• There are actually four different “classes” of what might be considered IPS Protections under R80.10+ management. (Note that Geo Policy/Protection is the fourth, and will be covered later in Module 4) The subtle differences in how you work with each of these four classes is the source of a LOT of confusion. They are:
1. ThreatCloud Protections (~9,300+, shield icon)
2. Core Activations (~39, shield w/ firewall icon)
3. Inspection Settings (~150, wrench icon)
4. Geo Policy (Covered in Module 4)
• Although they were part of the IPS blade in R77.XX and earlier, Inspection Settings are now part of the Access Control policy layers and no longer part of IPS/Threat Prevention in R80+ management. They perform protocol inspection that is inherent in the gateway’s stateful inspection process, and have the following attributes:
◦ As shown above Inspection Settings are part of the Access Control policy layers, so if any changes are made to them, the Access Policy needs to be installed to the gateway.
◦ Similarly to Core Activations, all Inspection Settings are included with a new software release, and are not updated via IPS Updates from the Check Point ThreatCloud.
◦ Inspection Settings Exceptions are specified separately from Threat Prevention Exceptions, so the main Threat Prevention Global exceptions DO NOT apply.
◦ One, some, or all Inspection Settings signatures can be specified in a single Inspection Setting Exception rule for an R80.10 gateway. For an R77.30 gateway, Inspection Settings Exceptions must be specified in the IPS layer under Threat Prevention.
◦ Each gateway has exactly one Inspection Settings Profile assigned to it.
• For technical reasons, 39 Core Activations exist in a kind of “no–man’s land” between ThreatCloud Protections and Inspection Settings. They typically enforce protocol standards via a protocol parser, and have the following attributes:
◦ Instead of the typical Inactive/Prevent/Detect settings, “See Details...” appears instead
◦ Exceptions can only be added for a single Core Activation signature at a time, and the main Threat Prevention Global & Custom Exceptions DO NOT apply
◦ Core Activations ship with the product and are not modified or augmented by IPS Updates from the Check Point ThreatCloud
◦ Under R80+ management, if configuration changes are made to existing Core Activations, they can be made active on the gateway by:
▪ R77.XX gateway: Install the Access Control Policy
▪ R80.10+ gateway: Install the Access Control Policy (NOT Threat Prevention)
◦ Core Activations have a special “shield with firewall” icon and will typically have an “Advanced” screen where the Activation can be further tuned or adjusted.