Hi All,
I have a Check Point Firewall with a Threat Prevention policy configured on it. The policy is attached in the image for your review. When the confidence level is high or medium, the policy will prevent the threat. If the confidence level is low, the policy will detect threats. I noticed that even though the log severity and confidence levels are high, it is still in detect mode. Is there any particular reason for this? It would be helpful to understand what could be causing this issue so I can take the necessary steps to resolve it. This allows us to further investigate potential threats before they cause any damage.
Best Regards
Which version is the Gateway, R80.40?
@Chris_Atkinson R80.40
Are you able to share more of the detect log card screenshot (you can redact sensitive parts)?
Refer also:
sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot
sk178804: Malware DNS Trap protection in R81 and higher generates "Prevent" logs
In the gateway/cluster object, on the IPS tab, you can choose Detect or According to policy.
If it is set to Detect it will override the policy setting.
Check that setting.
@nooni "According to policy" is selected.
Right, not sure what the issue can be but you could also verify that correct TP profile is being installed on the gateway.
Example command:
gw1> ips stat
IPS Status: Enabled
Active Profiles:
Optimized
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off
If that's the case and you use the "Optimized" profile, you may want to confirm all this with TAC. I had never seen this sort of problem in my 2 labs (R81.10 and R81.20) or in any customer's environment.
Just to make sure the correct policy is applied, the log should also state which Profile was used.
On the Security Gateway run fw stat -b AMW to see exactly which Threat Prevention policy is installed.
Never knew of that command, tx a lot 🙌
@Tal_Paz-Fridman When I use the fw stat -b AMW command, is the optimized policy I was using supposed to be displayed?
It will show the name of the Policy Package that is installed on the Gateway (the last line in the output).
For example:
Policy: PolicyPackage1 Thu Mar 9 11:09:53 2023 (traditional=0)
traditional=0 means it is not Autonomous Threat Prevention
The ips stat command shown previously will show which IPS Profile is used.
I believe Tal is correct, only ips stat will show you the actual profile assigned for threat prevention. However, I have a question for @Tal_Paz-Fridman. Below is the output of those commands on R81.20 (jumbo take 8 in my lab). traditional=1 is there, but I'm NOT using an autonomous policy... thoughts?
Andy
[Expert@quantum-firewall:0]# fw stat -b AMW
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Thu Mar 9 13:59:59 2023 (traditional=1)
[Expert@quantum-firewall:0]# ips stat
IPS Status: Enabled
Active Profiles:
QUANTUM-IPS-PROFILE
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off
[Expert@quantum-firewall:0]#
Please check the Security Gateway object (for example in SmartConsole) to see what is enabled on it.
It works as expected.
New (not in cache) DNS requests are checked in the background, so they are not "prevented", but the verdict will probably arrive fast enough to "prevent" the follow-up HTTP/S connection.
Thanks all, I have opened a TAC case and I will let you know once we have figured out the reason behind it. Thanks for your support.
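The replies above give two gateway commands (ips stat and fw stat -b AMW) and three candidate explanations for a high-confidence log that still shows Detect: a gateway-wide Detect override, a different profile being active than the one expected, and first-seen DNS requests being classified in the background. The following Python helper is an added example, not code from this thread or from Check Point. It parses the two command outputs exactly as pasted above, encodes the rule logic from the original post (High/Medium confidence prevents, Low detects), and lists which of the thread's explanations apply to a simplified log record. The log record keys, the reason codes and the constructed log itself are this example's own assumptions, not Check Point's log schema.

```python
"""Triage a Threat Prevention "Detect" log that the policy should have Prevented.
Added example; parses `ips stat` and `fw stat -b AMW` text and applies the
explanations given in the thread. Log keys and reason codes are assumptions."""
import re

# Command output copied from the posts above (not generated here).
IPS_STAT = """\
IPS Status: Enabled
Active Profiles:
QUANTUM-IPS-PROFILE
IPS Update Version: 635231619
Global Detect: Off
Bypass Under Load: Off
"""

FW_STAT_AMW = """\
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Thu Mar 9 13:59:59 2023 (traditional=1)
"""

# Reason codes returned by triage(); the names are this example's own.
GLOBAL_DETECT = "GLOBAL_DETECT"        # gateway-wide Detect override is On
PROFILE_MISMATCH = "PROFILE_MISMATCH"  # expected profile is not the active one / not the one in the log
RULE_IS_DETECT = "RULE_IS_DETECT"      # the rule for this confidence level says Detect anyway
DNS_BACKGROUND = "DNS_BACKGROUND"      # first-seen DNS request classified in the background (sk74120)
UNEXPLAINED = "UNEXPLAINED"            # nothing on the gateway explains it; take it to TAC


def parse_ips_stat(text):
    """Return IPS status, active profile names and the Global Detect flag."""
    state = {"status": None, "profiles": [], "global_detect": None}
    in_profiles = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Active Profiles:":
            in_profiles = True
            continue
        key, sep, value = line.partition(":")
        if in_profiles and not sep:   # profile names are bare lines (no colon) after the header
            state["profiles"].append(line)
            continue
        in_profiles = False
        if key == "IPS Status":
            state["status"] = value.strip()
        elif key == "Global Detect":
            state["global_detect"] = value.strip().lower() == "on"
    return state


def parse_fw_stat_amw(text):
    """Return per-blade enabled flags and the installed policy (name, time, traditional)."""
    blades, policy = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Policy:\s+(\S+)\s+(.+?)\s+\(traditional=([01])\)$", line)
        if m:
            policy = {"name": m.group(1), "installed": m.group(2), "traditional": m.group(3) == "1"}
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Anti Bot", "Anti Virus", "IPS", "Threat Emulation", "Threat Extraction"):
            blades[key] = value.strip().startswith("Enabled")
    return {"blades": blades, "policy": policy}


def expected_action(confidence):
    """Rule action described in the original post: High/Medium -> Prevent, Low -> Detect."""
    return "Prevent" if confidence.lower() in ("high", "medium") else "Detect"


def triage(gateway, expected_profile, log):
    """Reason codes for a Detect log; gateway = {"ips": ..., "amw": ...} from the parsers above.
    `log` is a constructed dict with keys blade, service, confidence, action, profile."""
    if log["action"].lower() != "detect":
        return []                       # only Detect verdicts need explaining
    reasons = []
    if expected_action(log["confidence"]) == "Detect":
        reasons.append(RULE_IS_DETECT)
    if gateway["ips"]["global_detect"]:
        reasons.append(GLOBAL_DETECT)
    if expected_profile not in gateway["ips"]["profiles"] or log.get("profile", expected_profile) != expected_profile:
        reasons.append(PROFILE_MISMATCH)
    if log["blade"].lower() in ("anti-bot", "anti bot") and log["service"].lower() == "dns":
        reasons.append(DNS_BACKGROUND)
    return reasons or [UNEXPLAINED]


if __name__ == "__main__":
    gw = {"ips": parse_ips_stat(IPS_STAT), "amw": parse_fw_stat_amw(FW_STAT_AMW)}
    print("Installed policy:", gw["amw"]["policy"])
    print("Active IPS profiles:", gw["ips"]["profiles"], "Global Detect:", gw["ips"]["global_detect"])
    # Constructed log in the shape of the original question: high confidence, still Detect.
    log = {"blade": "IPS", "service": "http", "confidence": "High", "action": "Detect",
           "profile": "QUANTUM-IPS-PROFILE"}
    print(triage(gw, "QUANTUM-IPS-PROFILE", log))
```

Run it with the pasted outputs and the constructed high-confidence IPS log and it returns UNEXPLAINED, which is the state the original poster ended up in: policy and profile match, no override, so the next step is the TAC case. Swap in an Anti-Bot log for a DNS request and it returns DNS_BACKGROUND, the explanation in the last technical reply.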