cdav
Collaborator

Threat Prevention Rule/Profile Matching

I have a custom threat policy with three rules defined for IDS purposes - no prevent. The rules have 3 different threat profiles:

  • one for high performance impact and below,
  • one for medium performance impact and below
  • one for low/very low performance impact.

Each rule has a different protected scope. The high performance impact profile is at the top and the low performance impact profile is at the bottom.

In the logs I see the low performance impact rule detecting high performance impact protections.

I do not understand why. Is anyone able to advise or should I raise with TAC?

Screenshot 2025-04-17 at 08.23.55.png

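As an added illustration that is not part of the original post or of Check Point's own tooling, the following Python models the rulebase described above (rules matched top to bottom by Protected Scope, each profile activating protections only up to a performance-impact ceiling) and audits constructed log entries for pairings the rulebase could not legitimately produce: a logged rule that is not the first scope match, or a protection whose performance impact sits above the matched profile's ceiling. Rule names, network ranges, log field names and the impact assigned to each protection are constructed assumptions; "either endpoint in scope" and the five-step impact scale are a simplified model of the product's behaviour.

```python
"""Model of the Threat Prevention rulebase described in the question:
rules matched top-down by Protected Scope, each rule carrying a profile
that only activates protections up to a performance-impact ceiling.
Added example, not Check Point code.  Log field names, network ranges
and protection impact values below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Performance-impact scale, lowest to highest.  The page names Very Low,
# Low, Medium and High; "Critical" is added from Check Point's documented
# scale so that "High and below" has something above it (assumption).
IMPACT_RANK = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Profile:
    name: str
    max_impact: str  # highest performance impact this profile activates

    def activates(self, impact: str) -> bool:
        """True if a protection with this impact is active in the profile.
        (Real profiles also filter on severity and confidence; omitted.)"""
        return IMPACT_RANK[impact] <= IMPACT_RANK[self.max_impact]


@dataclass
class Rule:
    name: str
    protected_scope: list  # CIDR strings
    profile: Profile

    def in_scope(self, src: str, dst: str) -> bool:
        """Protected Scope matches if either endpoint is inside it
        (simplified model of the product's scope semantics)."""
        nets = [ipaddress.ip_network(n) for n in self.protected_scope]
        return any(ipaddress.ip_address(ip) in n for ip in (src, dst) for n in nets)


def match_rule(rules, src, dst):
    """First rule, top to bottom, whose scope covers the connection."""
    for rule in rules:
        if rule.in_scope(src, dst):
            return rule
    return None


def audit(rules, logs):
    """Flag log entries the rulebase cannot have produced: the logged rule
    is not the first match for the endpoints, or the logged protection's
    performance impact is above what that rule's profile activates."""
    by_name = {r.name: r for r in rules}
    findings = []
    for e in logs:
        expected = match_rule(rules, e["src"], e["dst"])
        logged = by_name.get(e["rule"])
        if logged is None or logged is not expected:
            findings.append({"rule": e["rule"], "protection": e["protection"],
                             "reason": "rule mismatch: first match is "
                                       + (expected.name if expected else "none")})
        elif not logged.profile.activates(e["impact"]):
            findings.append({"rule": e["rule"], "protection": e["protection"],
                             "reason": f"{e['impact']} impact not activated by profile "
                                       f"{logged.profile.name} (max {logged.profile.max_impact})"})
    return findings


# Rulebase as described: High-and-below at the top, Low/Very Low at the bottom.
PROFILES = {
    "high": Profile("Detect-High-and-below", "High"),
    "medium": Profile("Detect-Medium-and-below", "Medium"),
    "low": Profile("Detect-Low-and-below", "Low"),
}
RULES = [
    Rule("Prod-High", ["10.1.0.0/16"], PROFILES["high"]),       # production (constructed)
    Rule("Shared-Medium", ["10.2.0.0/16"], PROFILES["medium"]),
    Rule("Dev-Low", ["10.3.0.0/16"], PROFILES["low"]),          # dev networks (constructed)
]

# Constructed log entries.  The second reproduces the symptom in the question:
# the Low/Very Low rule logging a protection modelled here as High impact.
LOGS = [
    {"rule": "Prod-High", "protection": "Protection-A", "impact": "High",
     "src": "192.0.2.10", "dst": "10.1.5.20"},
    {"rule": "Dev-Low", "protection": "Sensitive Configuration File Disclosure",
     "impact": "High", "src": "192.0.2.10", "dst": "10.3.7.7"},
    {"rule": "Dev-Low", "protection": "Protection-B", "impact": "Medium",
     "src": "192.0.2.10", "dst": "10.1.9.9"},
    {"rule": "Dev-Low", "protection": "Protection-C", "impact": "Very Low",
     "src": "10.3.1.1", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    for f in audit(RULES, LOGS):
        print(f"{f['rule']}: {f['protection']}: {f['reason']}")
```

Run against an export of real Threat Prevention logs, findings of the second kind (impact above the profile ceiling) are exactly the evidence worth attaching to a TAC case, alongside the IPS database versions on the management server and on the gateway.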
1 Solution

Accepted Solutions
Timothy_Hall
Legend

This "Sensitive Configuration File Disclosure" protection was created very recently on 4/14/2025.  This may be a situation where the gateway automatically updated itself (if it is configured to do so), the gateway picked up this new signature in some network traffic and tried to log it, but there was a mismatch in the IPS database version between the two entities.  This can cause some rather strange logs to appear that don't always make sense.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2


7 Replies
G_W_Albrecht
Legend

Better ask CP TAC for help - I cannot see what you are trying to achieve and how! If different GWs should have different IPS / TP policies, I can use a different profile for each GW. You sound as if the three profiles have the same target GW...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
cdav
Collaborator

Maybe I have misunderstood the use of threat profiles. The intention is to have different levels of inspection based on the performance impact.

E.g. dev networks could have medium or below and production networks could have high or below. Each rule has a different protected scope.

PhoneBoy
Admin
Admin

You understand the purpose of the Threat Profiles correctly.
TAC may be necessary to figure out why this protection is firing.

cdav
Collaborator

Thank you @Timothy_Hall @the_rock

the_rock
Legend

Always welcome!

the_rock
Legend

I am fairly sure you understood how threat prevention works just right. Lots of people do it exactly that way. Personally, I would try disabling the IPS blade, pushing policy, re-enabling it, and pushing policy again. If that does not fix it, I would open a TAC case.

Andy

