Greetings,

I would love to know how people are tuning their IPS policy regarding "false positives." Creating narrow exceptions isn't all that difficult, but how do you determine if you are creating expectations for something that IPS should drop?

In my experience, most firewall administrators will activate their intended level of Threat Prevention Protection, going straight into Prevent Mode, a mix of Prevent and Decect, or Detect only for a while and use the logs to create exceptions.

But every time I look at the list of Global Exceptions, most firewall administrators have trouble explaining their exceptions. It seems that most take the path of least resistance approach. They toss everything that breaks into an exception and call it a day.

This makes sense from a usability point of view, but it's not ideal from a security point of view.

But what tools do we have to determine if something is a "false positive" or not?

Many customers claim that Palo Alto has far fewer "false positives" than Check Point. To test this, I created a Palo Alto PanOS 11.1.2 LAB at home and routed my network through a PanOS VM-series firewall. I usually have it running through a virtual Check Point Gateway. Surprisingly, even running PanOS with IPS in "Strict" didn't cause any issues.

My profile on Check Point Is based on "Optimised", where I have tuned it somewhat by changing it from Medium or Lower on Performance Impact to High or Lower, and instead of having Low Confidence to Inactive instead of Detect.

This was causing some immediate issues, such as Xbox Software updates not working:

Attack Name: Content Protection Violation
Attack Information: Microsoft Media Player BMP file handling buffer overflow (MS06-005)
Protection Name: Microsoft Media Player BMP File Handling Buffer Overflow (MS06-005)
Protection ID: asm_dynamic_prop_wmp
Severity: High
Confidence Level: High
Industry Reference: CVE-2006-0006
Performance Impact: Low
Protection Type: IPS
Description URL: wmp_help.html
Type: Log
Blade: IPS
Origin: external
Product Family: Threat
Lastupdateseqnum: 1
Interface Direction: inbound
Service ID: http
Source Port: 49705
Destination Port: 80
IP Protocol: 6
Session Identification Number:0x65f74f5f,0x3,0x569966d7,0xc1af8946
Policy Rule UID: 9f887ba5-72f7-469b-aecf-980de623d8ff
Threat Prevention Rule ID: 994AB773-A030-41C4-B943-459470D0CE66
Reject ID Kid: 65f74f5f-2-569966d7-c1af8946
Member Id: 1_1
Action: Prevent
Service: TCP
Resource: http://assets1.xboxlive.com/14/8c500d02-8908-4a45-b423-5d8650f3f155/bootrb.bin
Suppressed Logs: 4
Sent Bytes: 0
Received Bytes: 528
Tags: Vendor_MS, Product_Media_Player, Threat_Year_2006, Threat_Prevalence_True, CVSS_9_3, Protection_Type_Vulnerability, Vul_Type_Buffer_Overflow, Product_Prevalence_Common, Tuning_Configurable, File_Type_BMP, Protocol_HTTP, Direction_CLIENT
Bytes (sent\received): 0 B \ 528 B

I won't necessarily say this makes Palo Alto "better". It all comes down to whether this is indeed a "false positive" or not. I find it strange that Palo Alto, even running "Strict", does not react to this, while Check Point labels it as Severity: High, Confidence Level: High. It seems odd for Microsoft to run Xbox system updates in a way that would legitimately trigger IPS protections.

In this scenario, I would consider it a "false positive" based on legitimate Microsoft traffic, Xbox system updates from an Xbox Series X with the resource being "assets1.xboxlive.com". I feel very confident about creating an exception for this traffic.

But I don't know if this traffic is a "false positive" from Check Point or if something about this traffic should indeed trigger the "Microsoft Media Player BMP file handling buffer overflow (MS06-005)" protection.

How would you usually treat and react to IPS protections like this? Would you consider it beneficial or negative for Check Point to seem more aggressive with its IPS protections compared to competitors like Palo Alto?