This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
anas_ather
Participant
‎2020-11-23 06:15 AM

R80.40 Threat Prevention IPS Protected Scope or Source / Destination

Hi

I am trying to create a threat prevention policy where traffic from

(DMZ -> Inside networks) and (Inside networks -> DMZ)  -----  IPS Profile in Detect mode 

(DMZ+Inside -> Internet) and (Internet -> DMZ+Inside)  -----  Same IPS Profile in Prevent mode 


I can do that using hidden columns of source and destination in Threat Prevention Policy and also creating objects for inside, DMZ and internet (Negated cell of inside networks)

and by also cloning the existing IPS profile and changing all actions to detect mode

but isnt there a better and cleaner way of doing this using scopes and not having to use Source, Destination columns, and also avoid cloning or duplication of Current IPS profile

 

Thanks 

Kind Regards

Labels
0 Kudos
5 Replies
Wolfgang
Authority
Authority
‎2020-11-23 06:57 AM

@anas_ather 

you can define an exception for IPS-blade and set this to "detect" like this:

IPS_exception.png

 

 

 

Wolfgang

0 Kudos
anas_ather
Participant
‎2020-11-23 07:29 AM
In response to Wolfgang

Thanks Wolfgang for screenshot, but you have done this as Exception? (Is it because of detect action?)

instead of a rule

Internal Zone is a zone object?

 

Thanks

Kind Regards

0 Kudos
Wolfgang
Authority
Authority
‎2020-11-23 12:08 PM
In response to anas_ather

@anas_ather 

Rule 1 has DMZzone as protected scope, this means all connection to and from DMZzone are protected with the optimised TP-profile with all enabled blades (IPS, AVIR, ABOT, TE, TP).

Rule E-1.1 is an exception of rule 1. For all connections between DMZzone and INTERNALzone and vice versa the IPS blade works only in detect mode.

There is no need to create a new profile with all IPS protections set to detect. Yes, DMZzone and INTERNALzone are zone objects. But this is shown only as an example. You can replace them with your network or group objects to fit your needs.

To secure all connections you can set the protected scope in rule 1 to any or you can set to DMZzone and INTERNALzone to match your described configuration accurately.

Wolfgang

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-11-23 07:01 AM

Usually, an IPS Profile in Detect mode is only used in the first IPS deployment phase - as the load on the GW will be the same if detect or prevent is on, Detect makes not much sense in production, taking ressources but doing logs only. Cleanest way is to group the DMZ and internal networks and use them in a rule as you wrote above. Cloning of the IPS policy is needed, too.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
anas_ather
Participant
‎2020-11-23 07:31 AM
In response to G_W_Albrecht

Thank you G_W_Albrecht, Yes business has been in detect mode for a week now but they cannot afford to loose even a pico second of drops and want to be very cautious

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top