This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cem82
Contributor
‎2022-10-31 10:19 PM
Jump to solution

IPS detect logs only after enabling anti bot blade

Hi
Initially we only had IPS blade enabled and were not getting logs for hosts under the global exceptions which we expected. Only after enabling anti bot blade we are now seeing IPS logs for hosts covered by global exception. I have checked several of the signatures under the IPS profile and they are set to prevent, however these are detect logs. We are still seeing prevent IPS logs for hosts that are not in the global exception

Has anyone come across this or what am I overlooking?  We are running R81.10 mgmt and GW JHF 66 on both

IPS profile
Only has IPS blade ticked

AntiBot profile
Only has Antibot blade ticked
Set to detect only under GW properties

Global exception
Protected Scope = Any
Source = Specific network groups
Protection/Site/File/Blade = IPS
Action = Inactive

 

Threat Prevention custom policy
"Threat Prevention" layer name
Scope any <IPS profile name>

Track = log

"Anti Bot" layer name
Scope one specific network <AntiBot profile name>

Track = log

Labels
0 Kudos
1 Solution

Accepted Solutions
yalmog
Employee
Employee
‎2022-11-17 03:51 AM
Jump to solution

Hi
R81.10 JHF 79 contain a fix (PMTR-77524) that Global-Detect's action wrongly take precedence over Exception's action.

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2022-11-03 09:07 AM
Jump to solution

Just to clarify your situation:

  • You have a separate Threat Prevention rules for IPS and Threat Prevention using profiles
  • You have global exceptions that relate to IPS

What are the precise logs you're seeing?
Please provide a screenshot or two of the log cards in question (sensitive details redacted).

 

0 Kudos
cem82
Contributor
‎2022-11-03 06:48 PM
In response to PhoneBoy
Jump to solution

The same IPS profile and exception is on another GW, only difference is that it doesn't have AB profile/rules and not seeing these detect logs, only the IPS where the source isn't part of the exclusion group.

 

This is log for where source is part of the exclusion group " "Blade:IPS" "action:Inactive"

IPS Detect log.JPG

Prevent log for a source that is not in the exclusion group

IPS Prevent log.JPG

TP policy'.JPG

Antibot layer.JPG

 

Global exception.JPG

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-04 08:04 AM
In response to cem82
Jump to solution

Ok, so you're using multiple threat layers too.
I think your best bet in this situation is a TAC case.

0 Kudos
cem82
Contributor
‎2022-11-04 02:19 PM
In response to PhoneBoy
Jump to solution

Cool thanks, suspected that'd be the case. 

0 Kudos
the_rock
Legend
Legend
‎2022-11-04 06:16 PM
Jump to solution

I had similar case with client couple of years back and TAC had them make some changes in threat prevention profile to make this work. IM really sorry, but I cant recall what was done. Once you find a solution, please share it here.

0 Kudos
yalmog
Employee
Employee
‎2022-11-17 03:51 AM
Jump to solution

Hi
R81.10 JHF 79 contain a fix (PMTR-77524) that Global-Detect's action wrongly take precedence over Exception's action.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events