Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
David_C1
Advisor

Threat Prevention Rule matching, once more

Hi everyone,

 

I'm about 90% there with my understanding of rule matching with Threat Prevention layers, but have one specific question:

Assume I have one Threat Prevention layer with two rules

Rule 1:
Protected Scope: Network A
Enabled Blade: IPS

Rule 2:
Protected Scope: Network A
Enabled Blade: Anti-Bot

I would separate like this because I may want different match settings for each blade (e.g. for Activation Mode for IPS, have "Prevent" for only High Confidence and "Detect" for Medium and Low Confidence; for Activation Mode in Anti-Bot, have "Prevent" for High and Medium Confidence).

Question: If traffic matches a signature in Rule 1, but the signature is in "Detect" Mode (it is a Low Confidence IPS signature) would it also be inspected in Rule 2? In this case, would the only way the traffic would be inspected by Anti-Bot would be to have a separate Ordered Layer for Anti-Bot?

Thanks,

Dave

0 Kudos
2 Replies
Timothy_Hall
Champion
Champion

Rule 1 will be matched against the Network A Protected Scope and only IPS will be applied, rule 2 will not be matched as you can only match one TP rule per individual TP layer.

If you take rule 2 out of that TP layer and put in a new, separate TP layer then yes both rules would be matched and the most restrictive action applied, unless an exception exists.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
David_C1
Advisor

Thank you,

That's what I expected, but wanted to confirm.

Dave

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events