This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
‎2019-06-06 05:58 AM
Jump to solution

IPS confusion

Hello,

Is somebody able to clear up some confusion over how IPS works please?

Customer has IPS enabled, using the "Recommended_Profile".

The policy is set to prevent most stuff.

Capture.PNG

 

 

 

 

 

 

 

 

 

 

Capture.PNG

 

 

 

 

 

 

 

 

 

When I look at the list of protections, under the "Recommended_Protection" column, the vast majority of protections are set to Prevent, either natively or from manual override.  There are a small bunch set to detect, and a small bunch as Inactive.

When I go to Logs & Monitor > General Overview, I see this:

Capture.PNG

 

 

 

 

 

 

 

 

 

 

 

Notice that the pie chart shows 94% as Detect, and only 6% at Prevent.

Notice also that the "Critical Attacks Allowed by Policy" box shows (I think?) that a number of critical severity attacks have been allowed to happen.

Now let's take one of them as an example...  "SQL Servers UNION Query-based SQL Injection" has apparently been allowed to happen.  But if I check the actual protection, it is set to Prevent.  This is correct according to the policy as it matches all of the performance, severity and confidence criteria to be automatically set to Prevent.

Capture.PNG

 

 

 

So what's going on?

Why does the General Overview page seem to be so wildly different and wrong compared to what is configured in the policy?  Why for example does it report that SQL UNION attack as being allowed according to the policy, when the actual policy states it is set to Prevent?  And why is the pie chart showing do much Detect when in reality very few protections are set in Detect mode?

I presume there's an easy explanation that I'm not aware of?

Thanks,

Matt

 

 

 

 

 

 

 

 

 

1 Solution

Accepted Solutions
biskit
Advisor
‎2019-06-13 08:34 AM
In response to Alon_Alapi
Jump to solution

Quick update on the issue.  I had a very helpful remote session with @Alon_Alapi and he found the problem...  There was an exception for Any Any Detect.  I can't explain how that got there, but at least that likely explains the discrepancy between the protection settings and the Overview pie chart.  We got to this via the Rule ID link in the log card.

In this case, it's Exception rule E-1.7 below (which has now been deleted).  

Lesson - check for IPS exceptions!

Untitled.png

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2019-06-09 04:55 PM
Jump to solution

The recommended profile is from R77.x but you're clearly showing R80.x screenshots from the management.
Are the gateways in question R77.x?
Have you looked at the actual log entries generated by these protections?
Murad_Elmgbar
Contributor
‎2019-06-09 05:08 PM
In response to PhoneBoy
Jump to solution

Look in IPS logs it will show all Prevent/Detect, SECURITY POLICY-->Threat Prevention--> IPS--> Logs.

IPS.JPG

The pic you posted showing threat prevension report, it could be because you recently change the CVE to prevent, and it's display the detect before the change applied. but in IPS Logs you will see if still in detect or prevent.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-06-09 06:59 PM
Jump to solution

Please provide the full log card for the "SQL Servers UNION Query-based SQL Injection" attack.  It is difficult to say what is happening otherwise, it could be an exception, that signature could be in staging mode, the IPS properties on the gateway are set to "Detect Only" instead of "According to Threat Prevention Policy", or you have some other signature falsing constantly that is set to Detect and it is skewing the pie chart.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Alon_Alapi
Employee Alumnus
Employee Alumnus
‎2019-06-10 05:31 AM
In response to Timothy_Hall
Jump to solution

Hi Matt,

I am a group manager in R&D responsible of Access and Threat Prevention management.

I would like to follow up on this, can you please email me to: alonal@checkpoint.com so we can continue this offline?

Thank you,

Alon Alapi

 

0 Kudos
biskit
Advisor
‎2019-06-13 08:34 AM
In response to Alon_Alapi
Jump to solution

Quick update on the issue.  I had a very helpful remote session with @Alon_Alapi and he found the problem...  There was an exception for Any Any Detect.  I can't explain how that got there, but at least that likely explains the discrepancy between the protection settings and the Overview pie chart.  We got to this via the Rule ID link in the log card.

In this case, it's Exception rule E-1.7 below (which has now been deleted).  

Lesson - check for IPS exceptions!

Untitled.png

PhoneBoy
Admin
Admin
‎2019-06-13 10:45 AM
In response to biskit
Jump to solution

Glad we were able to get to the bottom of it.
biskit
Advisor
‎2019-06-25 01:55 AM
In response to PhoneBoy
Jump to solution

Following on from my recent IPS query, I have another similar one...  I've noticed for one customer in the log General view, the pie chart again shows mostly "Detect" with only a little bit of "Prevent".  The table next to it shows a number of critical attacks allowed by the policy.

So the first thing I checked is the Exceptions.

There are a couple.  Rule 6 in the screenshot below is the basis of my question.  I have a /24 network object in the "Protected Scope" box, and Source is Any.  

What will this rule do?
How is "Protected Scope" different to "Source"? 
Will rule 6 only apply to traffic from/to the specified /24 network?

Untitled.png

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-25 11:55 AM
In response to biskit
Jump to solution

You are correct.
Protected Scope basically takes the place of two rules:
1. Source "Protected Scope" Destination "Any"
2. Source "Any" Destination "Protected Scope"
Timothy_Hall
Legend Legend
Legend
‎2019-06-26 02:04 PM
In response to biskit
Jump to solution

Another way to look at "Protected Scope" is that when an object like a network is placed there, any traffic going into or out of that network will match the rule regardless of which way the connection was originally initiated.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events