Managing Profiles and Protections
IPS Profiles
IPS profiles enable you to configure sets of protections for groups of gateways. Without profiles you would have to configure IPS in a global policy for all your devices and network behavior, or configure each device separately. With profiles, you have both customization and efficiency.
Up to 20 profiles may be created. IPS profiles are available for all Check Point NGX gateways.
|
Note - For Connectra, IPS profiles are available for all NGX R66 gateways and above. Earlier versions of Connectra gateway do not receive an IPS profile from Security Management server. Every profile created takes 2 MB of RAM from the user console machine on both Windows and Motif.
|
Creating Profiles
When you create a profile, you create a new SmartDashboard object. Protections can be activated, deactivated or given specific settings to allow the profile to focus on identifying certain attacks. The profiles can then be applied to groups of devices that need to be protected against those certain attacks.
To create a profile:
- In the IPS tab, select Profiles.
- Click New and choose an option:
- Create New Profile: Opens empty Profile Properties window for new configuration.
- Clone Selected Profile: Creates copy of selected profile. Select the cloned profile and click Edit to make changes (including providing a new name) in the Profile Properties window.
- Configure the General properties.
- Profile Name: Mandatory, cannot contain spaces or symbols.
- Comment: Optional free text.
- Color: Optional color for SmartDashboard object mapping.
- IPS Mode: The default action that a protection will take when it is enabled.
- Prevent: Activated protections will block traffic matching the protection's definitions.
- Detect: Activated protections will track traffic matching the protection's definitions.
- Protections Activation: Protections can be enabled automatically or manually.
- Select IPS Policy > Updates Policy and select whether newly downloaded protections should be set by default to Prevent or Detect.
- Click OK to create the profile.
Activating Protections
Each profile is a set of activated protections and instructions for what IPS should do if traffic inspection matches an activated protection. The procedures in this section explain how to activate protections for a profile.
Automatically Activating Protections
IPS protections include many protections that can help manage the threats against your network. Care should be taken to understand the complexity of the IPS protections before manually modifying their settings.
To simplify the management of the IPS protections settings, a profile can be configured to automatically enable protections based on user defined criteria by selecting Activate according to IPS Policy in the Profile's General properties.
When the IPS Policy activates a protection, the protection will enforce the action set in the IPS Mode, either Detect or Prevent. In some instances a protection will be set to Detect if it meets the criteria to be set to Inactive but does not support the Inactive status
There are numerous protections available in IPS. It will take some time to become familiar with those that are relevant to your environment; some are easily configured for basic security without going too deeply into the details of the threat and the protection. Many protections can be safely activated automatically.
It is recommended that you allow IPS to activate protections according to the IPS policy in the beginning. Then you can manually modify the protection settings as needed according to your monitored traffic.
To automatically activate protections in a profile:
- In the Profiles page, double-click a profile, or click New to create a new profile.
- Select IPS Policy.
- Set automatic activation by type:
- Client Protections: activate protections specific to clients.
- Server Protections: activate protections specific to servers.
- Both: all protections will be activated, except for those that are:
- Excluded by the options selected here
- Application Controls or Engine Settings
- Defined as Performance Impact — Critical
- Set activation according to protection criteria. In the Protections to Deactivate area, select relevant criteria and then select the value that fits:
- Protections have severity: Activate protections only if their Severity level is higher than the value you select in the drop-down list.
For example: you can set protections with low severity to not be activated automatically (Do not activate protections with severity Low or below). You can always activate the protections that you want later, if analysis proves they are needed.
- Protections have confidence level: Activate protections only if their Confidence Level is higher than the selected value.
For example: Do not activate protections if with confidence-level Low or below. The higher the Confidence Level of a protection, the more confident Check Point is that recognized attacks are indeed attacks; lower Confidence Levels indicate that some legitimate traffic may be identified as an attack.
- Protections have performance impact: Activate protections only if their Performance Impact is lower than the selected value.
For example: Do not activate protections with performance impact High or higher. Some activated protections may cause issues with connectivity or performance. You can set protections to not be activated if they have a higher impact on gateway performance.
- Protocol Anomalies: Do not automatically activate Protocol Anomaly protections.
To exclude protection categories from the IPS Policy:
- In Profile Properties > IPS Policy, select Do not activate protections in following categories and click Configure.
The Non-Auto Activation window opens.
- Click Add.
The Select Category window opens.
- Expand the tree nodes and select the required categories from any level, that you do not want to be activated by the IPS Policy.
For example, if you selected to automatically activate Server Protections and then add Syslog to the categories in the Non-Auto Activation window, the Syslog protections (such as Apply Malicious Code Protector) will not be automatically activated in this profile.
- Click OK to close the Select Category window.
- Click OK to close the Non-Auto Activation window.
- Click OK to apply the Automatic Activation configuration and close the Profile Properties window.
Manually Activating Protections
You may need to activate protections that are not activated automatically. For example, you may have reason to suspect a specific threat against a gateway.
|
Note If you manually activate protections for a profile that has Detect-Only for Troubleshooting enabled, traffic will only be blocked once the Detect-Only for Troubleshooting has been disabled.
|
Activating Protections for All Profiles
To manually activate a protection in all profiles:
- In the Protections Browser, right-click on the protection that you want to activate and select the action that you want to apply to the protection.
Activating Protections for a Specific Profile
To manually activate a protection for a specific profile:
- Find the protection that you want to activate using the Protections Browser and click Edit.
- Select the profile for which you want to activate this protection and click Edit.
The protection can be activated for one profile and inactive for another; thus, it will be activated for some gateways and inactive for others.
If the protection is inactive and Action according to IPS Policy: Inactive is selected, this protection is inactive due to the IPS Policy for this profile. You can override this setting or change the IPS Policy criteria. For instructions on changing IPS Policy, see Automatically Activating Protections.
To override the settings for this protection, continue with this procedure.
- Select Override IPS Policy and select the action that you want to apply.
- Prevent: Activate IPS inspection for this protection and run active preventions on the gateways to which this profile is assigned.
- Detect: Activate IPS inspection for this protection, tracking related traffic and events.
- Inactive: Do not enforce this protection.
- If available, configure the Additional Settings that are relevant for its individual configurations and options.
Some common settings include:
Removing Activation Overrides
While configuring a profile, at any time you can manually set the activation of individual protections, overriding the automatic activation setting. If the result is not relevant, you can remove the overrides.
To remove overrides:
- In the IPS tab, select Profiles.
- Select a profile from the list and click Actions > Remove overrides.
A message appears:
Are you sure you want to reapply the profile's IPS Mode and Activation settings to the protections?
- To confirm, click Yes.
A message appears:
All protections have been reset to the profile's settings.
- Click OK.
Managing Profiles
Assigning Profiles to Gateways
To assign a profile to a gateway:
- In the IPS tab, select Enforcing Gateways.
- Select a gateway and click Edit.
The IPS page of the gateway properties opens.
- Select a profile from the Assign profile list.
- Click OK.
View Protected Gateways by Profile
To view a list of gateways that are protected by a specific profile:
- In the IPS tab, select Profiles
- Select a profile from the list and click Actions > Show Protected Gateways.
The Protected Gateways window appears with the list of gateways that are assigned to the selected profile.
Viewing Profile Modification Data
You can see data about modifications made to a selected profile.
To see modification data:
- In the IPS tab, select Profiles.
- Select a profile from the list and click Actions > Last Modified.
The Last Modification window opens.
- Last modified at: Date and time of last modification.
- From client: Name of client machine from which the profile was modified.
- By Administrator: Username of the administrator who did the modifications.
Importing and Exporting Profiles
IPS lets you import and export profiles using the ips_export_import command from the CLI. This command will let you copy profile configurations from one R71 management server to another R71 or R75 management server, or from one R75 management server to another R75 management server. This command is supported in both Security Management Server and Multi-Domain Security Management environments.
The exported profile is stored in a tar archive. The archive includes all protection settings but does not include:
- Network Exceptions
- Network object information that is specified in the protection settings
On a Multi-Domain Server, you must use one of these methods to set the environment in which the command will run:
- Run
mdsenv to set the environment (Multi-Domain Server or specific Domain Management Server) where the IPS profile is configured. - Use
-p <ip> to enter the IP address of the Multi-Domain Server or Domain Management Server where the IPS profile is configured.
To export an IPS profile:
- From the command line, run:
ips_export_import export <profile-name> [-o <export-file-name>] [-p <ip>]
|
You must enter the exact name of the profile that you want to export.
The archive will be named <profile-name>.tar and is saved to your present working directory. You can also use the -o <file-name> to give the archive a specific name.
To import an IPS profile:
- From the command line, run:
ips_export_import import <new-profile-name> -f <file-name> [-p <ip>]
|
You must enter a name for the profile and the location of the archive. You can either import an archive that is in your present working directory or enter the exact location of the archive that you want to import.
Deleting Profiles
You can easily delete a profile (except for the Default_Protection profile), but it should be done carefully, as it may affect gateways, other profiles, or SmartDashboard objects.
To delete a profile:
- In the IPS tab, select Profiles.
- Select the profile you want to delete and click Delete.
The message appears: Are you sure you want to delete object <profile_name>?
- Click Yes.
If the profile contains references to/from other objects, another message appears:
<profile_name> is used in another object. Are you sure you want to delete it?
- Click Where Used?
The Object References window opens.
For each object that references the profile, there is a value in the Is Removable? column. If this value is Yes for all objects, you can safely delete the profile. Otherwise, you should discover the relationship before deciding to delete this profile.
Troubleshooting Profiles
IPS includes the ability to temporarily stop protections set to Prevent from blocking traffic. This is useful when troubleshooting an issue with network traffic.
To enable Detect-Only for Troubleshooting:
- Select IPS > Profiles.
- Select a profile and click Edit.
The Profile Properties window appears.
- Select Troubleshooting.
- Click on the Detect-Only for Troubleshooting icon.
Once you have done this, all protections set to Prevent will allow traffic to pass, but will continue to track threats according to its Track configuration.
Customizing Profiles for IPS-1 Sensors
Protections enforced by the IPS-1 Sensor offer certain configuration options that differ from the options available for protections enforced by the IPS Software Blade. Some of these options are:
- Configuring the number of packets to capture when Capture Packets is enabled
- Automatically blocking, or quarantining, connections from a specific IP address for a set period of time once an attack from that address has been detected
- Dynamically changing the Confidence Level for a protection based on the type of traffic that passes through the IPS-1 Sensor
- Blocking an attack by dropping the connection without notifying the sender or by sending a Reject packet back to the sender to notify the sender that the traffic was not received
- Grouping recurring alert logs into Summary logs which indicate how frequently the alert has occurred without adding unnecessary log entries to the database
These are the IPS-1 Sensor settings that you can define in the IPS Profile:
Capture Packets
- Turn on capture packets for all protections automatically captures packets for all active protections that have this capability.
- Turn on capture packets according to protections settings relies on the protections' settings to determine when packet captures are saved.
- Number of packets to capture specifies the number of packets you will be able to look at for each time packets are captured.
Quarantine
- Quarantined IP addresses will be released after X seconds specifies how long all traffic from a particular IP address will be rejected once that IP address has been identified as a threat.
Dynamic Confidence Level
- Automatically deactivate protections when their dynamic Confidence-Level falls below the threshold allows IPS to dynamically change turn off protections when an internal IPS algorithm determines that IPS is not identifying the attack with sufficient accuracy. This option is only available when protections are activated according to the IPS Policy, and the IPS Policy is set to deactivate protections based on Confidence-Level.
Connection Refusal Method
- Drop blocks the connection without notifying the sender of the failure.
- Reject (TCP Reset) blocks the connections and sends the sender a Reject packet to indicate that the connection was not accepted.
Log Flood Suppression
Enable Log Suppression enables you to receive summary logs for frequently identified attacks. Specify settings for this feature using the Advanced button.
Protections Browser
The Protections Browser provides quick access to IPS protections and displays them with a summary of important information and usage indicators.
Customizing the Protections Browser View
The Protections page shows a table of the protections, with each column a different type of information.
|
|
|
Column
|
Description
|
See for details
|
Protection
|
Name of the protection
|
Category
|
Protocol category and bread-crumbs to find the protection in the category tree
|
Severity
|
Probable severity of a successful attack on your environment
|
Severity
|
Confidence Level
|
How confident IPS is that recognized attacks are actually undesirable traffic
|
Confidence Level
|
Performance Impact
|
How much this protection affects the Security Gateway's performance
|
Performance Impact
|
Industry Reference
|
International CVE or CVE candidate name for attack
|
Release Date
|
Date the protection was released by Check Point
|
Protection Type
|
Whether the protection is for servers, clients, or both
|
Type
|
Follow Up
|
Whether the protection is marked for Follow Up
|
Tracking Protections using Follow Up
|
Follow Up Comments
|
Text to comment on the protection
|
Products
|
Type of IPS enforcement:
- IPS Software Blade
- IPS-1 Sensor
|
|
<profile_name>
|
Activation setting of the protection in the profile
|
Protection Mode
|
To change which columns are visible:
- Click View > Customize.
The Customize window opens.
- Any column you do not want to appear, move to the Available fields list. any you do want to see, let them remain in the Visible fields list.
- Click OK.
Finding Protections
Use the Protections page for filtering the complete protections list. You can filter by protection name, CVE number, or by any information type that is displayed in the columns.
To filter by protection name:
- Leave the Search In box at the default All, or select Protection.
- Start to type the name in the Look for text box.
The displayed list filters as you type. Note that the results include not only the name of the specific protection, but also the category tree in which it is contained.
For example, to see ICMP protections, type icmp in Look for, and select Protection in Search In. The list shows protections that have ICMP in their name, and all protections in the Network Security > IP and ICMP category. If you hover over a listed protection, the category tree is shown as a tooltip.
Filtering Protections
You can filter the list of protections by any criteria that is displayed in the Customizing the Protections Browser View table.
To filter by any information:
- Select the information type from the search In drop-down menu.
By default, the search will return protections that have your search term in any field.
- In the Look for text box, type a value for the information.
For example, to see only protections who have a value of Severity: Critical, type critical in Look for and select Severity in In.
Sorting Protections
Filtering by information type has a draw-back: you have to know valid values for the information. In the beginning, you might find it more convenient to sort the list rather than filter it.
To sort the protections list by information:
- Click the column header of the information that you want.
For example, to see protections ordered by Severity, beginning with Critical, click the Severity column header.
Advanced Sorting
You can sort the list with multiple criteria: first sort by criteria A and then by criteria B.
For example, if you wanted to see protections that are marked for Follow Up, but you want to start with the most critical protections, you can sort by Follow Up and by Severity.
To sort by multiple values:
- Click View > Sort.
The Sort window opens.
- Choose the column headers by which you want to sort the list and then click OK.
Exporting Protections List
To enable administrators to analyze protections in alternative applications, you can export the Protections list as a comma-delimited file. The exported information includes all protections, with all table fields regardless of any applied sorting or filtering.
To export the Protections list:
- Click View > Export View.
- In the Save As dialog box, provide a filename and click Save.
Protection Parameters
Most protections have graded parameters, provided to help you decide which protections to activate for security and which can be safely deactivated, for connectivity and performance.
The protection parameters and their values for a specific protection appear at the top of the protection window.
Parameter
|
Indicates
|
Values
|
Type
|
Type of machine that can be affected/protected
|
Signature, Protocol Anomaly, Application Control, Engine Settings
|
Severity
|
How severely a successful attack would affect your environment
|
Low, Medium, High, Critical
|
Confidence Level
|
How well an attack can be correctly recognized
|
Low, Medium-Low, Medium, Medium-High, High
|
Performance Impact
|
How much this protection affects the gateway's performance
|
Low, Medium, High, Critical
|
Protection Type
|
Type of machine that can be affected/protected
|
Servers, Clients, Servers and Clients
|
Type
The Type is whether the protection is a Signature, Protocol Anomaly, Application Control, or Engine Setting.
Types
Type
|
Description
|
Usage Example
|
Signature
|
Prevent or detect threats by identifying an attempt to exploit a specific vulnerability
|
Microsoft Message Queuing contains a vulnerability that could allow an attacker to remotely execute code; you activate the applicable Microsoft Message Queuing protection to protect against such an attack.
|
Protocol Anomaly
|
Prevent or detect threats by identifying traffic that does not comply with protocol standards
|
An attacker can send HTTP packets with invalid headers in an attempt to gain access to server files; you activate the Non-Compliant HTTP protection to protect against such an attack.
|
Application Control
|
Enforce company requirements of application usage
|
Your organization decides that users should not use Peer to Peer applications at the office; you activate the Peer to Peer Application Control protections.
|
Engine Setting
|
Configure IPS engine settings
|
Configuring settings will influence other protections; be sure to read any notes or warnings that are provided.
|
IPS protections are divided by these types in the IPS tree under Protections > By Type.
For example, view all Application Controls supported by IPS by selecting Protections > By Type > Application Control.
Protection Mode
Each protection has a mode, which determines whether IPS inspects packets for this protection, and if so, what it does if the packet matches a threat symptom.
|
Inactive:
|
Packets are not inspected for this protection.
|
|
Active:
|
Packets are inspected and actions taken (depending on Detect or Prevent).
|
|
Prevent:
|
Packets are inspected and threatening packets or connections are dropped.
|
|
Detect:
|
Packets are inspected and threatening packets or events are tracked.
|
The next sections, that explain the protections in detail, assume that the protection is Activated, to explain the configuration options that are available only when the protection is Active.
If the IPS policy settings cause a protection to be Inactive, and you want to activate it, select Override with the action: and choose Prevent or Detect from the drop-down list.
Some protections may be Partially active: the protection settings configured to activate the protection for specific protocols or situations, leaving it inactive for others. For example, in DNS - General Settings, you can select to activate DNS protections only for TCP or only for UDP, so the protections in the DNS category are Partially active. If you select to activate DNS protections for both TCP and UDP, the protections will be Active.
The mode of a protection is per-profile. See Managing Profiles.
Severity
You should activate protections of Critical and High Severity, unless you are sure that you do not want this particular protection activated.
For example, if a protection has a rating of Severity: High, and Performance Impact: Critical, you might want to determine whether the protection is necessary for your specific environment before activating the protection.
Confidence Level
Some attack types are more subtle than others, and legitimate traffic may sometimes be mistakenly recognized as a threat. The confidence level value indicates how well this particular protection can correctly recognize the specific attack.
The Confidence parameter can help you troubleshoot connectivity issues with the firewall. If legitimate traffic is blocked by a protection, and the protection has a Confidence level of Low, you have a good indication that more specific configurations might be needed on this protection.
Performance Impact
Some protections by necessity use more resources or apply to common types of traffic, causing an adverse effect on the performance of the gateways on which they are activated.
|
Note -The Performance Impact of protections is rated based on how they will affect gateways of this version running SecurePlatform and Windows operating systems. The Performance Impact on other gateways may vary from the rating listed on the protection.
|
For example, you might want to ensure that protections that have a Critical or High Performance Impact are not activated unless they have a Critical or High Severity, or you know the protection is specifically needed.
If your gateways experience heavy traffic load, be careful about activating High/Critical Performance Impact protections on profiles that affect a large number of mixed (client and server) machines.
Using the value of this parameter to decide upon an optimal protection profile will prevent overloading your gateway's resources.
Protection Type
Signature and Protocol Anomaly protections are designed to protect against threats that target either Servers or Clients. You can use this information to define a profile that will only focus on the threats that can exploit the network resources behind your enforcing gateway, thereby reducing the performance impact on the gateway and the amount of logs which the gateway will produce.
For example, if you have an enforcing gateway which protects servers in a DMZ, you can apply a profile that deactivates the Client protections because the client vulnerabilities are most likely not present on the protected resources.
Protected Servers
Certain protections are designed to inspect traffic based on the type of server that the traffic is coming to or from. To allow these protections to identify the traffic that should be inspected, IPS requires you to identify the DNS, Web and Mail servers you want to protect.
DNS Servers
The DNS protocol protections prevent illegal DNS packets over TCP or UDP, prevents users from accessing blocked domain addresses, protect from DNS Cache Poisoning, and block DNS traffic to non-DNS destinations.
These protections will only apply to servers that are defined as DNS Servers in .
Defining DNS Servers
Configure a list of DNS servers in your environment to ensure that IPS enforces the DNS protections on the relevant devices.
To define a host as a DNS server:
- Make sure the host is defined as a SmartDashboard object.
- In the DNS Servers View, click Add to add another host to the list of DNS servers.
- Select the host that you want to add to the DNS server list.
- Click Edit to view or change the properties of the host before defining it as a DNS server.
- Click OK to add the host to the list of DNS servers.
Editing DNS Servers
After a host is defined as a DNS server (added to the DNS Servers View list), it gains the DNS Server properties in its Host Node properties.
To edit a DNS server:
- Select the host in the DNS Servers View list and click Edit.
- In the left-hand category tree of the Host Node window, click Protections under the DNS Server category.
The Protections page displays a note that although you can select specific security settings for this server, the enforcement of this protection depends on the IPS profile to which this server is assigned. See "IPS Profiles" for more information on profiles.
Web Servers
The Web protocol protections prevent attacks that use web protocols and vulnerabilities to damage your network or use your network resources to attack other networks. Web servers require special protection from these attacks.
You can manage the use of these protections on Web Server from .
Defining Web Servers
Configure a list of Web servers in your environment to ensure that IPS enforces the Web Server protections on the relevant devices.
To define a host as a Web server:
- Make sure the host is defined as a SmartDashboard object.
- In the IPS tab, open Protections > By Protocol > Web Intelligence > Web Servers View.
- Click Add to add another host to the list of Web servers.
- Select the host that you want to add to the Web server list.
- Click Edit to view or change the properties of the host before defining it as a Web server.
- Click OK to add the host to the list of Web servers.
Editing Web Servers
After a host is defined as a Web server (added to the Web Servers View list), it gains the Web Server properties in its Host Node properties.
To edit a Web server:
- Select the host in the Web Servers View list and click Edit.
- In the left-hand category tree of the Host Node window, click Protections under the Web Server category.
The Protections page displays a note that although you can select specific settings for this server, the enforcement of this protection depends on the IPS profile to which this server is assigned. See IPS Profiles for more information on profiles.
Mail Servers
The Mail protocol protections prevent improper POP3, IMAP and SMTP traffic from damaging your network.
These protections will only apply to servers that are defined as Mail Servers in .
Defining Mail Servers
Configure a list of Mail servers in your environment to ensure that IPS enforces the Mail protections on those devices.
To define a host as a Mail server:
- Make sure the host is defined as a SmartDashboard object.
- In the IPS tab, open Application Intelligence > Mail > Mail Servers View.
- Click Add to add another host to the list of Mail servers.
- Select the host that you want to add to the Mail server list.
- Click OK to add the host to the list of Mail servers.
Editing Mail Servers
After a host is defined as a Mail server (added to the Mail Servers View list), the Mail Server properties page is added to the object's Host Node properties.
To edit a Mail server:
- Select the host in the Mail Servers View list and click Edit.
- Click Protections under the Mail Server category.
The Protections page displays a note that, although you can select specific security settings for this server, the enforcement of this protection depends on the IPS profile to which this server is assigned.
|