Hi All,
I have a Check Point firewall with a Threat Prevention policy configured on it. The policy is attached in the image for your review. When the confidence level is high or medium, the policy prevents the threat. If the confidence level is low, the policy detects threats. I noticed that even though the log severity and confidence levels are high, it is still in detect mode. Is there any particular reason for this? It would be helpful to understand what could be causing this issue so I can take the necessary steps to resolve it. This allows us to further investigate potential threats before they cause any damage.
Best Regards
Which version is the Gateway, R80.40?
@Chris_Atkinson r80.40
Are you able to share more of the detect log card screenshot (you can redact sensitive parts)?
Refer also:
sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot
sk178804: Malware DNS Trap protection in R81 and higher generates "Prevent" logs
In the gateway/cluster object, on the IPS tab, you can choose "Detect" or "According to policy".
If it is set to Detect, it will override the policy setting.
Check that setting.
@svori "According to policy" is selected.
Right, not sure what the issue can be, but you could also verify that the correct TP profile is being installed on the gateway.
Example command:
gw1> ips stat
IPS Status: Enabled
Active Profiles:
Optimized
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off
If that's the case and you use the "Optimized" profile, you may want to confirm all this with TAC. I have never seen this sort of problem in my 2 labs (R81.10 and R81.20) or in any customer's environment.
Just to make sure the correct policy is applied, the log should also state which Profile was used.
On the Security Gateway run fw stat -b AMW to see exactly what Threat Prevention policy is installed.
Never knew of that command, tx a lot 🙌
@Tal_Paz-Fridman When I use the fw stat -b AMW command, is the Optimized policy I was using supposed to be displayed?
It will show the name of the Policy Package that is installed on the Gateway (the last line in the output).
For example:
Policy: PolicyPackage1 Thu Mar 9 11:09:53 2023 (traditional=0)
traditional=0 means it is not Autonomous Threat Prevention.
The ips stat command shown previously will show which IPS Profile is used.
I believe Tal is correct; only ips stat will show you the actual profile assigned for Threat Prevention. However, I have a question for @Tal_Paz-Fridman. Below is the output of those commands on R81.20 (jumbo take 8 in my lab). traditional=1 is there, but I'm NOT using an autonomous policy... thoughts?
Andy
[Expert@quantum-firewall:0]# fw stat -b AMW
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Thu Mar 9 13:59:59 2023 (traditional=1)
[Expert@quantum-firewall:0]# ips stat
IPS Status: Enabled
Active Profiles:
QUANTUM-IPS-PROFILE
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off
[Expert@quantum-firewall:0]#
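As an added example (my own script, not Check Point's and not something posted in this thread), the following Python parses the two outputs above and lists the conditions that would leave a gateway logging Detect: the IPS blade off, the expected profile not active, or Global Detect on. The sample text is copied (abridged) from Andy's post; reading the "Global Detect" line as the gateway-object Detect override mentioned earlier is my assumption.

```python
import re
# Abridged output copied from Andy's R81.20 lab gateway earlier in this thread.
FW_STAT_AMW = """\
Anti Bot: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Policy: LAB-POLICY Thu Mar 9 13:59:59 2023 (traditional=1)
"""
IPS_STAT = """\
IPS Status: Enabled
Active Profiles:
QUANTUM-IPS-PROFILE
Global Detect: Off
Bypass Under Load: Off
"""
def parse_fw_stat_amw(text):
    """Blade on/off flags plus the installed policy name and traditional flag."""
    out = {"blades": {}}
    for line in text.splitlines():
        m = re.match(r"Policy:\s+(\S+).*\(traditional=(\d)\)", line)
        if m:
            out["policy"], out["traditional"] = m.group(1), int(m.group(2))
        m = re.match(r"([A-Za-z ]+):\s+(Enabled|Disabled|On|Off)\b", line)
        if m:
            out["blades"][m.group(1)] = m.group(2) in ("Enabled", "On")
    return out

def parse_ips_stat(text):
    """'key: value' lines as a dict, plus the names listed under Active Profiles."""
    out, in_profiles = {"profiles": []}, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "Active Profiles:":
            in_profiles = True
        elif ": " in line:
            in_profiles = False
            out.update([line.split(": ", 1)])  # one key/value pair
        elif in_profiles:
            out["profiles"].append(line)
    return out

def check_gateway(fw_text, ips_text, expected_profile):
    """Reasons the gateway may log Detect where the profile says Prevent."""
    amw, ips = parse_fw_stat_amw(fw_text), parse_ips_stat(ips_text)
    findings = []
    if not amw["blades"].get("IPS") or ips.get("IPS Status") != "Enabled":
        findings.append("IPS blade is not enabled on the gateway")
    if expected_profile not in ips["profiles"]:
        findings.append("profile %r is not active; active: %s" % (expected_profile, ips["profiles"]))
    if ips.get("Global Detect") != "Off":
        findings.append("Global Detect is on: the gateway object overrides the profile to Detect")
    return findings
```

Run check_gateway against output saved from each gateway with the profile name your Threat Prevention rule expects; an empty list means none of the three gateway-side causes applies and the log card itself is the next place to look.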
Please check the Security Gateway object (for example in SmartConsole) to see what is enabled on it.
It works as expected.
New (not in cache) DNS requests are checked in the background, so they are not "prevented", but the verdict will probably arrive fast enough to "prevent" the follow-up HTTP/S connection.
Thanks all, I have opened a TAC case and I will let you know once we figure out the reason behind it. Thanks for your support.