ihenock101
Collaborator

Threat Prevention Policy

Hi All,

I have a Check Point firewall with a Threat Prevention policy configured on it. The policy is attached in the image for your review. When the confidence level is high or medium, the policy will prevent the threat. If the confidence level is low, the policy will detect threats. I noticed that even though the log severity and confidence levels are high, it is still in detect mode. Is there any particular reason for this? It would be helpful to understand what could be causing this issue so I can take the necessary steps to resolve it. This allows us to further investigate potential threats before they cause any damage.

Best Regards

15 Replies
Chris_Atkinson
Employee

Which version is the Gateway, R80.40?

CCSM R77/R80/ELITE
ihenock101
Collaborator

@Chris_Atkinson R80.40

Chris_Atkinson
Employee

Are you able to share more of the detect log card screenshot (you can redact sensitive parts)?

Refer also:

sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode

sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot

sk178804: Malware DNS Trap protection in R81 and higher generates "Prevent" logs

CCSM R77/R80/ELITE
svori
Contributor

In the gateway/cluster object, on the IPS tab, you can choose Detect or According to policy.

If it is set to Detect it will override policy setting.

Check that setting.

ihenock101
Collaborator

@svori "According to policy" is selected.

svori
Contributor

Right, not sure what the issue can be, but you could also verify that the correct TP profile is being installed on the gateway.

Example command:

gw1> ips stat
IPS Status: Enabled
Active Profiles:
Optimized
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off

 

the_rock
Legend

If that's the case and you use the "Optimized" profile, you may want to confirm all this with TAC. I have never seen this sort of problem in my 2 labs (R81.10 and R81.20) or any customers' environment.

Tal_Paz-Fridman
Employee

Just to make sure the correct policy is applied, the log should also state which Profile was used.

On the Security Gateway run fw stat -b AMW to see exactly what Threat Prevention policy is installed.

the_rock
Legend

Never knew of that command, thanks a lot 🙌

ihenock101
Collaborator

@Tal_Paz-Fridman When I use the fw stat -b AMW command, is the Optimized policy I was using supposed to be displayed?

Tal_Paz-Fridman
Employee

It will show the name of the Policy Package that is installed on the Gateway (the last line in the output).

For example:

Policy: PolicyPackage1 Thu Mar 9 11:09:53 2023 (traditional=0)

 

traditional=0 means it is not Autonomous Threat Prevention

The ips stat command shown previously will show which IPS Profile is used.

the_rock
Legend

I believe Tal is correct, only ips stat will show you the actual profile assigned for threat prevention. However, I have a question for @Tal_Paz-Fridman. Below is the output of those commands on R81.20 (jumbo take 8 in my lab). traditional=1 is there, but I'm NOT using an autonomous policy... thoughts?

Andy

 

[Expert@quantum-firewall:0]# fw stat -b AMW
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Thu Mar 9 13:59:59 2023 (traditional=1)
[Expert@quantum-firewall:0]# ips stat
IPS Status: Enabled
Active Profiles:
QUANTUM-IPS-PROFILE
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off
[Expert@quantum-firewall:0]#

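The replies above amount to a short triage procedure: check the gateway-level Detect override (svori), the installed policy package and its traditional flag (Tal_Paz-Fridman), and the active IPS profile (ips stat). The script below, added here as an example and not part of the thread or of Check Point's tooling, applies those checks to captured output of the two commands. The sample output is constructed to follow the format of the_rock's paste; the "Global Detect: On" wording for the overridden state is an assumption (only the "Off" form appears in the thread), and treating a non-Enabled IPS blade line as a finding is the author's own check, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): triage "detect instead of prevent" from the
# output of `fw stat -b AMW` and `ips stat`. The two samples below are constructed;
# on a real gateway capture them with:
#   fw stat -b AMW > amw.txt ; ips stat > ips.txt
# and pass "$(cat amw.txt)" "$(cat ips.txt)" to tp_triage.

# Constructed sample of `fw stat -b AMW`, modelled on the paste above.
AMW_SAMPLE='Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Thu Mar 9 13:59:59 2023 (traditional=1)'

# Constructed sample of `ips stat` with the gateway-level override switched on.
# ASSUMPTION: the overridden state is rendered as "Global Detect: On".
IPS_SAMPLE='IPS Status: Enabled
Active Profiles:
QUANTUM-IPS-PROFILE
IPS Update Version: 635231619
Global Detect: On
Bypass Under Load: Off'

# amw_policy OUTPUT: the installed policy package name from the "Policy:" line.
amw_policy() {
    printf '%s\n' "$1" | awk '/^Policy:/ { print $2 }'
}

# amw_traditional OUTPUT: the N in "(traditional=N)" at the end of the Policy line.
amw_traditional() {
    printf '%s\n' "$1" | sed -n 's/.*(traditional=\([0-9]*\)).*/\1/p'
}

# amw_blade NAME OUTPUT: first word after "NAME: " (Enabled/Disabled/On/Off).
amw_blade() {
    printf '%s\n' "$2" | awk -F': ' -v b="$1" '$1 == b { split($2, a, " "); print a[1] }'
}

# ips_profile OUTPUT: the profile name(s) listed under "Active Profiles:",
# i.e. every line up to the next "key: value" line.
ips_profile() {
    printf '%s\n' "$1" | awk '/^Active Profiles:/ { grab=1; next } grab && /:/ { exit } grab { print }'
}

# ips_global_detect OUTPUT: the value of the "Global Detect:" line.
ips_global_detect() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "Global Detect" { print $2 }'
}

# tp_triage AMW_OUTPUT IPS_OUTPUT: print what is installed, then any gateway-level
# condition that would explain Detect logs despite Prevent in the profile.
# Returns 0 when nothing was found, 1 when at least one finding was printed.
tp_triage() {
    amw=$1; ips=$2; rc=0
    echo "policy package : $(amw_policy "$amw") (traditional=$(amw_traditional "$amw"))"
    echo "IPS blade      : $(amw_blade IPS "$amw")"
    echo "active profile : $(ips_profile "$ips")"
    if [ "$(ips_global_detect "$ips")" = "On" ]; then
        echo "FINDING: Global Detect is On; the gateway object overrides the profile's Prevent actions"
        rc=1
    fi
    if [ "$(amw_blade IPS "$amw")" != "Enabled" ]; then
        echo "FINDING: IPS blade is not enabled on this gateway, so the IPS profile is not enforced"
        rc=1
    fi
    return $rc
}

# Run against the constructed samples; the override sample produces one finding.
tp_triage "$AMW_SAMPLE" "$IPS_SAMPLE" || echo "=> a gateway-level setting forces Detect"
```

The profile name reported by ips_profile is what the log card's profile field should match; if the two differ, the wrong package was installed, which is the check Tal_Paz-Fridman suggests. The min_severity and min_confidence values on the "more:" line are left unparsed here because the thread does not explain them.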
Tal_Paz-Fridman
Employee

Please check the Security Gateway object (for example in SmartConsole) to see what is enabled on it.

yalmog
Employee

It works as expected.

New (not in cache) DNS requests are checked in the background, so they are not "prevented", but the verdict will probably arrive fast enough to "prevent" the follow-up HTTP/S connection.

ihenock101
Collaborator

Thanks all, I have opened a TAC case and I will let you know once we figure out the reason behind it. Thanks for your support.
