This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
starmen2000
Advisor
Advisor
‎2024-02-14 08:07 AM
Jump to solution

IPS Core Inspection and Custom Policy Exception Rule

Hi Mates,

 

Quick question,  What is the difference between adding an exception rule in Shared Policies->Inspection Settings->add exception and  Threat Prevention -> Custom Policy-> Add exception

 

Thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2024-02-15 05:08 AM
Jump to solution

There are really 3 kinds of what most administrators would consider IPS Protections or "Signatures", each with their own separate exception mechanism.  Adding an exception in one of these categories will not impact the other two.  Trying to manually add an exception in one of these three categories will almost always be in the wrong one and not do what you want, so the recommendation is to add them by clicking the "Add Exception..." hyperlink in the log card which will always take you to the correct exception category:

1) Inspection Settings - part of Access Control/Firewall blade and enforces secure protocol behavior (146 fixed items)

2) IPS ThreatCloud Protections - Typical IPS blade protections that look for a certain known exploit, and can be updated and added onto with updates from the ThreatCloud (12,800+ items)

3) IPS Core Activations - 39 special signatures that for technical reasons straddle Access Control and Threat Prevention and can be notoriously difficult to deal with (39 fixed items)

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

View solution in original post

4 Replies
the_rock
Legend
Legend
‎2024-02-14 08:26 AM
Jump to solution

Inspection Settings - General

What can I do here?

Use this window to view Threat Prevention protections and their settings.

For configuring individual inspections, see: Inspection Settings

the_rock_0-1707927767930.png

 

Getting Here - Manage & Settings > Blades > General > Inspection Settings > General

 

Inspection Settings

You can configure inspection settings for the Firewall:

  • Deep packet inspection settings

  • Protocol parsing inspection settings

  • VoIP packet inspection settings

The Security Management Server

the_rock_1-1707927767978.gif

 

 comes with two preconfigured inspection profiles for the Firewall:

  • Default Inspection

  • Recommended Inspection

When you configure a Security Gateway

the_rock_2-1707927767979.gif

 

, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

To activate the Inspection Settings, install the Access Control Policy.

Note - In a pre-R80 SmartConsole

the_rock_3-1707927767980.gif

 

, Inspection Settings are configured as IPS

the_rock_4-1707927767980.gif

 

 Protections.

 

*****************************************************************

Exception is more to do with omitting, if you will, specific subnet/group from being "checked" or exempted from specific IPS or av/ab blades protections

 

Thats at least how I understand it, but if Im wrong, Im sure someone will correct me 🙂

Best,

Andy

 

0 Kudos
starmen2000
Advisor
Advisor
‎2024-02-14 12:00 PM
In response to the_rock
Jump to solution

It looks complicated, but if I want to make an exception for ISP, do I need to do it in Custom policy - add exception rule or shared policy - inspection settings - add exception?

0 Kudos
the_rock
Legend
Legend
‎2024-02-14 12:27 PM
In response to starmen2000
Jump to solution

Its its strictly IPS, then you do it from custom policy field. The inspection stuff is mostly for deep packet inspection, I would say. Thats what I remember from old says, even R55 version. It was way different of course, but same principle.

Best,

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-02-15 05:08 AM
Jump to solution

There are really 3 kinds of what most administrators would consider IPS Protections or "Signatures", each with their own separate exception mechanism.  Adding an exception in one of these categories will not impact the other two.  Trying to manually add an exception in one of these three categories will almost always be in the wrong one and not do what you want, so the recommendation is to add them by clicking the "Add Exception..." hyperlink in the log card which will always take you to the correct exception category:

1) Inspection Settings - part of Access Control/Firewall blade and enforces secure protocol behavior (146 fixed items)

2) IPS ThreatCloud Protections - Typical IPS blade protections that look for a certain known exploit, and can be updated and added onto with updates from the ThreatCloud (12,800+ items)

3) IPS Core Activations - 39 special signatures that for technical reasons straddle Access Control and Threat Prevention and can be notoriously difficult to deal with (39 fixed items)

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events