Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
NeilDavey
Collaborator
Jump to solution

IPS Updates for Optimized Profile

I have started to use the Optimized Profile for my IPS, however I have noticed protections that should be enabled according to the Check Point IPS Update email, yet its actually inactive.

Please see example.

Advantech WebAccess SCADA Stack-based Buffer Overflow
(CVE‑2019‑3975: CVE‑2019‑3951) should be set as activated but has not been.

Anyone know why this would be case and how I could fix this?

 

 

0 Kudos
1 Solution

Accepted Solutions
NeilDavey
Collaborator

Thought I would reply with the the reply from TAC incase anyone was interested:

This is indeed the thing I was planning to check on the Protections. Optimized profile does not automatically enable Protection under "Product Prevalence - Scarce", only Common, as to not impact Firewall productivity with a load.
"Strict" Profile is the one that has all protection enabled by default.
You can either switch to Strict profile or re-configure Optimized profile (by cloning it).

I also raised the question about why on the IPS News Emails sometimes the Protections are ticked or not next to the relevant Protection/Profile and this was the reason:

I reached people responsible for this email feed, and the 'tick' on the Profile does not mean the Protection is enabled by default - those configurations are to be done by user on SmarConsole. Note that "tick' is also on Basic Profile, which has less amount of Prevent by default.
As to what 'tick' means exactly, unfortunately I cannot say.

Hope this helps anyone else if they were interested.

 

View solution in original post

6 Replies
Martin_Valenta
Advisor

New protections are not included right after they have been announced.

Try to check on Profile if IPS > Updates is set to Active or not for "Newly Updated protections"

 

0 Kudos
NeilDavey
Collaborator

Thanks for the comment but that's not the case.

My setting is the same as yours:

Newly downloaded protections will be set to - Active - According to profile settings

From my screenshots, the other 2 IPS protections are set according to the policy but one of them isn't.

Looking at the 2 High ones, 1 is set and 1 isn't.  They are the same on Performance Impact, Severity and Confidence Level so they should both be set as Active but my policy decides to leave one as inactive and I can't see a reason why.

I have others as well but only raised this now to see if anyone else can see a reason as to why.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I would ask TAC for an explanation !

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Shiran_Gold
Employee
Employee

Hey,

 

This protection is not a part of Optimized profile as it does not have "Product Prevalence: Common" tag.

optimized.PNG

 

 

 

 

 

Thanks

Shiran

NeilDavey
Collaborator
Thanks for the suggestion.

I have a TAC call open now and have sent some screenshots for investigation.

However, this wouldn't make sense to me if it is the the case. The IPS News emails, state the Protection Name and whether it is enabled on the relevant R80 Profile (Optimized or Strict).

If it has a tick next to it on the email notification then it should be enabled on IPS for Check Point as this is a builtin profile that cannot be changed.

If its because of the Protection not having (Product Prevalence - Common) on the protection , then it shouldn't say enabled on the IPS emails.

I will see what TAC suggest on this.
0 Kudos
NeilDavey
Collaborator

Thought I would reply with the the reply from TAC incase anyone was interested:

This is indeed the thing I was planning to check on the Protections. Optimized profile does not automatically enable Protection under "Product Prevalence - Scarce", only Common, as to not impact Firewall productivity with a load.
"Strict" Profile is the one that has all protection enabled by default.
You can either switch to Strict profile or re-configure Optimized profile (by cloning it).

I also raised the question about why on the IPS News Emails sometimes the Protections are ticked or not next to the relevant Protection/Profile and this was the reason:

I reached people responsible for this email feed, and the 'tick' on the Profile does not mean the Protection is enabled by default - those configurations are to be done by user on SmarConsole. Note that "tick' is also on Basic Profile, which has less amount of Prevent by default.
As to what 'tick' means exactly, unfortunately I cannot say.

Hope this helps anyone else if they were interested.

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events