This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roshan_Sinha
Explorer
‎2022-12-12 06:27 PM

IPS signature fine tune

Hi Team,

Recently i have enabled IDS for Low confidence IPS protections, just to analyze what all attacks are hitting to our firewall. As soon as I enabled IDS, i have strated receiving many attack events which are Internal servers to servers legitimate traffic however its detecting as attack with high severity but low confidence. 

Need your suggestion, on this scenario, what should be the best solution I have to apply to avoid events for legitimate traffic.

Not sure if I have to create exception list for particular source and destination to avoid unnecessary events.

All suggestions will be appreciable !!

Regards,

Roshan Sinha

 

Labels
0 Kudos
7 Replies
the_rock
Legend
Legend
‎2022-12-12 06:35 PM

This is good reference link:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

Personally, I always tell people to stick with CP optimized profile, as in my experience, seems to work the best, meaning it will block most of commonly known stuff out on the Internet. Are you having issues with certain protections blocking the legitimate traffic?

0 Kudos
Roshan_Sinha
Explorer
‎2022-12-12 06:39 PM
In response to the_rock

HI,

Since i have enabled only IDS for low confidence protection, Its not blocking any traffic but only receiving Detect events for all legitimate traffic which is quite huge. 

 

0 Kudos
the_rock
Legend
Legend
‎2022-12-12 06:41 PM
In response to Roshan_Sinha

What is the current IPS profile you are using?

0 Kudos
Roshan_Sinha
Explorer
‎2022-12-12 06:44 PM
In response to the_rock

Its replica of Default CP Optimized profile.

0 Kudos
the_rock
Legend
Legend
‎2022-12-12 07:09 PM
In response to Roshan_Sinha

K, fair enough. I would follow below link for IPS optimizing. Honestly, I always use optimized profile with customers and never had any problems.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

0 Kudos
Blason_R
Leader
Leader
‎2022-12-12 10:15 PM

That is my take as well - You will need to some extra effort to finetune the profile/signatures. Use reporting functionality and get the reports and see the top signatures which are firing that would help to finetune the rules

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Roshan_Sinha
Explorer
‎2022-12-12 10:49 PM
In response to Blason_R

Thanks all for your suggestions..

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events