s_milidrag
Participant
IPS Core protection - I need help to better understand

Dear team,

I need your help to better understand IPS Core protections.

I found in documentation:

  • IPS Core protections - These protections are included in the product and are assigned per gateway. They are part of the Access Control policy.

Why is that?

If IPS Core protections are assigned globally (per gateway), why in Signature do I have the option to change/assign a different IPS profile to the gateway?

What will happen if I assign a TP profile here that is different from Optimized?

Please see the attached picture.

BR,

Slobodan

15 Replies
Pedro_Espindola
Advisor

Hello Slobodan

Core protections are some general protections that aren't necessarily related to specific software or product vulnerabilities.

They are assigned globally, which means that when you click a signature you will enter the "Core protections" window shown in your screenshot and will change the profile for all core protections. This won't affect the ThreatCloud protections profile, which is assigned in the IPS rules tab.

PhoneBoy
Admin

IPS Core Protections are the Inspection Settings.

Previously these were configured as part of IPS but they were separated in R80.

See also: https://community.checkpoint.com/message/6307-where-did-all-my-ips-protections-go?sr=search&searchId...

Tomer_Sole
Mentor

Actually, IPS Core Protections and Inspection Settings are 2 different things although both installed with Access Control. I wrote about it at https://community.checkpoint.com/thread/5159-where-did-all-my-ips-protections-go 

PhoneBoy
Admin

It would be less confusing if they were listed as part of Inspection Settings, IMO.

Douglas_Zan
Explorer

In my opinion this is very confusing. Is there any reason for these Core Protections to be assigned as a different profile in the Gateway?

Is any change being considered for future versions?

PhoneBoy
Admin

By separating them from IPS protections, it's clear:

  • These protections aren't actually IPS protections (they were just lumped with IPS protections in R70-R77.x)
  • These protections do not require an IPS license to use (because they are actually enforced in the Firewall, not IPS)
  • An Access Policy (Firewall) policy push is required to make changes to the configuration

As far as I know, there are no plans to change this. 

Marques_Harrell
Employee Alumnus

Hey Dameon,

I understand Core Protections and Inspection Settings are both enforced in the firewall and applied with Access Policy, but what differentiates them from Threat Cloud protections? From what I can tell, it appears that Inspection Settings deal with network packets that are not exhibiting 'normal' behavior but Core Protections have CVE reference numbers similar to Threat Cloud protections so that's where I'm a bit lost in understanding the difference.

Timothy_Hall
Champion

As described in my IPS class, Core Protection/Activations are protections that are in a bit of a "no man's land" between Inspection Settings and IPS ThreatCloud protections.  The only clarification I've been able to get about why Core Protections are handled like this is for "technical reasons".  I suspect that one of the technical reasons was the ability to use Protected Servers definitions to more precisely control which defined servers would have these Core Activations applied to them.  The Protected Servers mechanism is obsolete in R80.10+ due to the ability to apply different IPS profiles to the same gateway with separate Threat Prevention rules.  Another reason might be that they are not typically just set to Prevent/Detect/Inactive and have various individual adjustments under a "See Details..." link; and also that exceptions must be added for each Core Protection individually.  You can't add a single exception rule for a group of Core Activations or for "Any" of them.

Most of the Core Activations look like they belong under Inspection Settings to me since they are looking for various network protocol weaknesses.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Marques_Harrell
Employee Alumnus

Thank you Tim, that is helpful

Timothy_Hall
Champion

Note that Geo Protection (now called "Geo Policy" in R80+ management) was also separated from the IPS blade and has its own profile assignments per gateway.

PhoneBoy
Admin

And in R80.20, you can do Geo rules in the regular Access Policy 🙂

Timothy_Hall
Champion

> And in R80.20, you can do Geo rules in the regular Access Policy 

How is this done in R80.20?  Can't seem to find it...

Using GEO Location Objects in Firewall Policy (with Dynamic Objects), brilliant as it is, doesn't count.  🙂

PhoneBoy
Admin

Click on the + in the Source/Destination field of a rule.

Select Import > Updatable Objects.
You can find updatable objects for:

  • AWS Services
  • Office 365
  • Country Objects

Timothy_Hall
Champion

Because Geo Policy can now be implemented directly in the Network Policy Layer (among others) using updatable objects in R80.20 management, I assume these can be applied via policy to the Gaia Embedded appliances models 1100-1400 running R77.20.XX?  There has been a longstanding limitation that these models do not directly support the separate Access Control Geo Policy/Protection feature (which I assume still applies in R80.20), but using these updatable objects as shown above appears to be a way to achieve the same effect on these models via the main Access Control policy layers.  Is my assumption correct Dameon Welch-Abernathy?

PhoneBoy
Admin

This feature requires R80.20 gateway support as the updating of these objects occurs on the gateway.

Which means the SMB appliances do not support this functionality currently.
