This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2020-05-26 08:23 AM

Threat Prevention Rule matching, once more

Hi everyone,

 

I'm about 90% there with my understanding of rule matching with Threat Prevention layers, but have one specific question:

Assume I have one Threat Prevention layer with two rules

Rule 1:
Protected Scope: Network A
Enabled Blade: IPS

Rule 2:
Protected Scope: Network A
Enabled Blade: Anti-Bot

I would separate like this because I may want different match settings for each blade (e.g. for Activation Mode for IPS, have "Prevent" for only High Confidence and "Detect" for Medium and Low Confidence; for Activation Mode in Anti-Bot, have "Prevent" for High and Medium Confidence).

Question: If traffic matches a signature in Rule 1, but the signature is in "Detect" Mode (it is a Low Confidence IPS signature) would it also be inspected in Rule 2? In this case, would the only way the traffic would be inspected by Anti-Bot would be to have a separate Ordered Layer for Anti-Bot?

Thanks,

Dave

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-05-26 09:00 AM

Rule 1 will be matched against the Network A Protected Scope and only IPS will be applied, rule 2 will not be matched as you can only match one TP rule per individual TP layer.

If you take rule 2 out of that TP layer and put in a new, separate TP layer then yes both rules would be matched and the most restrictive action applied, unless an exception exists.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
David_C1
Advisor
‎2020-05-26 09:01 AM
In response to Timothy_Hall

Thank you,

That's what I expected, but wanted to confirm.

Dave

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events