Threat Prevention

Spaces that discuss Check Point's entire line of Advanced Network Threat Prevention solutions.

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi, on gateways running R80.20, can I do HTTPS inspection on inbound connections that require SNI, since on the server there are some virtual hosts with different certificates? If yes, how? Thanks in advance

IPS Protection filter

Hi, I want to understand what dynamic and static IPS Protections are. Also, if we apply the Optimized profile, does the Basic profile still work? Thanks

IPS packet captures upload to remote servers

Is there any built-in feature which would allow uploading IPS packet captures to remote servers and not just storing them on the gateways? Our SOC team is asking for storage space where they could download those .cap/.eml files.
Omer_Shliva, inside IPS, Anti-Virus, Anti-Bot, Anti-Spam, 11 hours ago

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

The IPS Analyzer Tool collects information about IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics outputs and produces a clear HTML report based on that output. The report indicates which IPS protections are causing critical, high or medium load on the CPU and provides information regarding the load on the Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".

Compress the IPS statistics output folder on the Security Gateway:

[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>

Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.

Run the IPS Analyzer Tool on the unpacked IPS statistics output folder. Open the Windows Command Prompt and run:

C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"

Review the output files:

- AnalyzerReport.html - main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use the Chrome or Firefox browser)
- analyzer.log - log file

*NOTE* The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:

"Threat Prevention Protection - ID NUM"

If a significant portion of these entries is found, then the IPS Software Blade is not the only one impacting the gateway performance, and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short, up to 2 minute survey. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.

For any question please contact: omersh@checkpoint.com

Re: TE Redundancy (NGTX)

Hey, Of course, we can move it. Thanks

Anti-spam and email security blade always bypassing all emails

Non spam bypassed (Temporary scan failure)

From the logs, the Anti-Spam and Email Security blade is always bypassing all emails. It seems the Anti-Spam and Email Security blade is not working well.

IPS Attack direction

Hi everyone, on my Check Point 80.30 I would like to know, for a generic IPS log, which field tells me the direction of the attack, in order to identify who the attacker is, the PC or the server. I think that is simple for the Check Point by looking at the direction of the attack signature. Please do not confuse the TCP/IP session direction with the attack direction. Thanks a lot. Emi

Blocked Senders / Domains is not working on the Anti-Spam blade.

I added someuser@domain.com, but it's still receiving email from that user.

R80.20 IPS Signature For OWASP

Dear Experts, I am looking for an IPS signature for OWASP. Can you please help me find the IPS signature for OWASP? Regards, Rahul Borah

'Water Torture' attack, DDoS against DNS

I don't seem to be able to find a CVE for this attack, so my question is whether the Check Point IPS blade can prevent these attacks, or would that be something one would need DDoS Protector for? A little more info on the attack below.

Title: DNS Label-Prepending and -Substitution ('Water Torture') DDoS Attack Mitigation Recommendations for Authoritative DNS Servers
November 4, 2019

Description: Netscout Arbor have observed a significant recent increase in the prevalence of DNS label-prepending and label-substitution attacks (also known as DNS 'Water Torture Attacks'), which make use of DNS queries for nonexistent, programmatically-generated DNS records to force authoritative DNS servers for targeted organizations to both service the illegitimate DNS queries as well as generate large numbers of NXDOMAIN negative responses. The goal of the attacker in these circumstances is to overwhelm the resources of the authoritative DNS servers, thus rendering online properties of the targeted organization such as Web servers, email servers, et al. unreachable due to failed name resolution. This is an indirect form of application-layer DDoS attack against the critical ancillary DNS name-resolution service, rather than directly attacking the applications and services running on targeted networks; if the DNS names for online resources cannot be resolved, they are effectively rendered unavailable to legitimate users.
Jeff_Gao inside IPS, Anti-Virus, Anti-Bot, Anti-Spam a week ago

Anti-Virus log prompt: "background classification mode was set"

Dear
FW: 23500
Version: R80.10
Hotfix: R80_10_JUMBO_HF_Bundle_T56_sk11638

I have set hold mode, refer to the screenshots below. TP configuration as follows:

But the log shows as follows:

Description: Connection was allowed because background classification mode was set. See sk74120 for more information.

"loop.sawmilliner.com" is a C2 and malware site, as follows:

I have set classification mode to hold, why does it still show "background classification mode was set"? Thanks!

6500 performance

Hello everyone. We are going to implement a Check Point 6500 in our network. We have 500 users and about 250 mb/s ISP traffic, but inside the network there will be about 8 gb/s traffic between VLANs; we have file shares and video files traveling between networks. My question is, is the 6500 appliance able to operate without any problem in my scenario?

HTTP Inspection in R80 - HTTP 0.9 Blocked

I have been kicking this around with support for a few weeks now and hoping to see if anyone else noticed this. We have been on R77.30 for years and started upgrading to R80.20. After upgrading the Security Gateways in a test site to R80 I started noticing some blocked traffic. The request is simply "GET /". The reason info is:

Reason: illegal header format detected: Malformed HTTP protocol name in request
Information: illegal header format detected
Name: Block HTTP Non Compliant

It is definitely blocking due to the lack of the version on the end of the request ("GET / HTTP/1.0"). My argument is that HTTP 0.9, while not widely used, is still used by large vendors like F5 on their default health checks. Has anyone else noticed this behavior when going from R77 to R80? My issue is I do not want to add an exclusion if I can avoid it, because this would disable all HTTP inspection for our load balancers until we could change any health checks, and there seems to be no way to still support HTTP 0.9. Did Check Point deprecate HTTP 0.9 without any notice? Has anyone else noticed this?

Is it possible to export a list of Inspection settings?

Hi, is it possible to export a list of Inspection Settings, as can be done with IPS protections? For IPS there is an "export view" action which exports the protections and their state. Thanks

Help on IPS Blade Log

Hi, since I activated the IPS blade I frequently get log messages with action Accept, source from the internet and destination the outside IP of the Gateway. On the Forensics Details I get:

Reason: HTTP parsing error occurred, bypass request

And the Precise Error is: Illegal URL

Since this is reported by IPS I suspect this is a possible form of attack. Why is it allowed? I did not configure an exception ...
Thanks
Carlos