Regarding IPS Update
Hi
If we have auto update disabled for IPS signature updates, and have also disabled the automatic activation of IPS protections:
1) How to make sure/review which protections/signatures were downloaded recently and staged to install on GWs?
2) How to review to understand whether it can cause an issue with the existing infrastructure based on application behavior?
Any input please would be highly appreciated.
Accepted Solutions
1. If you've disabled auto-updates, you will not have any recently downloaded protections. When you do have auto-updates enabled, new/updated protections are flagged for follow-up. You can filter based on what's flagged for follow-up in the IPS Protections part of SmartConsole. I would recommend clearing all the currently flagged protections using the Cleanup Options to give yourself a clean baseline. Once you've assessed a new protection and decided what to do with it, clear the follow-up flag.
2. This is what 'Staging' is for. New protections that would auto-activate based on the profile settings (based on configured severity and performance impact settings) activate in detect mode. This will assess the traffic against the protection and produce a 'detect' log if it would block something, without actually blocking it. With this information, you can decide whether this is a protection that you would like to enable in protect mode (simply clear the 'staging' flag from the protection and it will auto-activate into prevent mode). If you assess it to be a false positive, you can override the automatic setting into the appropriate mode.
The follow-up flags and auto-activation settings are there to assist you in putting together a process around managing IPS protections. Just make sure that you keep up with it, else you'll end up with hundreds of protections in staging mode and not actually have any protection benefit from the IPS blade.
