Enis Dunic

IPS protection set to detect from prevent after update

Discussion created by Enis Dunic on Jun 27, 2018
Latest reply on Jun 28, 2018 by Tomer Sole

Hi,

 

This is probably logical, but it may sometimes surprise you or lead to unwanted behaviour for an IPS protection. Here is the case for the "Apache Struts2 Content-Type Remote Code Execution" protection.

This attack protection was released on 07/03/2017 and updated on 03/06/2018. The protection action was set to Prevent before the update date. Now, since a new update to that protection happened on 03/06/2018, it was set to Detect because of the staging mode. Since you, or a colleague on your IT team, could have installed both "Access control" and "Threat Prevention" for a policy without clearing the staging mode, the action is now set to Detect even though it was previously set to Prevent.

 

Proof of this: notice that after the 02/06/2018 date it is set to Detect.

 

I wish that a protection which was set to Prevent would remain like that even when there is a new update of that same protection. What do you guys think about this?

 

Check Point software does not use Apache Struts 2.x, therefore Check Point software is not vulnerable to any Apache Struts 2 vulnerability. But it could have been something that affects your system.
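One way to catch this kind of silent Prevent-to-Detect change before it reaches production, as an added example that is not part of the original post and not Check Point's own tooling: snapshot the protection actions before applying an IPS update, snapshot them again afterwards, and diff the two. The CSV layout below and the protection names other than the Struts2 one are constructed for the example; dates are written in ISO form (the post's 03/06/2018 is 2018-06-03).

```python
"""Diff two snapshots of IPS protection actions and flag staging regressions.

Added example: the CSV column layout is hypothetical, not a Check Point
export format, and the rows other than the Struts2 protection are made up.
"""
import csv
import io
from dataclasses import dataclass

# Constructed "before the update" snapshot.
BEFORE_UPDATE = """\
protection,release_date,update_date,action
Apache Struts2 Content-Type Remote Code Execution,2017-03-07,2017-03-07,Prevent
Example Protection A,2016-01-10,2016-01-10,Prevent
Example Protection B,2016-05-02,2016-05-02,Detect
"""

# Constructed "after the update" snapshot: the Struts2 protection was updated
# and staged back to Detect; protection C is brand new and also staged.
AFTER_UPDATE = """\
protection,release_date,update_date,action
Apache Struts2 Content-Type Remote Code Execution,2017-03-07,2018-06-03,Detect
Example Protection A,2016-01-10,2016-01-10,Prevent
Example Protection B,2016-05-02,2018-06-03,Detect
Example Protection C,2018-06-03,2018-06-03,Detect
"""


@dataclass(frozen=True)
class Regression:
    protection: str
    old_action: str
    new_action: str
    update_date: str


def parse_snapshot(text):
    """Parse a CSV snapshot into {protection name: row dict}, rejecting duplicates."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["protection"].strip()
        if name in rows:
            raise ValueError(f"duplicate protection in snapshot: {name}")
        rows[name] = {k: v.strip() for k, v in row.items()}
    return rows


def find_regressions(before, after):
    """Protections present in both snapshots that went from Prevent to Detect."""
    found = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue  # new protections are reported separately
        if old["action"] == "Prevent" and new["action"] == "Detect":
            found.append(Regression(name, old["action"], new["action"], new["update_date"]))
    return sorted(found, key=lambda r: r.protection)


def find_new_staged(before, after):
    """Protections that did not exist before and arrived in Detect (staged)."""
    return sorted(n for n, r in after.items() if n not in before and r["action"] == "Detect")


def report(before_text, after_text):
    """Run both checks over two CSV snapshots."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    return {
        "regressions": find_regressions(before, after),
        "new_staged": find_new_staged(before, after),
    }


if __name__ == "__main__":
    result = report(BEFORE_UPDATE, AFTER_UPDATE)
    for r in result["regressions"]:
        print(f"REGRESSION {r.protection}: {r.old_action} -> {r.new_action} (updated {r.update_date})")
    for n in result["new_staged"]:
        print(f"NEW STAGED {n}")
```

Protection B stays in Detect and is deliberately not reported: it was never set to Prevent, so nothing regressed. The regression list is what you would review and set back to Prevent before installing the policy; the new-staged list is the normal staging-mode review queue.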
