Roshan_Sinha
Explorer

IPS signature fine tune

Hi Team,

Recently I have enabled IDS for low-confidence IPS protections, just to analyze which attacks are hitting our firewall. As soon as I enabled IDS, I started receiving many attack events which are internal server-to-server legitimate traffic; however, it is detecting them as attacks with high severity but low confidence.

I need your suggestion on this scenario: what is the best solution I should apply to avoid events for legitimate traffic?

Not sure if I have to create an exception list for particular sources and destinations to avoid unnecessary events.

All suggestions will be appreciated!!

Regards,

Roshan Sinha

7 Replies
the_rock
Legend

This is a good reference link:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

Personally, I always tell people to stick with the CP Optimized profile, as in my experience it seems to work the best, meaning it will block most of the commonly known stuff out on the Internet. Are you having issues with certain protections blocking legitimate traffic?

Roshan_Sinha
Explorer

Hi,

Since I have enabled only IDS for low-confidence protections, it is not blocking any traffic, but I am only receiving Detect events for all legitimate traffic, which is quite huge.

the_rock
Legend

What is the current IPS profile you are using?

Roshan_Sinha
Explorer

It's a replica of the default CP Optimized profile.

the_rock
Legend

OK, fair enough. I would follow the link below for IPS optimizing. Honestly, I always use the Optimized profile with customers and have never had any problems.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

Blason_R
Leader

That is my take as well. You will need to put in some extra effort to fine-tune the profile/signatures. Use the reporting functionality to get the reports and see the top signatures which are firing; that would help to fine-tune the rules.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Roshan_Sinha
Explorer

Thanks all for your suggestions.
