Implementing IPS

In This Section:

Initial Installation

Collecting IPS Logs

Analyzing the Initial Logs

Configuring IPS to Protect the Network

Initial Installation

The Check Point IPS Software Blade uses thousands of protections to keep your network safe. When you set up IPS for the first time, it is impossible to run a signature analysis for each protection. While you implement IPS, you can use a mirror port or a TAP server or appliance to run an analysis on the traffic. We recommend that you deploy IPS in-line when you enable Prevent mode.

The Recommended Profile is defined to give excellent security with good gateway performance. This profile enables all protections to:

Updating Protections

The IPS Software Blade includes the protections available when the software was first released. The first time that you enable IPS, it is important to update and download the most recent protections.

To update the IPS protections:

Note - We recommend that you select the checkbox to enable revision control before you download a new IPS update.

  1. Log in to SmartDashboard.
  2. From the navigation tree in the IPS tab, click Download Updates.

    The Download Updates window opens.

  3. Click Update Now.
  4. If necessary, enter the User Center credentials.

Cloning the Profile

Make a copy of the Recommended Profile before you start the initial IPS tuning. Make sure that all changes are only on the cloned profile. For a Multi-Domain Server deployment, we recommend that you create a separate IPS policy and perform these steps for each segment.

To clone the Recommended Profile:

  1. From the navigation tree in the IPS tab, click Profiles.

    The Profiles window opens.

  2. Right-click the Recommended_Profile and select Clone selected profile.

    The new profile is added to the list of profiles.

Configuring the Profile

For the initial analysis of the IPS inspection, configure the profile settings with Troubleshooting mode enabled.

The default action for the protections is Prevent. However, when Troubleshooting mode is enabled, the protections run in Detect. During this initial analysis, you detect security events and generate logs. IPS blocks malicious traffic only after the initial analysis and tuning are complete.

When you configure the profile:

To configure the profile:

  1. From the navigation tree in the IPS tab, click Profiles.

    The Profiles window opens.

  2. Double-click the profile.

    The General page of the Profile Properties window opens.

  3. In the IPS Mode section, select Prevent.
  4. From the navigation tree, click IPS Policy > Updates Policy.
  5. For Newly downloaded protections will be set to, select Prevent.
  6. From the navigation tree, click Troubleshooting.
  7. Click Detect-only.

    The window shows this message: Detect-Only for Troubleshooting is enabled.

  8. Click OK.

Some protections require further configuration. For example, email protections require you to configure a mail server. See Email Protections.

Scheduling IPS Updates

You can schedule periodic updates of the IPS protections based on your organization's needs and policies.

Configure the regular IPS updates for the profile. We recommend that you use all of these settings:

To schedule IPS updates:

  1. From the navigation tree in the IPS tab, click Download Updates.

    The Download Updates window opens.

  2. Click Apply Revision Control.
  3. Click Check for new updates while SmartDashboard is active.
  4. Click Scheduled Update.

    The Scheduled Update window opens.

  5. Click Enable IPS scheduled update.
  6. Click Edit Schedule.
  7. Configure a daily IPS update.
  8. Click OK.
  9. If necessary, click User Center credentials, and enter the User Center username and password.
  10. Click OK.

Configuring the Security Gateway Performance Settings

When the IPS Software Blade is enabled on a Security Gateway, it can affect the network performance. We recommend that you configure the gateway to bypass IPS inspection when there is a heavy load on the server or appliance.

To configure bypass under load on the gateway:

  1. From the navigation tree in the IPS tab, click Enforcing Gateways.

    The Enforcing Gateways window opens.

  2. Double-click the gateway that runs IPS analysis on the traffic.

    The IPS page of the gateway window opens.

  3. In the Bypass Under Load section, click Bypass IPS inspection when gateway is under heavy load.
  4. Click Advanced.
  5. Change the settings for the CPU and Memory Usage:
    • Low - 50%
    • High - 80%
  6. Click OK.

Installing the Policy

Install the policy to push the IPS profile to the gateway.

Collecting IPS Logs

Install the policy with the new profile and let it run IPS analysis and generate logs for at least a week. We recommend that you wait two weeks before you disable Troubleshooting mode and enable the Prevent protections.

Note - While you run IPS analysis, all protections run in Detect mode and the gateway cannot block the attacks that IPS detects.

Analyzing the Initial Logs

After you collect the IPS logs, analyze them to determine the mode for each IPS protection:

For each IPS protection:

  1. Look at the generated log and use the attached traffic capture to investigate it. A traffic capture can be enabled for each protection separately.
  2. If a SOC department exists, a SOC engineer should analyze the logs further to confirm or rule out a true positive.
  3. Low confidence and application control protections may generate many false positive (FP) logs. To reduce the number of logs, you can disable protections for products that are not used in your network.

Protections that run in Prevent mode

You do not need to configure these protections. When you disable Troubleshooting mode, these protections automatically run in Prevent mode.

Protections that did not generate any events during the initial tuning remain in Prevent mode. They maintain a high level of security and do not impact network performance.

Protections that generated events only for malicious traffic also remain in Prevent mode. You can identify events as malicious based on:

Protections to run in Detect mode

We recommend that you configure protections that generate events for a wide range of legitimate traffic to run in Detect mode. In addition, report these protections to Check Point for additional analysis and classification.

Protections that require more analysis

Some protections generate events for both legitimate and malicious traffic. One possible reason is that legacy applications often use non-standard traffic and generate an IPS event. We recommend that you look for patterns in the events of the legitimate traffic and create IPS network exceptions. For example, there can be a small set of Source or Destination IP addresses, services, or ports.

If you can identify a pattern for the types of traffic:

  1. Create network exceptions for each type of traffic.
  2. Set the protection to Prevent.

If you cannot identify a pattern:

  1. Set the protection to Detect.
  2. Report the protection to Check Point.
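As an added example (not part of the Check Point documentation), this Python script applies the decision rules from the log analysis above to a constructed set of Detect-mode log records. The record fields, the analyst verdict column and the exception threshold are assumptions.

```python
# Constructed sample of IPS log records from the Detect-only tuning period
# (not real Check Point log output). Fields: protection, source IP,
# destination port, and the analyst's verdict from the SOC review:
# True = confirmed malicious (true positive), False = legitimate traffic.
SAMPLE_LOGS = [
    ("SQL Injection", "203.0.113.7", 80, True),
    ("SQL Injection", "203.0.113.9", 443, True),
    ("Legacy App Anomaly", "10.0.5.10", 8080, False),
    ("Legacy App Anomaly", "10.0.5.10", 8080, False),
    ("Legacy App Anomaly", "10.0.5.11", 8080, False),
    ("Legacy App Anomaly", "198.51.100.4", 8080, True),
    ("Low Confidence Scan", "10.1.1.1", 53, False),
    ("Low Confidence Scan", "10.1.1.2", 53, False),
    ("Low Confidence Scan", "10.1.1.3", 443, False),
    ("Low Confidence Scan", "10.1.1.4", 8443, False),
]
# Protections in the cloned profile, including one that never fired.
PROTECTIONS = ["SQL Injection", "Legacy App Anomaly",
               "Low Confidence Scan", "Buffer Overrun Check"]

# Assumed threshold: up to this many distinct (source, port) pairs counts as
# a pattern narrow enough to cover with IPS network exceptions.
MAX_EXCEPTION_PATTERNS = 3

def classify(protection, logs, max_patterns=MAX_EXCEPTION_PATTERNS):
    """Return (mode, exceptions, report_to_check_point) for one protection."""
    events = [r for r in logs if r[0] == protection]
    legit = {(src, port) for _, src, port, tp in events if not tp}
    malicious = [r for r in events if r[3]]
    if not events or not legit:
        # No events, or only malicious events: keep Prevent, nothing to do.
        return "Prevent", [], False
    if not malicious:
        # Only legitimate traffic triggers it: run in Detect and report it.
        return "Detect", [], True
    if len(legit) <= max_patterns:
        # Mixed traffic with a narrow legitimate pattern: exceptions + Prevent.
        return "Prevent", sorted(legit), False
    # Mixed traffic with no usable pattern: Detect and report it.
    return "Detect", [], True

def tuning_plan(protections=PROTECTIONS, logs=SAMPLE_LOGS):
    """Map every protection in the profile to its tuning decision."""
    return {p: classify(p, logs) for p in protections}

if __name__ == "__main__":
    for name, (mode, exc, report) in tuning_plan().items():
        print(f"{name}: {mode}, exceptions={exc}, report={report}")
```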

Configuring IPS to Protect the Network

When you complete the initial IPS tuning, disable Troubleshooting mode and configure the IPS Software Blade for regular operation. The profile is now configured to maximize performance and security for your network. It is necessary to continue to regularly run maintenance tuning for the IPS protections.

To configure IPS to protect the network:

  1. From the navigation tree in the IPS tab, click Profiles.

    The Profiles window opens.

  2. Double-click the profile.

    The General page of the Profile Properties window opens.

  3. From the navigation tree, click Troubleshooting.
  4. Click Detect-only.

    The window shows this message: Detect-Only for Troubleshooting is disabled.

  5. Click OK.
  6. Install the policy.

    The IPS Software Blade now protects the network.