
Managing Gateways

In This Chapter

Adding IPS Security Gateways - SmartDashboard

Adding IPS-1 Sensors

Managing IPS gateways - CLI

IPS protections are enforced by Security Gateways with the IPS Software Blade enabled and by IPS-1 Sensors. The Enforcing Gateways page shows the list of all gateways enforcing IPS protections and the profile that is assigned to each gateway.

On the Enforcing Gateways page, you can select whether the IPS profiles will manage only IPS Software Blade protections or if they will also manage IPS-1 Sensor protections. If you choose to manage IPS-1 Sensor protections, you can add IPS-1 Sensors to your list of enforcing gateways and assign profiles to the sensors.

If you choose to manage IPS-1 Sensors as well, the IPS-1_Recommended_Protection profile will be available in the list of Profiles. The Recommended_IPS-1_Protection profile contains recommended settings for both IPS Software Blade protections and IPS-1 Sensor protections. It can also be imported at a later time from the command line with the ips_export_import command.

Important - The Remove button will DELETE the selected gateway object.

  • To remove a Security Gateway from Enforcing Gateways, disable the Software Blade on the gateway.
  • To remove an IPS-1 Sensor from Enforcing Gateways, delete the IPS-1 Sensor object.

Adding IPS Security Gateways - SmartDashboard

When you enable the IPS Software Blade on a Security Gateway object, the gateway is automatically added to the list of Enforcing Gateways and it is assigned the Default Protection profile.

To create a new Security Gateway object with IPS enforcement:

  1. In SmartDashboard > IPS tab, select Enforcing Gateways.
  2. Click Add and choose Security Gateway.
  3. Enter the properties of the Security Gateway, including selecting IPS.
    • In Classic mode, select IPS in the Network Security tab.
    • In Simple mode, select a Check Point products option that includes IPS.

The Firewall Software Blade must be enabled to enable the IPS Software Blade.


Adding IPS-1 Sensors

When you add a new IPS-1 Sensor object, the sensor is automatically added to the list of Enforcing Gateways and it is assigned the IPS-1 Recommended Protection profile. By default, the sensor is configured as IPS-Inline with fail-open bypass mode.

When adding an IPS-1 Sensor, you can also define these settings which are unique to IPS-1 Sensors:

Working Mode

  • IDS - Passive: The IPS-1 Sensor is not placed in the path of traffic. Packets are processed for attack detection without any impact on the flow of network traffic.
  • IPS - Inline, Detect only: Inline intrusion detection. Packets are forwarded through to the network before processing for attack detection. In fault conditions, all packets are allowed. Detect only mode is also useful for checking whether an IPS-mode Sensor is responsible for dropped traffic.
  • IPS - Inline, fail-open: Inline intrusion prevention. Packets are processed for attack detection and are forwarded to the network only in accordance with protection settings. In fault conditions, all packets are allowed.
  • IPS - Inline, fail-closed: Inline intrusion prevention. Packets are processed for attack detection and are forwarded to the network only in accordance with protection settings. In fault conditions, all packets are dropped.

Warning - Changing the Working Mode may stop the flow of network traffic. Make sure that your network topology is correct for the IPS-1 Sensor Working Mode that you choose.

Topology

By default, the IPS-1 Sensor inspects all traffic that passes through its interfaces. We recommend that you manually define the protected networks in the IPS-1 Sensor's Topology page. The Topology options are:

  • All IPs lets the IPS-1 Sensor protections react to all traffic with the highest level of inspection. Most organizations will choose not to use this setting because it applies the highest level of inspection even to traffic that does not affect the organization's security.
  • Manually defined lets you specify the group of hosts or networks that the IPS-1 Sensor protects. This reduces the load on the sensor by focusing the sensor's resources on traffic that relates to internal networks.
  • None does not specify a group of hosts or networks for protection. When no topology is configured, the IPS-1 Sensor inspects all traffic with a lower level of intensity. The IPS-1 Sensor will inspect traffic faster but without the high level of inspection provided by the All IPs and Manually defined settings.

Latency Threshold

The Latency Threshold suspends IPS inspection when the average latency of traffic passing through the sensor exceeds a specified threshold. The specified latency level will be treated as a Fail State. Then, traffic will be passed or dropped based on the Sensor bypass mode of the IPS-1 Sensor's General Properties. By default, this setting is off, but you can enable it from the IPS-1 Sensor's IPS page.

To create an IPS-1 Sensor object:

  1. If there is a Security Gateway between the management server and the IPS-1 Sensor, make sure Accept IPS-1 management connections is selected in the Global Properties > Firewall page.
  2. In the IPS tab, select Enforcing Gateways.
  3. Click Add and choose IPS-1 Sensor.
  4. Enter the properties of the IPS-1 Sensor.
  5. If there is a Security Gateway between the management server and the IPS-1 Sensor, install the policy on the gateway.
  6. Open the IPS-1 Sensor object and click Communication to initiate SIC.
  7. Once SIC is initialized, click Close.
  8. Click OK.

The IPS-1 Sensor object is created and you can now include the IPS-1 Sensor in policy installation.

Note - If policy installation fails when the IPS-1 Sensor is set to an IPS-Inline Working Mode, log into the sensor's CLI and check that the interfaces are set to work as inline pairs. Refer to the R71 IPS-1 Sensor Administration Guide.

Managing IPS gateways - CLI

You can use these CLI commands to manage IPS on your Security Gateways. You must be in expert mode to use the commands.

To see all available commands:

  1. On the gateway, go to the expert mode.
  2. Type ips and press Enter.

Commands and descriptions:

ips on|off [-n]
  Enable or disable IPS on the Security Gateway.
  • -n: Empty the templates table (applies fwaccel off; fwaccel on immediately). Otherwise, this command takes effect in a few minutes.

ips stat
  Show the IPS status of the Security Gateway.

ips bypass stat
  Show the Bypass Under Load status.

ips bypass on|off
  Enable or disable Bypass Under Load.

ips bypass set cpu|mem low|high <threshold>
  Set the Bypass Under Load threshold.
  • threshold: Valid range is 1 to 99. Unit is percent.

ips debug [-e filter] -o <output_file>
  Create an IPS debug file. Valid filter values are the same as for fw ctl debug. Consult with Check Point Technical Support.

ips refreshcap
  Refresh the sample capture repository.

ips stats [<ip_address> -m] [-g <seconds>] [<ip_address> <seconds>]
  Print IPS and Pattern Matcher performance statistics. Without arguments, runs on the current Security Gateway for 20 seconds. This is a resource-intensive command and should not be run on a system experiencing a high load.
  • -m: Analyze an input statistics file from a Security Gateway. Give the IP address of the Security Gateway. Run from the management server.
  • -g: Collect statistics for the current Security Gateway.
  • seconds: Period in which statistics are gathered.

ips pmstats reset
  Reset pattern matcher statistics.

ips pmstats -o <output_file>
  Print pattern matcher statistics.
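The following script is an added example (not part of the Check Point guide) that wraps the documented ips bypass commands to set Bypass Under Load thresholds: it rejects values outside the documented 1 to 99 range and, as an extra sanity check of our own, requires the low threshold to be below the high one. It assumes it is run in expert mode on the gateway with ips on the PATH; the DRY_RUN variable is our own addition for previewing the commands.

```shell
#!/bin/sh
# Added example, not Check Point code. Composes the guide's
# `ips bypass set cpu|mem low|high <threshold>` commands from validated
# input. DRY_RUN=1 (our own switch, not a Check Point option) prints the
# commands instead of running them.

# Return 0 if $1 is an integer in the documented range 1..99 (percent).
valid_threshold() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 99 ]
}

# Print the exact command line for one threshold; return 1 on bad input.
# $1 = cpu|mem, $2 = low|high, $3 = threshold value.
bypass_cmd() {
    case "$1" in cpu|mem) ;; *) return 1 ;; esac
    case "$2" in low|high) ;; *) return 1 ;; esac
    valid_threshold "$3" || return 1
    printf 'ips bypass set %s %s %s\n' "$1" "$2" "$3"
}

# Execute a command string, or just print it under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$1"
    else
        eval "$1"   # only ever given strings built by bypass_cmd above
    fi
}

# Apply a low/high pair for one resource ($1 = cpu|mem, $2 = low, $3 = high).
# Our sanity check: low must be below high so that inspection can resume
# once load drops back under the low threshold.
apply_pair() {
    valid_threshold "$2" && valid_threshold "$3" || return 1
    [ "$2" -lt "$3" ] || return 1
    low_cmd=$(bypass_cmd "$1" low "$2") || return 1
    high_cmd=$(bypass_cmd "$1" high "$3") || return 1
    run "$low_cmd" && run "$high_cmd"
}

# Typical sequence: set both resources, enable bypass, show the result.
configure_bypass() {
    apply_pair cpu "$1" "$2" && apply_pair mem "$1" "$2" \
        && run "ips bypass on" && run "ips bypass stat"
}
```

Run with DRY_RUN=1 first to review the generated commands; ips bypass stat at the end confirms the state the gateway reports.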

©2014 Check Point Software Technologies Ltd. All rights reserved.