Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8th January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point!

The following is available to CheckMates members who are logged in:

  • Slides (will be provided after CPX 360 2020)
  • Video

Q&A will be posted as comments.

The SmartConsole Extension mentioned: https://secureupdates.checkpoint.com/appi/tailoredsafe/extension.json

49 Replies
Oren_Koren
Employee Alumnus
Employee Alumnus

Hey,

IMHO, there two main use-cases you will want to enable protections (that you are saying not relevant to you today):

1. a developer in your company has installed an old version of an Apache server for tests. he doesn't really care about security + it is exposed to the internet == potential Backdoor. he will do it tomorrow, so your security for today is not enought.

2. a director in your company is asking "how many attacks we have had this month from 'cyber POV'". if you didn't enabled the protections, you will not see the REAL threat lanscape against your organizations.

i have seen before cases that customer disabled protections (not exceptions) but it was relevant where they have had lots of people in the InfoSec team + lots of people in the SOC. and still - when i presented TailoredSafe - they have started to use it.

 

the flow of enablment will always be "Detect -> Prevent" + few exceptions for specific scopes.

i think that if you will see a high rate of hits for a specific protection + source+Dest - an exception is the right way.

 

 

Benedikt_Weissl
Advisor

Will it work with SMS R80.40? I'm getting the following warning

 

 

 

 

 

0 Kudos
PhoneBoy
Admin
Admin

Don't know any reason why it shouldn't.
Possible there's an issue with the json we need to correct also.
0 Kudos
asafga
Employee Alumnus
Employee Alumnus

Are you running it with super user permissions?
0 Kudos
Benedikt_Weissl
Advisor

Running it as super user solved the issue, thank you!
Julie_Paul
Employee
Employee

Getting the following error -->  does SME need to be on its own server and not part of management?

 

SME_curl_cli -s -d 'sort=time desc,sequencenum desc&rows=500&fl=severity,https_inspection_action,performance_impact,product,dst,smartdefense_profile,src,confidence_level,type,orig_log_server,orig,marker,stored,domain,protection_name,id&fl=CoreName:[shard]&shards.info=true&is_smartevent_machine=true&q=*:*&fq={!cache=false cost=50}time:[2020-03-16T22:10:43.152Z TO 2020-03-23T22:10:43.152Z]&fq={!cache=false cost=99}protection_name:[* TO *]&TZ=Asia/Jerusalem&shards=http://127.0.0.1:8210/solr/firewallandvpn_2020-03-16T00-00-00&time_from=2020-03-16T00:00:00.000+02:0... text_r text_i&wt=json&indent=true' https://127.0.0.1:8210/solr/template/select

0 Kudos
asafga
Employee Alumnus
Employee Alumnus

Which error do you see? 

The text you sent is the query text. Do you want to share a screenshot?

Thanks

0 Kudos
Julie_Paul
Employee
Employee

Here is the error from the logs.  

0 Kudos
asafga
Employee Alumnus
Employee Alumnus

Please try to run this command on your shell.
Smart event is enabled?
Which management version are you using?
Thanks,
Asaf
0 Kudos
Julie_Paul
Employee
Employee

Asaf

 

Ran the code in the shell came back with 0 items, so it should not have been a failure, but just 0  items reterieved.  The way it looked in the logs, you would think it was broken.

 

R80.40 & yes Smart Event is on.  

 

Think it was a false positive again because the results of the query is 0, but it shows as a failure in the logs.

 

Thanks

 

0 Kudos
asafga
Employee Alumnus
Employee Alumnus

It should return a valid response when the result is 0.
In your case, there was another error.
Which take are you using?
Thanks
0 Kudos
Julie_Paul
Employee
Employee

I am running 

Product version Check Point Gaia R80.40 take 294
OS build 294
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

 

I used the link in the SK164812 for the extension

 

0 Kudos
nacho16v
Explorer

I have a virtualized lab on R80.30 T155, based on a MGMT and a single GW, it has a simple permission rule allowing passing all traffic.


The Threat Prevention rule is very simple, scope ANY, OPTIMIZED profile, protections in DETECT, Blades A-BOT, IPS, Threat Emulation and AV enabled, log, Packet capture and forensics, I have generated not only traffic logs but also Threat logs through Check Me (both for network and endpoint) on a machine connected behind the GW and I have generated both traffic and Threat logs so that when I enabe the extension I can analyze them.

The problem I have is that it does not return anything, it does not give me any error in the different phases since I enabled the extension, but it tells me that I have 0 protections without HITS in DETECT for PREVENT, 0 protections with HITS in DETECT for PREVENT and It has recognized no application so it does not generate any profile for me, however the Threat Prevention and App logs are there.

I launch Tailored safe with admin, as super-user.

I have tried to deactivate Blades and reactivate them, put TE, IPS and A-BOT in Detect Only and launch it, put everything back in “according to policy”, reinstall the extension from the repository mentioned by SK, to check that the logs are there and grow,… ..

¿Do i have to enable Smart Event / Smart Event correlation or something else in the SMS?, based on the SK that describes the extension this is no needed.

0 Kudos
Jean-Francois_G
Explorer

Hello im running gaia R80.30 Hotfix 155

 

Ive imported the extension : https://secureupdates.checkpoint.com/appi/tailoredsafe/extension.json

I then click "Run Analysis"  

1.png

2a.png

I see this screen 

2.png

 

And then i get disconnected after a few minutes3.png

 

And when im trying to reconnect i get this warning 

4.png

 

My cluster and MGMT are both at 80.30 Jumbo Hotfixx 155

 

What should i do ?

 

Thanks !

0 Kudos
asafga
Employee Alumnus
Employee Alumnus

Hi,
Can you please send me a direct email (asafga@checkpoint.com) so I will be able to solve it with you?
Also, if you can send the output of the following command to my email – it will help me debug it for you:
mgmt_cli show gateways-and-servers --format json
Thanks
0 Kudos
Oren_Koren
Employee Alumnus
Employee Alumnus

Hey all,

as always - CheckMates community are getting the first updates 🙂

we have finished the version for Nessus scanner integration into the extension

https://secureupdates.checkpoint.com/appi/tailoredsafe_V2/extension.json

as you can see the link is different from the main version - we didnt integrated it yet due the fact we first want your inputs on it.

Oren_Koren_0-1587507578919.png

 

Oren_Koren_1-1587507594679.png

 

we welcome you to use this version and send us your inputs. 

FYI - most of the inputs from the community members has been addressed and:

  • fixed specific cases for customers in a dedicated session  + deploy the fix to the main version
  • use your inputs to change the methods we work + plan our next mile-stones of the project

KEEP SAFE!

Oren & TailoredSafe Team

RickLin
Advisor
Advisor

Wait for another Vendor support (For example: Rapid7 ).

0 Kudos
Peter_Lyndley
Advisor
Advisor

Hi All,

 

Does Tailoredsafe work on a CMA/DMS ? I've tried it on a couple of DMS that have SmartEvent enabled but I'm getting 0 0 0 no changes required.

Please let me know MDS is R80.30 JHF111 currently

thanks

Peter

0 Kudos
Christopher_To
Collaborator

Hi all,

I ran Tailored Safe extension and created a profile but noticed that the number of protections that are in "prevent" mode are A LOT less than the optimized profile.  Is this normal?  

Before running the extension IPS was in detect only mode with the optimized profile set in the policy.

0 Kudos
Conor_Mulcahy
Contributor

Hi, I've ran tailorsafe on a management server and it come back with there are zero protections in detect with no hits which can't be right. The environment has an SMS with the logging but Smart Event is on it's own dedicated server both running R80.40. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events