This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maik
Advisor
‎2018-09-05 10:43 PM

IPS exception for pre R80 gateways with R80 SMS

Hello guys,

I have a question regarding the IPS exception possibilites for threat prevention profiles within a R80 SMS that is applied to pre R80 gateways. To be precise; the gateways in this case are running R76.50 (scalable platform release). As far as I've seen it is only possible to configure exceptions in the threat prevention exceptions tab - and here I realized that the action for any exceptions that need to be applied to pre R80 gateways is "inactive". But with that in place I am not able to see anything in my logs as IPS checking is just not done on the specific traffic described in the threat prevention exception rule. Now my question is - am I missing something or is there really no chance to configure "detect", so that IPS logs are still being received for the exception? I personally do not want to just ignore it in the first place. My plan is to have the SIEM team check whether its a false positive (during this time I want the detect option) and after confirming the false positive its fine for me to just set the action to "inactive".

Thanks in advance for any advices!

Best regards,

Maik

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-09-05 11:44 PM

As the name already hints to, an IPS exception excludes traffic from IPS. IPS set to detect consumes the same ressources as when in protect mode, so it makes no sense to detect anything except in the first weeks of getting IPS into production.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maik
Advisor
‎2018-09-05 11:53 PM
In response to G_W_Albrecht

Hello Günther,

Thanks for your reply. I understand IPS exceptions in the way that you have some kind of exclusion (differences) regarding the standard profile settings for specific traffic/signatures. Not in the way, that this automatically means you want to exclude such traffic completely from the IPS point of view.

That being said, I think it makes sense to detect something in this case as we are performing a restructure of the network (for some parts) and therefore need the detect just for specific sources, destinations & signatures. As these aren't that many hosts a new profile does not make much sense (which could have been another option).

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-06 12:02 AM
In response to Maik

You seem to understand IPS exceptions in a wrong way 😞 this is used for traffic that shall not be inspected at all by IPS (only very basic testing, e.g. Anti-Spoofing is performed in fw chain). If you need to detect traffic, use a special profile for this kind of traffic to make it work and log in detect mode.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maik
Advisor
‎2018-09-06 12:52 AM
In response to G_W_Albrecht

Hm, I am wondering why there is the possibility for R80.x gateways to have the options of "inactive", "detect", "prevent" and "ask" within the exception action settings then. Nevertheless, thanks for the information regarding the impact on the fw chain and what is still done after specifying an exception - was not aware of that.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-06 01:54 AM
In response to Maik

The options of "inactive", "detect", "prevent" and "ask" within the exception action settings - I can not see that here:

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maik
Advisor
‎2018-09-06 02:52 AM
In response to G_W_Albrecht

I am talking about the exception policy settings right below the actual threat prevention policies within the SmartConsole. [The hosts and rule shown in the screenshot are based on a cloud demo session]

Edit: Am I missing something? If yes, what exactly?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-07 12:01 PM
In response to Maik

This exception does not apply for pre-R80 gateways.

The exceptions you configure in the threat prevention exceptions tab are for excluding traffic from IPS entirely, not applying a different action to the traffic. 

R80.x gateways have significantly more flexibility with regards to IPS profiles, exceptions, and so on. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events