ipolovokhin
Contributor

IPS isn't working.

Hello community!

Looks like my IPS isn't working.
I have a cluster on the border of my network with the internet.

I enabled HTTPS inspection and the IPS blade, updated the IPS signature database and tried to test with CheckMe.

So, IPS information from the security gateways:

[Expert@FW1_name:0]# ips stat
IPS Status: Enabled
Active Profiles:
Optimized
IPS Update Version: 635241547
Global Detect: Off
Bypass Under Load: Off

[Expert@FW2_name:0]# ips stat
IPS Status: Enabled
IPS Update Version: 635241547
Global Detect: Off
Bypass Under Load: Off

Honestly I don't know why FW2 has no Active Profiles, but OK. I ran two CheckMe tests and both were fully Vulnerable...

Regarding sk115236, I expect at minimum that the Browser Exploit section will be Secure, because my active IPS profile includes the signature Cross-Site Scripting Scanning Attempt in Prevent mode.

One more interesting thing: in sk115236, for the Malware Infection test, it is recommended to enable the "D-Link 850L Router Remote Unauthenticated Information Disclosure" signature. But I didn't find this signature in the list at all...

At the moment I have read through a huge number of problems related to IPS database updates, CheckMe checks, etc., but I have not been able to figure it out.

I'll add additional screenshots to help analyze the situation.

Gaia version is R80.40 on the management server and the FWs.

0 Kudos
18 Replies
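As an added example (not from the thread or from Check Point), a small Python check that parses `ips stat` output from each cluster member, like the two outputs above, and flags the inconsistency the poster noticed (FW2 reporting no Active Profiles) together with update-version or mode differences between members; the sample outputs are constructed copies of the post's.

```python
# Constructed samples mirroring the two outputs quoted in the post.
FW1_OUTPUT = """\
IPS Status: Enabled
Active Profiles:
Optimized
IPS Update Version: 635241547
Global Detect: Off
Bypass Under Load: Off
"""
FW2_OUTPUT = """\
IPS Status: Enabled
IPS Update Version: 635241547
Global Detect: Off
Bypass Under Load: Off
"""

def parse_ips_stat(text):
    """Parse key/value lines; names under 'Active Profiles:' become a list."""
    fields = {"Active Profiles": []}
    in_profiles = False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "Active Profiles:":
            in_profiles = True
        elif ":" in line:  # any other key ends the profile list
            in_profiles = False
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        elif in_profiles:
            fields["Active Profiles"].append(line)
    return fields

def check_members(members):
    """members: {gateway name: ips stat text}. Returns a list of findings."""
    parsed = {name: parse_ips_stat(out) for name, out in members.items()}
    findings = []
    for name, f in parsed.items():
        if f.get("IPS Status") != "Enabled":
            findings.append(f"{name}: IPS Status is {f.get('IPS Status')!r}")
        if not f["Active Profiles"]:
            findings.append(f"{name}: no Active Profiles reported")
        if f.get("Global Detect") == "On":
            findings.append(f"{name}: Global Detect is On, protections only log")
        if f.get("Bypass Under Load") == "On":
            findings.append(f"{name}: Bypass Under Load is On")
    if len({f.get("IPS Update Version") for f in parsed.values()}) > 1:
        findings.append("IPS Update Version differs across members")
    if len({tuple(f["Active Profiles"]) for f in parsed.values()}) > 1:
        findings.append("Active Profiles differ across members")
    return findings
```

Run `check_members({"FW1": FW1_OUTPUT, "FW2": FW2_OUTPUT})` to get the findings for the two outputs above.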
G_W_Albrecht
Legend

R80.40 is out of any support next April - better contact CP TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

From the output it seems the Optimized profile is active.

What does your HTTPS inspection policy look like, importantly which direction was it enabled for?


From demo console the protection is there:

850.jpg

https://advisories.checkpoint.com/defense/advisories/public/2017/cpai-2017-0850.html/ 

CCSM R77/R80/ELITE
0 Kudos
ipolovokhin
Contributor

Dear Chris,

I have attached screenshots; of course the policy was installed after enabling HTTPS inspection.
I also checked the browser certificate when I connected to a website via HTTPS.

I'm fully sure that HTTPS inspection works.

0 Kudos
Lesley
Leader

Wrong way around, you've now made the internet safer 😄


HTTPS inspection rule:

Source: Internet Dest Server: HTTPS inspect. This is good

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
ipolovokhin
Contributor

Dear Lesley,

Source - my test PC 

Destination - Internet


Specially for you I'll attach it with column names 😊


As I said, HTTPS inspection works fine. Even if it didn't, the Malware Infection test via HTTP also doesn't work))

0 Kudos
the_rock
Legend

I'm not 100% clear on what exactly the issue here is... forgive me if this sounds like a dumb question, but are you saying that specific IPS protections are not working properly? It seems like inspection is taking place.

Andy

0 Kudos
ipolovokhin
Contributor

I think yes, because:

1) IPS blade is active

2) Databases updated (but I don't know why the signature "D-Link 850L Router Remote Unauthenticated Information Disclosure" doesn't exist in the IPS protections list)

3) Signatures (for example Cross-Site Scripting Scanning Attempt in Prevent mode)

4) HTTPS inspection works 

5) Policy is installed


But all tests display Vulnerable (Browser Exploit also), and if we believe sk115236 the test result should be Secure at minimum....

0 Kudos
the_rock
Legend

I agree, that sk would be a good test. Let me check those protections in the lab later and I'll send screenshots of what they show, as I'm on the latest R81.20.

Best,

Andy

the_rock
Legend

This is what I see in my R81.20 jumbo 45 lab.

Best,

Andy


Screenshot_1.png


Screenshot_2.png

0 Kudos
ipolovokhin
Contributor

And I have the same picture, I think. I just can't see the action section on your screenshot.

Interesting that you also don't have the signature
D-Link 850L Router Remote Unauthenticated Information Disclosure

0 Kudos
the_rock
Legend

I don't see that one, no. The action for the cross-site scripting one, you mean?

0 Kudos
the_rock
Legend

If you asked about cross-site scripting, that's Prevent, for sure.

0 Kudos
Chris_Atkinson
Employee

I've reproduced the missing protection in my lab and am currently testing to see if sk179644 is a fix; I need to await the next IPS update to confirm.

CCSM R77/R80/ELITE
the_rock
Legend

I actually did the same in one of my labs, let's see.

Andy

0 Kudos
Chris_Atkinson
Employee

Updated to IPS package version 635241667.

Note the protection appears to have been updated & renamed simply to “D-Link Routers Information Disclosure” hence the issue with trying to find it.

dlink.jpg

Will request the CheckME documentation be amended accordingly.

CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee

To clarify, do you see logs for any of the CheckMe communication at all?

The traffic definitely traverses the gateway without interception by a VPN / Proxy / SWG other than Check Point?

CCSM R77/R80/ELITE
0 Kudos
Lesley
Leader

Malware Infection is not really related to the IPS blade. It is more for the Anti-Virus / Anti-Bot blade.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
ipolovokhin
Contributor

Dear Lesley,


Please correct me if I'm wrong. As far as I know, IPS in this case should work first and block the download of this malware before Anti-Virus, because IPS works on the traffic flow (it doesn't wait for the file to be buffered like Anti-Virus does).

0 Kudos