I'm looking for some help with the following: we had a scan event on one of our SFTP edges, which uses the Check Point as its gateway. No data exfiltration or lateral movement has been detected.
Below is an example of the scan in question:
We are looking for a possible solution to this, something like adding a dynamic blacklist, or "timeout". For example, if an IP has 3+ IPS protect triggers within 5 minutes, it is automatically added to a blacklist for 7 days or indefinitely.
I'm not aware whether the IPS module is able to perform such an operation, and as a possible solution we are considering getting a license for SmartEvent and getting something like the config below:
If you have any other ideas that would be much appreciated.
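
The rule described in the post (3 or more IPS triggers from one source within 5 minutes, then a 7-day block), written out as a sliding-window check. This is an added example, not part of the original post and not Check Point functionality; the log format, the `Prevent`/`Detect` action values and the function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                     # IPS hits that trigger a block (from the post)
WINDOW = timedelta(minutes=5)     # look-back window (from the post)
BLOCK_FOR = timedelta(days=7)     # block duration (from the post)

# Constructed sample events: "ISO timestamp, source IP, IPS action".
SAMPLE_LOG = """\
2024-01-10T09:00:00 203.0.113.7 Prevent
2024-01-10T09:00:30 198.51.100.4 Prevent
2024-01-10T09:02:10 203.0.113.7 Prevent
2024-01-10T09:03:00 203.0.113.7 Detect
2024-01-10T09:04:59 203.0.113.7 Prevent
2024-01-10T09:06:00 203.0.113.7 Prevent
2024-01-10T09:20:00 198.51.100.4 Prevent
2024-01-10T09:26:00 198.51.100.4 Prevent
"""

def parse(line):
    ts, ip, action = line.split()
    return datetime.fromisoformat(ts), ip, action

def find_blocks(lines, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Return {ip: (blocked_at, expires_at)} for sources that hit the threshold."""
    hits = defaultdict(deque)   # ip -> timestamps of recent Prevent events
    blocked = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, action = parse(line)
        if action != "Prevent":
            continue                      # count only events the IPS blocked
        if ip in blocked and ts < blocked[ip][1]:
            continue                      # already listed and not yet expired
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = (ts, ts + block_for)
            q.clear()                     # start fresh once the block expires
    return blocked

if __name__ == "__main__":
    for ip, (start, end) in find_blocks(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} blocked {start.isoformat()} until {end.isoformat()}")
```

In the sample, 198.51.100.4 also has three hits but they are spread over 25 minutes, so only 203.0.113.7 is listed.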