PhoneBoy
Admin

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8th January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point!

The following is available to CheckMates members who are logged in:

  • Slides (will be provided after CPX 360 2020)
  • Video

Q&A will be posted as comments.

The SmartConsole Extension mentioned: https://secureupdates.checkpoint.com/appi/tailoredsafe/extension.json

49 Replies
Will_Hudgins
Participant

Excellent presentation! This will be very useful for me.

I just ran the extension and receive these errors. I approved every pop-up. 

Manager - R80.30

cp_tailored-safe-errors.PNG

Oren_Koren
Employee

Hey

If you can send me a direct email, I will take care of it.

orenkor@checkpoint.com

PhoneBoy
Admin

It looks like a "cosmetic" error more than a real error.
Best to email Oren as he suggested so we can investigate.
Will_Hudgins
Participant

It's not creating the new profile either. I'll wait on Oren to get back to me.

Thank you.

Oren_Koren
Employee

Hey,
We are reviewing it, and a short remote session will assist us in finishing the review and fixing what is needed.

I have seen your email and will respond soon. If it's a possibility from your side, can we have a short session?
Will_Hudgins
Participant

Yes, I will send you an email with my available times. Again, thank you.

Manuel_Kuback
Contributor

Did you solve the issue?

I got the same issues (all errors, no Tailored Safe profile being created).

But it was just a first test in my lab.

Oren_Koren
Employee

Hey,

We have worked on all of the issues that have been sent by you and the others. A new version was released with bug fixes two days ago (same link, so no change is needed). Can you check again and tell me if it still doesn't work for you?

Thanks,

Oren

0 Kudos
Will_Hudgins
Participant

Worked like a champ. Thanks guys!
Oren_Koren
Employee

It's all on @asafga's head 🙂

Asaf, do you want to update on the fixes that have been added to the last TS version based on the community inputs?

asafga
Employee

Hey all,

I wanted to update on our new improvement to TailoredSafe.

  • We have reduced the pop-ups in the flow of the extension.
  • Improved error handling – we will be able to handle errors much more efficiently.
  • Fixed a bug with the non-hit protections – based on inputs from the community, we have located a few use cases that we didn't have in our lab and fixed them accordingly.
  • Multiple code improvements.

I would like to add that CheckMates assists a lot with checking and giving us lots of feedback – please keep the feedback coming!

Charles_Palmer
Participant

Great presentation. I am looking forward to seeing more about it at CPX2020. I did install the extension on my SmartConsole and went through the wizard and it worked. I was a little surprised to see that I had 0 items that were in detect with no hits. I am running the Optimized profile (which I cloned so I could start customizing it for our environment) and I was expecting to have a lot of No Hits based on the presentation. If there is anything else I can provide on this, let me know.

Charles

Andreas_Poelzle
Explorer

Same here with one of my customers on the Recommended_Profile. 0 protections with no hits, 0 protections with hits, 0 Application Discovery.

Oren_Koren
Employee

Hey Andreas,
Can you send me a short email with your details? We will want to review it with you.

Thanks,
Oren
0 Kudos
Oren_Koren
Employee

Hey Charles
Thanks for the feedback
If you can please send me a short email so we can coordinate a short session, that will be great!
0 Kudos
cdurham
Participant

I added the extension, ran the analysis and received this error:
Wolfgang
Leader

Cdurham,

I got the same screen. Went for a cup of coffee from my desk and after 10 min I saw 4500 changes in the session pane (at the top of the Dashboard).
I could see this number increasing for the last 1000. Because there was no button to click OK or anything else, I closed the window and was able to publish and install policy. There was no chance to review the changes.

Wolfgang
Oren_Koren
Employee

Hey Wolfgang,
By reviewing the changes you mean that you want to verify what the changes are before the policy push, correct?

If we were able to show you the changes in any place and way in the console, what would be the best scenario/solution for you?
0 Kudos
Oren_Koren
Employee

Hey cdurham,
Can you please check if a new profile was created? (So I can differentiate between the presenting side and the configuration side.)

Thanks
Oren
0 Kudos
Oren_Koren
Employee

We are working very fast on reviewing all of your inputs.

I will ask you to run the extension and, if there is any challenge, send me an email - we want to know.

Please check if a profile was created in your Threat Prevention policy - in some cases, as PhoneBoy said, it's a bit of a cosmetic thing and a timing matter (a waiting time of a few minutes for the changes to be created).

Oren_Koren
Employee

Hey all

In the past few days we have had multiple sessions with community members that included debugging and understanding the reasons for failures in the extension.

For the ones who didn't have a session OR don't have a session with R&D in the schedule to review the challenge and solve it (+ learn what improvement we need to deploy) - please drop me an email and we will schedule a session to solve it WITH you.

As I said to all of the customers we have had a session with - the power of the community in reviewing our innovative products and the great inputs are priceless.

Let's keep working together to make the best products based on your real needs!

Timothy_Hall
Champion

Finally had the time to go through the video, nice tool!

From an optimization perspective this tool can be very helpful as well, since an action of Detect instead of Prevent or Inactive causes higher overhead on the firewall; this concept was hit hard in the latest version of my book.  Particularly bad is an action of Detect but no logging, which is just consuming firewall resources for no valid reason.  Good to see there is an automated tool to streamline getting out of Detect mode, my book goes through doing it manually.  Will definitely add this tool to the upcoming addendum!

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
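Timothy's point above (Detect still costs inspection, and Detect without logging costs it for no visibility) is the triage the extension automates. As an added example, not code from the thread, the extension or Check Point, here it is as a dry run in Python over constructed profile settings and log lines, so proposed changes can be reviewed before anything is published; the protection names, profile fields and log format are assumptions.

```python
"""Dry-run triage of Threat Prevention protections from Detect to Prevent.

Added example for this thread, not the TailoredSafe extension or any Check
Point API; protection names, profile fields and log format are constructed.
"""
from collections import Counter

# Constructed profile settings for hypothetical protections.
PROFILE = {
    "Proto-A Buffer Overflow": {"action": "Detect", "track": "Log"},
    "Proto-B Directory Traversal": {"action": "Detect", "track": "Log"},
    "Proto-C Command Injection": {"action": "Detect", "track": "None"},
    "Proto-D Deserialization": {"action": "Prevent", "track": "Log"},
    "Proto-E Header Anomaly": {"action": "Inactive", "track": "None"},
}

# Constructed log export, one "protection;action" event per line.
SAMPLE_LOG = """\
Proto-B Directory Traversal;Detect
Proto-B Directory Traversal;Detect
Proto-D Deserialization;Prevent
"""

def count_hits(log_text):
    """Count log events per protection name over the review window."""
    hits = Counter()
    for line in log_text.splitlines():
        if line.strip():
            hits[line.partition(";")[0]] += 1
    return hits

def plan_changes(profile, hits):
    """Propose, without applying, a change for every Detect protection:
    no hits with logging on -> detect-to-prevent; hits -> review-hits first;
    logging off -> enable-logging-first, because zero hits is not evidence
    there (and Detect without Log only burns inspection CPU)."""
    plan = []
    for name, cfg in profile.items():
        if cfg["action"] != "Detect":
            continue  # Prevent and Inactive entries are out of scope here
        n = hits.get(name, 0)
        if cfg["track"] == "None":
            change = "enable-logging-first"
        elif n == 0:
            change = "detect-to-prevent"
        else:
            change = "review-hits"
        plan.append({"protection": name, "change": change, "hits": n})
    return plan
```

Printing or exporting the returned plan gives the reviewable change list that Wolfgang asked for before publishing.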
Oren_Koren
Employee

Thanks!

If you add it to your book as a way to utilize Threat Prevention, that will be great 🙂

Any input on the process is welcome - we want to make our customers' lives simple and with no business impact.

0 Kudos
Mark_Mitchell
Advisor

Where can I download the extension from to have a go in a lab with it?

Cheers

Mark

Jeff_Engel
Employee

Maik1
Contributor

But is it recommended to activate as many protections as possible? For example, I activate all protections for McAfee, but we don't use any McAfee solutions in our organization. Does it make sense? Or did I just create a performance impact for my gateway?

0 Kudos
Oren_Koren
Employee

Hey,

As a basic rule, from our experience, someone in your organization can/will install something new tomorrow.

The challenge of managing the applications that are in use in your organization (+ vulnerable versions) is a hard challenge.

To make it simple, we recommend enabling all the protections (besides exceptions if needed OR if you have performance issues due to mis-sizing, as an example).

Just for example, let's say you do not have SQL today, but tomorrow someone from the DEV team will install a local instance with a known vulnerability:

SQL will not be seen on d_port 1433, so you will not have any inspection == no performance usage.

The second the user installs the app and an attack occurs, only then will you have inspection.

In some unique cases, I have seen customers that enable ONLY the tags for the applications they have; in those cases, they had a dedicated person whose job this was - it's all about manpower...... (IMHO)

0 Kudos
Manuel_Joaquim
Employee

Hi Oren

Great video, just a follow-up. I think I am missing something.

I was under the impression that if you don't need a protection you should not enable it, because if you enable it, it will launch the content inspection (stream, parse, CMI protections), looking for traffic that might match this protection.

Example: when the SSL POODLE vulnerability came out, we added protection for it because the servers were vulnerable, but once the servers were patched, the OS was patched, then there was no more need to keep the protection enabled any more.

I think maybe my confusion might be related to performance; maybe I have been here too long and the engine has changed.

But I remember having a customer with the worm catcher protection enabled, and this was spiking all the CPU high, because ALL HTTP traffic was being inspected for a worm; when the customer patched his Windows servers against Code Red/Nimda vulnerabilities, then we disabled worm catcher and his CPU went down.

thanks,

Manuel  

PhoneBoy
Admin

Mentions of Code Red/NIMDA put you back in the days of SmartDefense (pre-R70).
It's fair to say things are quite different now than they were back then. 😁