CheckMates > Products > Quantum > Threat Prevention
No prevent option in IPS signature
Hi,
We have only the Detect option available for the “Host Port Scan” category, so we can't prevent this from our IPS rules. We cannot block the source IP, as it is being used as a NAT IP (a public IP from another branch) for many users.
If we don't have an option to prevent, can we have a TCP session limit for the source IP from the user pool? If it can be done, what is the procedure?
Regards,
Sagar Manandhar
Sagar,
If the source of the scans is NATed by the Check Point gateway itself, you should still be able to identify it by the actual IP and treat its traffic in IPS whichever way you want.
If it is being NATed by another device before hitting the Check Point, the best course of action will be to exempt the CP GW from its scanner's configuration.
Incidentally, do you have a stealth rule configured in your policy?
What effect, if any, does it have on this traffic?
Cheers,
Vladimir
No, it's not the Check Point IP. We have been using different public IPs in different branches; it's coming from there.
Then either configure the scanner exemptions or their scopes.
Alternatively, at the branch in question you can play with ACLs to only allow necessary traffic to predetermined scopes from the original source IP, but it may prove labor intensive.
If you configure User Defined Alerts, you can time out connections that meet the criteria for the Host Port Scan IPS signature:
SK110873 - How to configure Security Gateway to detect and prevent port scan
