Sagar_Manandhar
Advisor

No prevent option in IPS signature

hi,

We only have the Detect option available for the "Host Port Scan" category, so we can't prevent this from our IPS rules. We cannot block the source, as that IP is being used as a NAT IP (public IP from another branch) for many users.

If we don't have the option to prevent, can we set a TCP session limit for the source IP from the user pool? If it can be done, what is the procedure?

Regards,

Sagar Manandhar

4 Replies
Vladimir
Champion

Sagar,

If the source of the scans is NATed by the Check Point gateway itself, you should still be able to identify it by the actual IP and treat its traffic in IPS whichever way you want.

If it is being NATed by another device before hitting the Check Point, the best course of action will be to exempt the CP GW from its scanner's configuration.

Incidentally, do you have a stealth rule configured in your policy?

What, if any, effect does it have on this traffic?

Cheers,

Vladimir

Sagar_Manandhar
Advisor

No, it is not the Check Point IP. We have been using different public IPs in different branches; it is coming from there.

Vladimir
Champion

Then either configure the scanner exemptions or their scopes.

Alternatively, at the branch in question you can play with ACLs to only allow necessary traffic to predetermined scopes from the original source IP, but it may prove labor intensive.

Kyle_Danielson
Employee

If you configure User Defined Alerts, you can timeout connections that meet the criteria for the Host Port Scan IPS signature:

SK110873 - How to configure Security Gateway to detect and prevent port scan
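A sliding-window detector, as an added example not taken from the thread or from Check Point, of the two conditions discussed above: how many distinct ports one source touches on one host (what a Host Port Scan signature keys on) and how many connections one source opens per window (the per-source session-limit idea). The log format and the addresses are constructed; a shared NAT IP trips both counters because every user behind it is aggregated into one source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the thread): "timestamp src dst dport"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 10.0.0.7 22
2024-01-01T10:00:01 203.0.113.5 10.0.0.7 23
2024-01-01T10:00:01 203.0.113.5 10.0.0.7 25
2024-01-01T10:00:02 203.0.113.5 10.0.0.7 80
2024-01-01T10:00:02 203.0.113.5 10.0.0.7 443
2024-01-01T10:00:03 203.0.113.5 10.0.0.7 8080
2024-01-01T10:00:30 198.51.100.9 10.0.0.7 443
2024-01-01T10:00:31 198.51.100.9 10.0.0.8 443
2024-01-01T10:05:00 203.0.113.5 10.0.0.9 443
"""

def parse_log(text):
    """Turn each log line into (timestamp, src, dst, dport)."""
    records = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def port_scan_sources(records, window=timedelta(seconds=60), threshold=5):
    """Flag (src, dst) pairs where src hit >= threshold distinct ports on dst inside one window.
    Returns the largest distinct-port count seen for each flagged pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst)].append((ts, dport))
    flagged = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), len(ports))
    return flagged

def peak_sessions_per_source(records, window=timedelta(seconds=60)):
    """Peak number of new connections each source opened within any sliding window,
    i.e. the value a per-source session limit would be compared against."""
    by_src = defaultdict(list)
    for ts, src, _, _ in records:
        by_src[src].append(ts)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peaks[src] = max(peaks.get(src, 0), end - start + 1)
    return peaks
```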
