Is there a new way to handle IPS protection updates?
Several additions to the IPS Protections page for R80.10 (currently available in EA through Check Point User Center):
- Logs for all protections in current filter: When you filter the protections, you can select to see logs for all the protections given by the filter. Available from either the toolbar under "Actions", or from the logs bottom pane by clicking "Show logs for all protections in this view". This can be used to see logs for all protections marked as staging which, as some of you mentioned, is a gap closure from R77.30. Logs for IPS Protections in staging are also available from the SmartLog or SmartEvent queries tree.
Your feedback is welcome.
Updated bottom pane:
IPS-related queries from Logs & Monitor:
Follow-up flags are not supported in R80. They are expected to return with new capabilities in the next releases of the Security Management - the option to have multiple categories of flags, for example.
Staging Mode takes more presence in R80. After performing an IPS Update, all new protections are in "staging mode", which is Detect, with a small icon that represents that no manual action was yet taken by the admin. The IPS Protections view has a filter "staging" on the right side of the view.
For more on Staging IPS Protections, see What are IPS Staging Protections? And how do we clear them?