- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dear Team,
OS: R80.20
We enable the Threat Prevention Blade.
Profile: Optimized (Clone)
Activation Mode: Detect (Note: Only for POC later we make as Prevent)
See some prevent logs even we set as Detect
Add Exception for "any any" with the profile (Optimized Clone) and also added port "445" but not worked.
Then we Open the Prevent Logs and click "Go to Profile".
It's showing the Profile "Optimized" even I set as "Optimized (Clone)".
So I Finally "Inactive" that Signature for Optimized and Optimized Clone Profile.
NOTE: Initially I set "inactive" for the Optimized (clone) then I set as "Inactive" for "Optimized " profile as well.
Now it's working fine.
All are up to date.
Question: So is this the known behavior?
Because we create a new profile (Optimized Clone) but still some signature block by (Optimized).
Regards
1 Solution
Accepted Solutions
Actually due to "Microsoft Windows NT Null CIFS Sessions" being an IPS "Core" Protection (instead of a IPS ThreatCloud Protection), believe it or not this is expected behavior. As detailed in my IPS Immersion class, the 39 IPS Core Protections (which have a special "shield with firewall" icon) are in a bit of a no-man's land between ThreatCloud IPS Protections and Inspection Settings in R80.10+.
Note that when looking at the list of IPS Protections, a Threat Prevention (TP) profile action is not shown for this particular Core Protection, and it just says "See Details.." instead:
This is the first indication that the profile dictating how this Core Protection will be applied is not controlled directly in the TP profile being invoked in a TP rule. Even if a TP rule is added calling for all traffic to match against the "Optimized (Clone)" profile as in your example, a visit to the Gateways screen of the "Microsoft Windows NT Null CIFS Sessions" protection shows that the TP profile assignment occurs for all Core Protections per individual gateway on this screen, not via the TP policy:
So this Gateways screen is shared among the 39 Core Protections, and is how the Core Protections are assigned via profile to a gateway. This assignment does not happen via the TP policy like it does for IPS ThreatCloud Protections. IPS Core Protections are definitely a bit odd in how you handle them, hence the use of the term "no-man's land" above. 🙂
Actually due to "Microsoft Windows NT Null CIFS Sessions" being an IPS "Core" Protection (instead of a IPS ThreatCloud Protection), believe it or not this is expected behavior. As detailed in my IPS Immersion class, the 39 IPS Core Protections (which have a special "shield with firewall" icon) are in a bit of a no-man's land between ThreatCloud IPS Protections and Inspection Settings in R80.10+.
Note that when looking at the list of IPS Protections, a Threat Prevention (TP) profile action is not shown for this particular Core Protection, and it just says "See Details.." instead:
This is the first indication that the profile dictating how this Core Protection will be applied is not controlled directly in the TP profile being invoked in a TP rule. Even if a TP rule is added calling for all traffic to match against the "Optimized (Clone)" profile as in your example, a visit to the Gateways screen of the "Microsoft Windows NT Null CIFS Sessions" protection shows that the TP profile assignment occurs for all Core Protections per individual gateway on this screen, not via the TP policy:
So this Gateways screen is shared among the 39 Core Protections, and is how the Core Protections are assigned via profile to a gateway. This assignment does not happen via the TP policy like it does for IPS ThreatCloud Protections. IPS Core Protections are definitely a bit odd in how you handle them, hence the use of the term "no-man's land" above. 🙂
Tue 16 Dec 2025 @ 05:00 PM (CET)
Under the Hood: CloudGuard Network Security for Oracle Cloud - Config and Autoscaling!Thu 18 Dec 2025 @ 10:00 AM (CET)
Cloud Architect Series - Building a Hybrid Mesh Security Strategy across cloudsTue 16 Dec 2025 @ 05:00 PM (CET)
Under the Hood: CloudGuard Network Security for Oracle Cloud - Config and Autoscaling!Thu 18 Dec 2025 @ 10:00 AM (CET)
Cloud Architect Series - Building a Hybrid Mesh Security Strategy across cloudsThu 08 Jan 2026 @ 05:00 PM (CET)
AI Security Masters Session 1: How AI is Reshaping Our World