Managing Gateways
IPS protections are enforced by Security Gateways with the IPS Software Blade enabled and by IPS-1 Sensors. The page shows the list of all gateways enforcing IPS protections and the profile that is assigned to each gateway.
On the Enforcing Gateways page, you can select whether the IPS profiles will manage only IPS Software Blade protections or if they will also manage IPS-1 Sensor protections. If you choose to manage IPS-1 Sensor protections, you can add IPS-1 Sensors to your list of enforcing gateways and assign profiles to the sensors.
If you choose to manage IPS-1 Sensors as well, the IPS-1_Recommended_Protection profile will be available in the list of Profiles. The Recommended_IPS-1_Protection profile contains recommended settings for both IPS Software Blade protections and IPS-1 Sensor protections. It can also be imported at a later time from the command line with the ips_export_import command.
Important - The Remove button will DELETE the selected gateway object.
- To remove a Security Gateway from Enforcing Gateways, disable the Software Blade on the gateway.
- To remove an IPS-1 Sensor from Enforcing Gateways, delete the IPS-1 Sensor object.
Adding IPS Security Gateways - SmartDashboard
When you enable the IPS Software Blade on a Security Gateway object, the gateway is automatically added to the list of Enforcing Gateways and it is assigned the profile.
To create a new Security Gateway object with IPS enforcement:
- In > IPS tab, select .
- Click and choose .
- Enter the properties of the Security Gateway, including selecting IPS.
- In mode, select in the tab.
- In mode, select a option that includes IPS.
The Firewall Software Blade must be enabled to enable the IPS Software Blade.
Adding IPS-1 Sensors
When you add a new IPS-1 Sensor object, the sensor is automatically added to the list of Enforcing Gateways and it is assigned the profile. By default, the sensor is configured as with bypass mode.
When adding an IPS-1 Sensor, you can also define these settings which are unique to IPS-1 Sensors:
Working Mode
- IDS - Passive: The IPS-1 Sensor is not placed in the path of traffic. Packets are processed for attack detection without any impact on the flow of network traffic.
- IPS - Inline, Detect only: Inline intrusion detection. Packets are forwarded through to the network before processing for attack detection. In fault conditions, all packets are allowed. Detect only mode is also useful for checking whether an IPS-mode Sensor is responsible for dropped traffic.
- IPS - Inline, fail-open: Inline intrusion prevention. Packets are processed for attack detection and are forwarded to the network only in accordance with protection settings. In fault conditions, all packets are allowed.
- IPS - Inline, fail-closed: Inline intrusion prevention. Packets are processed for attack detection and are forwarded to the network only in accordance with protection settings. In fault conditions, all packets are dropped.
Warning - Changing the Working Mode may stop the flow of network traffic. Make sure that your network topology is correct for the IPS-1 Sensor Working Mode that you choose.
Topology
By default, the IPS-1 Sensor inspects all traffic that passes through its interfaces. We recommend that you manually define the protected networks in the IPS-1 Sensor's Topology page. The Topology options are:
- lets the IPS-1 Sensor protections react to all traffic with the highest level of inspection. Most organizations will choose not to use this setting because it requires a high level of inspection of traffic even of traffic that does not impact the organization's security.
- lets you specify the group of hosts or networks that the IPS-1 Sensor protects. This reduces the load on the sensor by focusing the sensor's resources on traffic that relates to internal networks.
- does not specify a group of hosts or networks for protection. When no topology is configured, the IPS-1 Sensor inspects all traffic with a lower level of intensity. The IPS-1 Sensor will inspect traffic faster but without the high level of inspection provided by the and settings.
Latency Threshold
The Latency Threshold suspends IPS inspection when the average latency of traffic passing through the sensor exceeds a specified threshold. Exceeding the specified latency level is treated as a Fail State: traffic is then passed or dropped according to the Sensor bypass mode in the IPS-1 Sensor's General Properties. By default, this setting is off; you can enable it from the IPS-1 Sensor's IPS page.
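The Working Mode list above and the Latency Threshold paragraph together describe how an inline sensor behaves when inspection stops. The following Python model is an added illustration, not code from the IPS-1 product or the guide: it tracks a rolling average of per-packet latency (the window size of three samples is an assumption; the page only says "average latency"), flags a Fail State when the average exceeds the threshold, and applies the fail-open / fail-closed / detect-only / passive rules from the page to decide whether a packet is forwarded. The packet samples are constructed.

```python
from collections import deque
from enum import Enum


class WorkingMode(Enum):
    """The four IPS-1 Sensor working modes listed on this page."""
    IDS_PASSIVE = "IDS - Passive"
    IPS_DETECT_ONLY = "IPS - Inline, Detect only"
    IPS_FAIL_OPEN = "IPS - Inline, fail-open"
    IPS_FAIL_CLOSED = "IPS - Inline, fail-closed"


class LatencyMonitor:
    """Rolling-average latency tracker: average above the threshold means Fail State.

    The window size is a modelling assumption (the page only says 'average latency').
    """

    def __init__(self, threshold_ms: float, window: int = 3) -> None:
        self.threshold_ms = threshold_ms
        self.samples = deque(maxlen=window)

    def observe(self, latency_ms: float) -> bool:
        """Record one latency sample and report whether the sensor is in Fail State."""
        self.samples.append(latency_ms)
        average = sum(self.samples) / len(self.samples)
        return average > self.threshold_ms


def forward_decision(mode: WorkingMode, fault: bool, verdict_drop: bool) -> str:
    """Return 'forward' or 'drop' for one packet.

    fault: the sensor is in a fault condition (here: latency threshold exceeded),
           so inspection is suspended and the protection verdict is ignored.
    verdict_drop: what the protection settings would decide if inspection ran.
    """
    if mode is WorkingMode.IDS_PASSIVE:
        # Not in the traffic path: detection never affects the flow of packets.
        return "forward"
    if fault:
        # Inspection is suspended; only fail-closed drops traffic during a fault.
        return "drop" if mode is WorkingMode.IPS_FAIL_CLOSED else "forward"
    if mode is WorkingMode.IPS_DETECT_ONLY:
        # Packets are forwarded before processing, so the verdict cannot block them.
        return "forward"
    # Inline prevention: forward only in accordance with the protection verdict.
    return "drop" if verdict_drop else "forward"


def run_sensor(mode: WorkingMode, threshold_ms: float, samples, window: int = 3) -> list:
    """Feed (latency_ms, verdict_drop) samples through one sensor and collect its decisions."""
    monitor = LatencyMonitor(threshold_ms, window)
    decisions = []
    for latency_ms, verdict_drop in samples:
        fault = monitor.observe(latency_ms)
        decisions.append(forward_decision(mode, fault, verdict_drop))
    return decisions


# Constructed sample: three normal packets (the second one matches a drop protection),
# then a latency spike that pushes the 3-sample average past a 5 ms threshold.
SAMPLES = [(1.0, False), (2.0, True), (3.0, False), (20.0, False)]

if __name__ == "__main__":
    for mode in WorkingMode:
        print(f"{mode.value:28} {run_sensor(mode, 5.0, SAMPLES)}")
```

Running the model over the same four packets shows the operational difference the Warning box is about: the fail-closed sensor drops the fourth packet because the threshold was crossed, the fail-open sensor passes it uninspected, and the detect-only and passive sensors never drop anything, including the packet that matched a protection.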
To create an IPS-1 Sensor object:
- If there is a Security Gateway between the management server and the IPS-1 Sensor, make sure is selected in the > page.
- In the IPS tab, select .
- Click and choose .
- Enter the properties of the IPS-1 Sensor.
- If there is a Security Gateway between the management server and the IPS-1 Sensor, install the policy on the gateway.
- Open the IPS-1 Sensor object and click to initiate SIC.
- Once is initialized, click .
- Click .
The IPS-1 Sensor object is created and you can now include the IPS-1 Sensor in policy installation.
Note - If policy installation fails when the IPS-1 Sensor is set to an IPS-Inline Working Mode, log into the sensor's CLI and check that the interfaces are set to work as inline pairs. Refer to the R71 IPS-1 Sensor Administration Guide.
Managing IPS gateways - CLI
You can use these CLI commands to manage IPS on your Security Gateways. You must be in expert mode to use the commands.
To see all available commands:
- On the gateway, go to the expert mode.
- Type and press .
Command and description:

ips on|off [-n]
    Enable or disable IPS on the Security Gateway.
    -n    Empty the templates table (applies immediately). Otherwise, the command takes effect in a few minutes.

ips stat
    Show the IPS status of the Security Gateway.

ips bypass stat
    Show the Bypass Under Load status.

ips bypass on|off
    Enable or disable Bypass Under Load.

ips bypass set cpu|mem low|high <threshold>
    Set the Bypass Under Load threshold.
    threshold    Valid range is 1 to 99. Unit is percent.

ips debug [-e filter] -o <output_file>
    Create an IPS debug file. Valid filter values are the same as for . Consult with Check Point Technical Support.

ips refreshcap
    Refresh the sample capture repository.

ips stats [<ip_address> -m] [-g <seconds>] [<ip_address> <seconds>]
    Print IPS and Pattern Matcher performance statistics. Without arguments, runs on the current Security Gateway for 20 seconds. This is a resource-intensive command and should not be run on a system experiencing a high load.
    -m         Analyze an input statistics file from a Security Gateway. Give the IP address of the Security Gateway. Run from the management server.
    -g         Collect statistics for the current Security Gateway.
    seconds    Period, in seconds, over which statistics are gathered.

ips pmstats reset
    Reset pattern matcher statistics.

ips pmstats -o <output_file>
    Print pattern matcher statistics.
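The command table above fixes a small grammar for the `ips` CLI (which resource and level names `ips bypass set` accepts, the 1 to 99 percent range, and the three mutually exclusive forms of `ips stats`). The following Python helper is an added example, not part of the guide or the product: it builds those commands as argv lists, rejecting anything outside the documented ranges before the command ever reaches the gateway, and executes them without a shell so that values taken from a config file or ticket cannot be interpreted as extra shell syntax. The `run` function is dry-run by default; the `192.0.2.1` address used below is a constructed documentation address.

```python
import ipaddress
import shlex
import subprocess


def ips_switch(enable: bool, flush_templates: bool = False) -> list:
    """ips on|off [-n]: -n empties the templates table so the change applies at once."""
    argv = ["ips", "on" if enable else "off"]
    if flush_templates:
        argv.append("-n")
    return argv


def ips_bypass_set(resource: str, level: str, threshold: int) -> list:
    """ips bypass set cpu|mem low|high <threshold>, enforcing the table's 1 to 99 percent range."""
    if resource not in ("cpu", "mem"):
        raise ValueError(f"resource must be cpu or mem, got {resource!r}")
    if level not in ("low", "high"):
        raise ValueError(f"level must be low or high, got {level!r}")
    if isinstance(threshold, bool) or not isinstance(threshold, int) or not 1 <= threshold <= 99:
        raise ValueError(f"threshold must be an integer percent from 1 to 99, got {threshold!r}")
    return ["ips", "bypass", "set", resource, level, str(threshold)]


def ips_stats(ip_address=None, seconds=None, analyze_file=False) -> list:
    """Build one of the three documented 'ips stats' forms.

    no arguments            -> ips stats                (current gateway, 20 seconds)
    seconds only            -> ips stats -g <seconds>   (current gateway)
    ip_address + seconds    -> ips stats <ip> <seconds>
    ip_address + analyze    -> ips stats <ip> -m        (analyze a statistics file, from the management server)
    """
    if ip_address is not None:
        ipaddress.ip_address(ip_address)  # raises ValueError on a malformed address
    if seconds is not None and (isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0):
        raise ValueError(f"seconds must be a positive integer, got {seconds!r}")
    if analyze_file:
        if ip_address is None or seconds is not None:
            raise ValueError("-m takes a gateway IP address and no duration")
        return ["ips", "stats", ip_address, "-m"]
    if ip_address is None:
        return ["ips", "stats"] if seconds is None else ["ips", "stats", "-g", str(seconds)]
    if seconds is None:
        raise ValueError("a remote gateway address needs a duration in seconds")
    return ["ips", "stats", ip_address, str(seconds)]


def run(argv: list, dry_run: bool = True) -> str:
    """Return the shell-quoted command in dry-run mode; otherwise execute it without a shell.

    Real execution assumes an expert-mode session on the gateway where 'ips' is on PATH.
    """
    if dry_run:
        return shlex.join(argv)
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    print(run(ips_switch(enable=False, flush_templates=True)))
    print(run(ips_bypass_set("cpu", "high", 80)))
    print(run(ips_stats(seconds=30)))
    print(run(ips_stats("192.0.2.1", analyze_file=True)))
```

Keeping the validation in one place means a scheduled job that tunes Bypass Under Load cannot push an out-of-range threshold, and the argv-list form is what to keep if the helper is later wired to a remote execution channel.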