Tomer Sole

How to export and import IPS profiles and their overridden protections in R80.10

Discussion created by Tomer Sole Expert on Sep 27, 2018
Latest reply on Sep 27, 2018 by Tomer Sole

Prior to R80, there was a closed-source tool by Check Point called export_import_profile.

Starting with R80:

1. The back-end representation of profiles and protections has changed, so the tool is no longer supported.

2. The open management API lets any customer build their own export and import operations.

Step 1: On the source machine, export the specific Threat Prevention Profile

The show threat-profile command returns a structure of the profile's settings.

Example:

show threat-profile name MyOrganization details-level full

uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"

name: "MyOrganization "

type: "threat-profile"

domain:

  uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"

  name: "Check Point Data"

  domain-type: "data domain"

active-protections-performance-impact: "medium"

active-protections-severity: "Medium or above"

confidence-level-low: "Inactive"

confidence-level-medium: "Prevent"

confidence-level-high: "Prevent"

ips: true

ips-settings:

  newly-updated-protections: "staging"

  exclude-protection-with-performance-impact: false

  exclude-protection-with-severity: false

threat-emulation: true

anti-virus: true

anti-bot: true

Step 2: On the source machine, export the IPS Protections whose action is overridden for this specific Threat Prevention Profile

This part is a little tricky - you have to go over all protections and pick only the ones that have a different action for your profile.

The show threat-protections command returns the protections.

There is no way to get all the IPS Protections in one response, since the output would be so big that the call fails to return. Therefore we have to use the "offset" parameter to advance through the list and fetch 50 protections per call.

In the example below, the first protection happens to have an override action for the "MyOrganization" profile (note the "override" block under that profile). The second protection does not have an override action for the "MyOrganization" profile, so only "default" and "final" appear.

Example:

show threat-protections offset 0 details-level full

protections:
- uid: "8027f5c8-1bac-cf49-99a3-59a89a35cdb6"
  name: "3Com Network Supervisor Directory Traversal"
  type: "threat-protection"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  severity: "High"
  confidence-level: "Medium"
  performance-impact: "Low"
  release-date: "20091124"
  update-date: "20091124"
  profiles:
  - name: "Basic"
    uid: "eb39a60d-c454-49f5-a28c-a89aa5bd2e09"
    default:
      action: "Inactive"
      track: "log"
      capture-packets: false
    final:
      action: "Inactive"
      track: "log"
      capture-packets: false
  - name: "Strict"
    uid: "caf8b711-d762-4c1e-82d5-6af2549b2869"
    default:
      action: "Prevent"
      track: "log"
      capture-packets: false
    final:
      action: "Prevent"
      track: "log"
      capture-packets: false
  - name: "MyOrganization"
    uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
    default:
      track: "log"
      capture-packets: false
    override:
      action: "Prevent"
      track: "log"
      capture-packets: false
    final:
      action: "Prevent"
      track: "log"
      capture-packets: false
  comments: ""
  follow-up: false
  ipsAdditionalProperties:

...
  name: "3Com TFTP Server Transporting Mode Remote Buffer Overflow"
  type: "threat-protection"
  - name: "MyOrganization"
    uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
    default:
      action: "Inactive"
      track: "log"
      capture-packets: false
    final:
      action: "Inactive"
      track: "log"
      capture-packets: false

...


Step 3: On the target machine, create the new profile.

The add threat-profile command creates a new Threat Prevention Profile.

You have to convert the output from step 1 into a command line that passes the same values (nested settings such as ips-settings are passed with dotted keys).

Example:

add threat-profile name MyOrganization active-protections-performance-impact "medium" active-protections-severity "Medium or above" confidence-level-low "Inactive" confidence-level-medium "Prevent" confidence-level-high "Prevent" ips true ips-settings.newly-updated-protections "staging" ips-settings.exclude-protection-with-performance-impact false ips-settings.exclude-protection-with-severity false threat-emulation true anti-virus true anti-bot true

Step 4: On the target machine, set protection actions for the specific protections that were exported at step 2.

The set threat-protection command lets you change the action of the protection for a given profile.

Example:

set threat-protection name "3Com Network Supervisor Directory Traversal" overrides.1.profile MyOrganization overrides.1.action Prevent 
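The following script is an added example, not part of the post and not Check Point's own code. It performs the data handling for steps 2 to 4 on the structures shown above: the offset-based paging loop, the filter that keeps only protections with an "override" block for the profile, the conversion of the show threat-profile output into an add threat-profile command line with dotted keys, and one set threat-protection command per override. The API call is stood in for by fake_fetch_page, and the sample profile and protections are constructed to mirror the two protections in the post. It assumes (not stated on the page) that paged show-threat-protections responses carry a "total" count and that set threat-protection accepts overrides.N.track and overrides.N.capture-packets alongside overrides.N.action.

```python
"""Generate mgmt_cli commands that recreate a Threat Prevention Profile and its
IPS protection overrides on a target machine (added example, not Check Point code)."""
import shlex

# Constructed sample mirroring the show threat-profile output in step 1
# (the trailing space in the name is copied from that output on purpose).
SAMPLE_PROFILE = {
    "uid": "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61",
    "name": "MyOrganization ",
    "type": "threat-profile",
    "domain": {"uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
               "name": "Check Point Data", "domain-type": "data domain"},
    "active-protections-performance-impact": "medium",
    "active-protections-severity": "Medium or above",
    "confidence-level-low": "Inactive",
    "confidence-level-medium": "Prevent",
    "confidence-level-high": "Prevent",
    "ips": True,
    "ips-settings": {
        "newly-updated-protections": "staging",
        "exclude-protection-with-performance-impact": False,
        "exclude-protection-with-severity": False,
    },
    "threat-emulation": True,
    "anti-virus": True,
    "anti-bot": True,
}

# Constructed sample mirroring the two protections in step 2: only the first
# one carries an "override" block for MyOrganization.
SAMPLE_PROTECTIONS = [
    {"name": "3Com Network Supervisor Directory Traversal",
     "profiles": [
         {"name": "Basic",
          "default": {"action": "Inactive", "track": "log", "capture-packets": False},
          "final": {"action": "Inactive", "track": "log", "capture-packets": False}},
         {"name": "MyOrganization",
          "default": {"track": "log", "capture-packets": False},
          "override": {"action": "Prevent", "track": "log", "capture-packets": False},
          "final": {"action": "Prevent", "track": "log", "capture-packets": False}}]},
    {"name": "3Com TFTP Server Transporting Mode Remote Buffer Overflow",
     "profiles": [
         {"name": "MyOrganization",
          "default": {"action": "Inactive", "track": "log", "capture-packets": False},
          "final": {"action": "Inactive", "track": "log", "capture-packets": False}}]},
]

# Identity/metadata fields of the exported profile that must not be replayed.
READ_ONLY = {"uid", "type", "domain"}


def flatten(d, prefix=""):
    """Turn nested dicts into dotted keys, e.g. ips-settings.newly-updated-protections."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        out.update(flatten(v, key) if isinstance(v, dict) else {key: v})
    return out


def cli_value(v):
    """Render a value the way mgmt_cli expects it on a bash command line."""
    if isinstance(v, bool):
        return "true" if v else "false"
    return shlex.quote(str(v))


def build_add_profile_command(profile):
    """Step 3: convert show threat-profile output into an add threat-profile command."""
    settings = {k: v for k, v in profile.items() if k not in READ_ONLY}
    parts = ["mgmt_cli", "add", "threat-profile", "name", shlex.quote(settings.pop("name").strip())]
    for k, v in flatten(settings).items():
        parts += [k, cli_value(v)]
    return " ".join(parts)


def overridden_protections(protections, profile_name):
    """Step 2: keep only protections whose entry for profile_name has an 'override' block."""
    return [(p["name"], prof["override"])
            for p in protections
            for prof in p.get("profiles", [])
            if prof.get("name") == profile_name and "override" in prof]


def build_set_commands(overrides, profile_name):
    """Step 4: one set threat-protection command per overridden protection."""
    cmds = []
    for prot_name, ovr in overrides:
        parts = ["mgmt_cli", "set", "threat-protection", "name", shlex.quote(prot_name),
                 "overrides.1.profile", shlex.quote(profile_name)]
        for k in ("action", "track", "capture-packets"):  # assumed override keys
            if k in ovr:
                parts += [f"overrides.1.{k}", cli_value(ovr[k])]
        cmds.append(" ".join(parts))
    return cmds


def fetch_all_protections(fetch_page, page_size=50):
    """Paging loop for step 2. fetch_page(offset, limit) returns a dict with a
    'protections' list and (assumed) a 'total' count; stops on a short page too."""
    offset, items = 0, []
    while True:
        page = fetch_page(offset, page_size)
        batch = page.get("protections", [])
        items.extend(batch)
        offset += len(batch)
        total = page.get("total")
        if len(batch) < page_size or (total is not None and offset >= total):
            return items


def fake_fetch_page(offset, limit):
    """Stand-in for the API call, serving the constructed sample in pages."""
    return {"protections": SAMPLE_PROTECTIONS[offset:offset + limit],
            "total": len(SAMPLE_PROTECTIONS)}


def export_profile(profile, protections):
    """Full command list for the target machine: add the profile, then its overrides."""
    name = profile["name"].strip()
    return [build_add_profile_command(profile)] + \
        build_set_commands(overridden_protections(protections, name), name)


if __name__ == "__main__":
    for cmd in export_profile(SAMPLE_PROFILE, fetch_all_protections(fake_fetch_page, page_size=1)):
        print(cmd)
```

Against a real management server, replace fake_fetch_page with a function that runs show threat-protections (or calls the web API) with the given offset and limit, run the printed commands on the target machine, and finish with a publish.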
