
Initial IPS Configuration Process

In This Section:

Initial Installation

Updating Protections

Collecting and Analyzing the Initial IPS Events

Protections that Require More Analysis

Scheduling IPS Updates

Initial Installation

The Check Point IPS Software Blade uses thousands of protections to keep your network safe. When you set up IPS for the first time, it is impossible to analyze each protection.

The Optimized Profile gives excellent security with an acceptable performance impact. This profile enables all protections that:

We recommend using the Optimized profile.

Updating Protections

When you enable IPS for the first time, the most recent IPS protections are loaded. We recommend that you run a manual update the first time you update IPS, and then automate the process.

To manually update the IPS protections:

  1. In SmartConsole, click Security Policies > Threat Prevention.
  2. In the Threat Tools section, click Updates.
  3. In the IPS section, click Update Now.
  4. Install the Threat Prevention policy.

Collecting and Analyzing the Initial IPS Events

We highly recommend that you use SmartEvent reports, which give a clear view of the protections that generate logs and make profile tuning easier. For details, see the Check Point R80.10 Logging and Monitoring Administration Guide.

After the first IPS update, let IPS run for at least a week.

When IPS has generated logs, review the logs and use this guide to set the protection’s mode to one of these:

Protections with high confidence can be set to Prevent, because Check Point has closely monitored and analyzed these protections.

Protections that generated events only for malicious traffic should be set to Prevent.

Use these indicators to identify events as malicious:

Protections that did not generate any events during the initial tuning can be set to Prevent mode.

Protections that Require More Analysis

Some protections generate events for both legitimate and malicious traffic. One possible reason is that legacy applications often use non-standard traffic and generate IPS events. We recommend that you look for patterns in the events of the legitimate traffic and create IPS network exceptions. For example, there can be a small set of Source or Destination IP addresses, services or ports.

If you can identify a pattern for the types of traffic:

  1. Create network exceptions for each type of traffic.
  2. Set the protection to Prevent.

If you cannot identify a pattern:

  1. Set the protection to Detect.
  2. Report the protection to the Check Point Support Center http://supportcenter.checkpoint.com.
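The tuning rules from "Collecting and Analyzing the Initial IPS Events" and this section, as an added Python example (not Check Point's own tooling): it classifies each protection from constructed sample events and, before proposing a network exception, checks that the shared pattern does not also cover the malicious events. The event fields, the "High" confidence label and the "small set" size of two are assumptions.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "protection confidence src dst service malicious")

# Constructed sample IPS events (not real logs); "malicious" is the reviewer's verdict.
EVENTS = [
    Event("SQL Injection", "High", "203.0.113.7", "10.0.0.5", "tcp/80", True),
    Event("SQL Injection", "High", "203.0.113.9", "10.0.0.5", "tcp/80", True),
    Event("Legacy RPC", "Medium", "10.0.1.20", "10.0.0.8", "tcp/135", False),
    Event("Legacy RPC", "Medium", "10.0.1.21", "10.0.0.8", "tcp/135", False),
    Event("Legacy RPC", "Medium", "198.51.100.4", "10.0.0.8", "tcp/135", True),
    Event("Odd Encoding", "Low", "10.0.2.1", "10.0.0.9", "tcp/8080", False),
    Event("Odd Encoding", "Low", "10.0.2.2", "10.0.0.9", "tcp/443", False),
    Event("Odd Encoding", "Low", "10.0.2.3", "10.0.0.9", "tcp/22", False),
    Event("Odd Encoding", "Low", "10.0.3.4", "10.0.0.9", "tcp/8081", True),
]
# Protections enabled in the profile (constructed names); "Old Worm" logged nothing.
PROFILE = ["SQL Injection", "Legacy RPC", "Odd Encoding", "Old Worm"]


def exception_pattern(legit, malicious, max_distinct=2):
    """Return (field, values) if the legitimate events share a small set of sources,
    destinations or services that no malicious event uses (max_distinct is assumed)."""
    for field in ("src", "dst", "service"):
        good = {getattr(e, field) for e in legit}
        bad = {getattr(e, field) for e in malicious}
        if len(good) <= max_distinct and not good & bad:
            return field, sorted(good)
    return None


def triage(events, profile):
    """Map each protection to (mode, reason) following the tuning rules above."""
    by_prot = defaultdict(list)
    for e in events:
        by_prot[e.protection].append(e)
    decisions = {}
    for prot in profile:
        evs = by_prot.get(prot, [])
        legit = [e for e in evs if not e.malicious]
        malicious = [e for e in evs if e.malicious]
        if not evs:
            decisions[prot] = ("Prevent", "no events during tuning")
        elif all(e.confidence == "High" for e in evs):
            decisions[prot] = ("Prevent", "high confidence")
        elif not legit:
            decisions[prot] = ("Prevent", "only malicious events")
        elif pat := exception_pattern(legit, malicious):
            decisions[prot] = ("Prevent", f"create exception for {pat[0]} in {pat[1]}")
        else:
            decisions[prot] = ("Detect", "mixed traffic, no pattern; report to Support")
    return decisions
```

In the sample data, "Odd Encoding" stays in Detect even though all its events share one destination, because the malicious event shares it too and an exception on that destination would exempt the attack.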

Scheduling IPS Updates

After the initial IPS update, configure IPS to update automatically and on a regular basis.

To configure IPS scheduled updates:

  1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
  2. In Threat Prevention Policy > Threat Tools, click Updates.
  3. In the section for the applicable Software Blade, click Schedule Update.

    The Scheduled Update window opens.

  4. Make sure Enable IPS scheduled update is selected.
  5. Click Configure.
  6. In the window that opens, set the Update at time and the frequency to best fit your business:
    • Daily
    • Every day
  7. Click OK, and then click OK again.
  8. Install the Threat Prevention policy.