Extending the IPS Configuration

In This Section: Cloning the Profile Configuring the Profile Configuring Inspection Settings Protections Email Inspection Settings Optimizing Web Security Protections Excluding Protections Separate Profiles

Cloning the Profile

Make a copy of the Optimized Profile before you start the initial IPS tuning. For a Multi-Domain Server deployment, we recommend that you create a separate IPS policy and perform these steps for each segment.

To clone the Optimized Profile:

1. Navigate to Security policies tab on the left panel, and then click Threat Prevention Policy.
2. Right-click the Optimized Profile and edit.
3. Click OK.

   A message appears and asks if you want to clone the profile.

4. Enter a new name for the cloned profile and click OK.

Configuring the Profile

Configure the setting of the profile to help the initial analysis of the IPS inspection with staging mode. The default action for the protections is Prevent, but staging mode protections run in Detect mode.

Configure new protections that are added to the profile to run in Prevent mode (during staging, these protections are set to Detect).

To configure the Profile:

1. Navigate to the Security policies tab on the left panel and click Threat Prevention Policy.
2. Right-click the profile and select the cloned profile you created.
3. Right-click the cloned profile and edit.
4. For IPS Activation Mode, select Prevent.
5. From the navigation tree, click IPS > Updates.

   The newly downloaded protections are set to Active – According to profile settings.

6. Set activation as staging mode (Detect).
7. Click OK.

Configuring Inspection Settings Protections

Some Firewall Inspection Settings can be configured to help protect the network. For ease of use, we included their configuration in this document.

Email Inspection Settings

Activate protections for the protocols that your environment uses for emails and add customized security to the mail servers.

Setting POP3/IMAP Scope

By default, when you configure the POP3/IMAP Security setting in Security policies > Inspection settings > POP3/IMAP Security, they apply to all hosts that are defined as mail servers according to the Action settings of each IPS profile. You can also limit the scope of this protection to only the specified mail servers.

To specify which hosts get the POP3/IMAP protection settings:

1. Navigate to Security policies > Inspection settings.
2. In the search field, enter "POP3/IMAP Security."
3. In the search results that show, double-click POP3/IMAP Security.
4. Select the profile and click Edit.
5. From the navigation tree, click Advanced.
6. In the Protection Scope area, click Apply to selected mail servers.
7. Click View.

   The Select Servers window opens and all mail servers are selected by default.

8. Change the selection of servers on which POP3 and IMAP protections should not be enforced:
   • To remove servers from the list – Clear the servers.
   • To add servers to this list – Click Add, select the servers, and click OK.
   • To edit server settings – Select a server, click Edit, edit settings in the Host Node configuration window that opens and click OK.
9. Click OK.

The POP3/IMAP Security inspection settings have a list of commands that IPS recognizes and inspects. The definitions of the POP3 commands apply to all IPS profiles. In the Protections Details – POP3/IMAP Security configuration window, you can edit the list of POP3 commands that apply to all profiles or edit the list of POP3 commands that apply to specific profiles.

To edit the list of POP3 commands that applies to all profiles:

1. In the Protection Details – POP3/IMAP Security configuration window, click Edit for the POP3 Commands Definitions.
2. Edit the list as necessary:
   • To add a new command – Click Add and enter the new command.
   • To change an existing command – Select the command and click Edit.
   • To delete a command – Select the command, click Remove and in the window that opens, click Yes to confirm.
3. Click OK.

To block or allow a POP3 command for a profile:

1. In the Protection Details – POP3/IMAP Security configuration window, select the profile whose settings you want to edit.
2. Click Edit.
3. In the list of Known POP3 commands, clear any command that you do not want blocked.
4. When you finish editing the POP3/IMAP Security settings, click OK to save them and exit the Protection Details – POP3/IMAP Security configuration window.

Optimizing Web Security Protections

You can manage Web Intelligence to configure the Web server settings to maximize security and reduce the Security Gateway performance or the opposite.

Improving Connectivity by Setting Scope

Some inspection settings that are too severe can have a negative impact on connectivity to and from valid Web servers.

• The HTTP Format sizes protection restricts URL lengths, header lengths or the number of headers. This is good practice because these elements can be used to perform a Denial of Service attack on a Web server.
• The ASCII Only Request protection can block connectivity to Web pages that have non-ASCII characters in URLs. This is good practice because non-ASCII headers or form fields open vulnerabilities to certain attacks, such as Code injection.
• The HTTP Methods protection can block certain HTTP methods, known to be unsafe, because they can be used to exploit vulnerabilities on a Web server.
• SQL Injection: This protection runs a scan on traffic to a user-defined list of specified web servers. The protection is active only when the network objects for these servers are created correctly. Do not apply the protections for SQL injection to all HTTP traffic or unnecessary false-positives will disrupt network traffic.
• General HTTP/CIFS Worm Catcher and Header Rejection: These protections let you add and edit regular expressions so that the Firewall can block the specified HTTP requests. Check Point advises customers to add a pattern to these protections as an immediate pre-emptive action against a new threat.

Although applying these restrictions (activating these protections) is in general good practice, they may potentially block valid sites or important applications. Applying these protections to specific Web servers can solve the connectivity problems and may enhance CPU performance. This exclusion of a Web server from a particular protection is global to all profiles.

To configure Web Protection scope:

1. Navigate to Security policies > Inspection settings to see the protections area.
2. To apply the protection only to a defined set of Web servers, select Apply to selected web servers.
3. Click Customize.
4. To exclude a Web server from the protection, clear the server checkbox.
5. To add a gateway object to the list of Web servers, click Add. From the Set Hosts as Web Servers window, select the hosts that you want and click OK.
6. To edit a Web server, select the Web server in the list and click Edit.

   The Check Point Host window opens, displaying the Web Server category, which is added to a host that is defined as a Web server.

You can configure connectivity-security balance for each type of Web Intelligence protection in the protection’s window, but enforcement of these configurations always depends on whether they are activated by the Web server’s IPS profile.

Excluding Protections

The IPS profile may include protections that are not necessary for your network. You can exclude these IPS protections and improve network performance. For example, if an organization does not use VoIP services, exclude the IPS protection for VoIP traffic.

Exclude Protections by Tags

Each IPS protection is classified using tags such as:

• Type
• Vendor
• Product
• Threat year
• Protection type
• Vulnerability effect
• File type
• Protection protocol

You can exclude a group of protections using the relevant tags. You can do that either as part of the profile definition or directly from the IPS Protections view.

To exclude protection by tag using IPS Protections view:

1. On the left panel, navigate to Security policies and click Threat Prevention Policy.
2. Click IPS Protections.
3. From the filters on the right, select the tags whose protections you want to exclude.
4. Select the protections on the left and deactivate the protections.
5. Install the policy.

To exclude protection by tag using Threat Prevention profile definitions:

1. Extend the IPS TAB.
2. Select Additional Activation.
3. Select the tags whose protections you want to activate.
4. Select the tags whose protections you want to deactivate.
5. Install the policy.

Separate Profiles

The initial performance tuning focuses on a single IPS profile that is optimized for many situations. However, we recommend you create a different policy per network segment and gateway according to the protected assets and assign different profiles to each rule in the policy.

Examples of separate profiles:

• Gateways on the perimeter frequently use a different profile than gateways that protect data centers
• Different network segments protect different types of protocols, client/server, applications etc.