.

I will see what TAC suggest on this.
0 Kudos
NeilDavey
Collaborator
‎2020-02-24 11:34 PM
In response to NeilDavey
Jump to solution

Thought I would reply with the the reply from TAC incase anyone was interested:

This is indeed the thing I was planning to check on the Protections. Optimized profile does not automatically enable Protection under "Product Prevalence - Scarce", only Common, as to not impact Firewall productivity with a load.
"Strict" Profile is the one that has all protection enabled by default.
You can either switch to Strict profile or re-configure Optimized profile (by cloning it).

I also raised the question about why on the IPS News Emails sometimes the Protections are ticked or not next to the relevant Protection/Profile and this was the reason:

I reached people responsible for this email feed, and the 'tick' on the Profile does not mean the Protection is enabled by default - those configurations are to be done by user on SmarConsole. Note that "tick' is also on Basic Profile, which has less amount of Prevent by default.
As to what 'tick' means exactly, unfortunately I cannot say.

Hope this helps anyone else if they were interested.

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events