This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Adnan_Saleem
Participant
‎2018-09-17 08:19 AM

IPS protection track and approval process

Hi,

Could you suggest the best way to setup an approval process for IPS protections and have a record of time and date when s specific protection was enabled.

Thanks in advance.

-Adnan

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2018-09-17 10:24 AM

This is really a Threat Prevention‌ question. 

For a fully enforced "approval process" we would need functionality that's not currently present in the product.

You can find a partial process here: Re: Will (Smart)Workflow come back?

In terms of tracking, there's really two things you have to track:

  • When a protection was modified
  • When the Threat Prevention policy was installed (Access Policy for pre-R80 gateways)

This will appear in the Audit Logs.

For example, my gateways auto-update IPS signatures nightly, so you will see in the Audit Logs that protections got added and that install policies happened. 

I also, for demonstration purposes, activated a protection that wasn't previously activated.

Here's the log entry that was created.

Unfortunately, it's not obvious from looking at this what protection I enabled here.

It's obvious what profile it was modified on (e.g. Profile name).

The Protection name listed is an internal one and not the one you see in SmartConsole.

To find out what protection was actually modified, you have to look at the "Performed On" field.

You'll notice there are two UIDs separated by an underscore:

  • First one is the Threat Prevention profile being modified (which is already obvious)
  • Second one is the IPS Protection that was actually modified

Using show object in the API, I can see what protection was modified:

There is clearly some room for improvement here.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events