Re: IPS isn't work.

ipolovokhin · ‎2024-03-06

Hello community!

Looks like my IPS isn't work.
I have a cluster on border of my network with internet.

I enable https inspection and IPS blade, update IPS signatures database and try to test with checkme.

So, IPS information from security gateways:

[Expert@FW1_name:0]# ips stat
IPS Status: Enabled
Active Profiles:
Optimized
IPS Update Version: 635241547
Global Detect: Off
Bypass Under Load: Off

[Expert@FW2_name:0]# ips stat
IPS Status: Enabled
IPS Update Version: 635241547
Global Detect: Off
Bypass Under Load: Off

Honestly i don't know why FW2 have not Active Profiles but ok, i have two checkme tests and both tests was fully Vulnerable...

Regarding sk115236 i expect as minimum that Browser exploit section will be secure. Because my Active IPS profile include signature Cross-Site Scripting Scanning Attempt in "Prevent mode".

One more interesting thing that in sk115236 for Malware Infection test recommended enabling "D-Link 850L Router Remote Unauthenticated Information Disclosure" signature. But i didn't find this signature in list at all...

At the moment, I have familiarized myself with a huge number of problems related to IPS database updates, checkme checks, etc., but I have not been able to figure it out.

I'll add additional screenshots for help analyze situation.

Gaia version is R80.40 on management server and FWs

G_W_Albrecht · ‎2024-03-06

R80.40 is out of any support next April - better contact CP TAC !

CCSE CCTE CCSM SMB Specialist

Chris_Atkinson · ‎2024-03-06

From the output it seems the Optimized profile is active.

What does your HTTPS inspection policy look like, importantly which direction was it enabled for?

From demo console the protection is there:

https://advisories.checkpoint.com/defense/advisories/public/2017/cpai-2017-0850.html/

CCSM R77/R80/ELITE

ipolovokhin · ‎2024-03-06

Dear Chris,

I attach screenshots, of course policy was installed after enabling HTTPS inspection.
I also check it in browser certificate when i connect to some website via HTTPS.

I'm fully sure that HTTPS inspection works.

Lesley · ‎2024-03-06

Wrong way around you made the internet now more safe 😄

HTTPS inspec rule:

Source: Internet Dest Server: HTTPS inspect. This is good

-------
If you like this post please give a thumbs up(kudo)! 🙂

ipolovokhin · ‎2024-03-06

Dear Lesley,

Source - my test PC

Destination - Internet

Special for you i'll attach with column names 😊

As i told, https inspection works fine. Even if it will not Malware Infection test via http also doesn't work))

the_rock · ‎2024-03-06

Im not 100% clear on what exactly the issue here is...forgive me if this sounds like a dumb question, but are you saying that specific IPS protections are not working properly? Seems like inspection is taking place.

Andy

ipolovokhin · ‎2024-03-07

I think yes, because:

1) IPS blade is active

2) Databases updated (But i don't know why signature "D-Link 850L Router Remote Unauthenticated Information Disclosure" doesn't exist in IPS protections list)

3) Signatures (for example Cross-Site Scripting Scanning Attempt in prevent mode)

4) HTTPS inspection works

5) Policy is installed

But all tests displays Vulnerable (Browser exploit also), but if we believe to sk115236 test result should be secure as minimum....

the_rock · ‎2024-03-07

I agree, that sk would be a good test. Let me check those protections in the lab later and will send screenshots of what they show, as Im on latest R81.20.

Best,

Andy

the_rock · ‎2024-03-07

This is what I see in my R81.20 jumbo 45 lab.

Best,

Andy

ipolovokhin · ‎2024-03-07

And i have same picture i think. I just can't see action sections on your screenshot.

Interesting that you also don't have signature
D-Link 850L Router Remote Unauthenticated Information Disclosure

the_rock · ‎2024-03-07

I dont see that one, no. Action for cross-site scripting one you mean?

the_rock · ‎2024-03-07

If you asked for cross-site scripting, thats prevent, for sure.

Chris_Atkinson · ‎2024-03-08

I've reproduced the missing protection in my lab and am currently testing to see if sk179644 is a fix, need to await the next IPS update to confirm.

CCSM R77/R80/ELITE

the_rock · ‎2024-03-08

I actually did the same in one of my labs, lets see.

Andy

Chris_Atkinson · ‎2024-03-10

Updated to IPS package version 635241667.

Note the protection appears to have been updated & renamed simply to “D-Link Routers Information Disclosure” hence the issue with trying to find it.

Will request the CheckME documentation be amended accordingly.

CCSM R77/R80/ELITE

Chris_Atkinson · ‎2024-03-07

To clarify do you see logs for any of the CheckMe communication at all?

The traffic definately traverses the gateway without interception by a VPN / Proxy / SWG other than Check Point?

CCSM R77/R80/ELITE

Lesley · ‎2024-03-07

Malware infection is not really related to the IPS blade. Is more for Anti-virus / Anti-bot blade.

-------
If you like this post please give a thumbs up(kudo)! 🙂

ipolovokhin · ‎2024-03-07

Dear Lesley,

Please correct me if I'm wrong. As i know IPS in this case should work first and block download of this Malware before Anti-Virus, because IPS work with traffic flow (doesn't wait while file will buffered like Anti-Virus).

Are you a member of CheckMates?

IPS isn't work.