Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ilmo_Anttonen
Collaborator
Jump to solution

Why does IPS protections set to Prevent show Detect in log?

IPS logs show only detect on protections which have action prevent on newly activated IPS blade.

The Access control policy drops this traffic destined to the external IF of the gateway, is this the reason for detect only action? I thought IPS policy was read before the access control policy. Am I missing something here?

1 Solution

Accepted Solutions
18568
Collaborator

Your gateway is probably in "detect-only" mode:

View solution in original post

0 Kudos
7 Replies
18568
Collaborator

Your gateway is probably in "detect-only" mode:

0 Kudos
Ilmo_Anttonen
Collaborator

Indeed it's in 'detect only' mode. I actively decided to put new activations in staging mode so that I can check what updates do before i deploy them. I only help out this customer once a week so I wouldn't be able to deal with false positives on other days. So I thought that 'detect only' mode reflected that new activations go into staging.

But, I thought this would only affect future updates. When I check my IPS protections, there are none in staging mode. This is what puzzled me.

I'll change to 'According to Threat Prevention policy' instead! That shouldn't untick the staging box under updates I suppose.

Thanks to both of you Benjamin and Günther!

0 Kudos
G_W_Albrecht
Legend Legend
Legend

By default in most IPS Profiles, newly–downloaded ThreatCloud IPS Protections are set to Detect via “Staging Mode”. IPS Protections in Staging Mode are in a provisional mode and will not start preventing traffic until configured to do so by an administrator.

This is from Timothy Hall and found here https://community.checkpoint.com/thread/10122-another-smartconsole-usability-issue 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
John_Richards
Contributor

Having an issue with IPS that is similar, and mode is According to the Profile. The threat should be prevented but is not. The profile is circled in red (prevent) but we get a Detect.

 

Capture.JPG

0 Kudos
Timothy_Hall
Legend Legend
Legend

Is the mode set to Background (Rapid Delivery) on the APCL/URLF Filtering Settings & Threat Prevention Engine Settings screens under Manage & Settings...Blades in the SmartConsole?

Also are you sure in that log card it matched against the ...Optimized-Prevent profile?  Can't see that in your screenshot.

Also do you have the IPS bypass feature enabled?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
John_Richards
Contributor

Yes, background is the Website categorization mode. Not sure what that would have to do with IPS?

Yes, is going against the Optimized Prevent and have a open TAC case as well and they confirmed.

Yes, Bypass IPS inspection when gateway is under heavy load is checked.  Below are all the actions taken on the Web Server Enforcement Violation. Some detect and others prevent on the same policy and exact same IPS protection

 

Capture.JPG

0 Kudos
Timothy_Hall
Legend Legend
Legend

Those logs can't all be for one IPS protection, as the severity and confidence rankings are different on different lines.

I assume you have checked for any rule-based or global exceptions.  Also look in the matching TP profile under IPS...Additional Activation and check what is configured there, although normally this would Inactivate a protection and not set it to Detect.

Beyond that I'll need to see the full log card for a Prevent and another one for Detect on the same IPS signature, and your TP policy containing the rule matching this traffic.  You can PM it to me if you wish.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events