Getting Started with IPS
You can configure IPS for many levels of control over network traffic, but it is also designed to provide IPS protection right out of the box. When you enable the IPS Software Blade on a Security Gateway object, the gateway is automatically added to the list of Enforcing Gateways and it is assigned the profile. You can also assign the profile to the Security Gateway, or create a customized profile and assign it to the Security Gateway.
The next time you install a policy on the Security Gateway, the IPS profile is also installed on the Security Gateway and the Security Gateway immediately begins enforcing IPS protection on network traffic.
In addition to assigning your Security Gateway an IPS profile, you should also review the Recommendations for Initial Deployment.
Choosing the Level of Protection
Check Point IPS is a system that can give you instant protection based on pre-defined profiles, or it can be customized and controlled on a very detailed level.
To learn more about profiles, see IPS Profiles.
Basic IPS Protection
IPS provides three pre-defined profiles that can be used to immediately enforce IPS protection in your environment:
- Default_Protection - provides excellent performance with a sufficient level of protection using only IPS Software Blade protections.
- Recommended_Protection - provides the best security with a sufficient level of performance using only IPS Software Blade protections.
Application Control protections are not activated by default in any of the pre-defined profiles.
Default Protection
The Default Protection profile is defined with these parameters:
- IPS Mode: Prevent
- IPS Policy: All Signature protections with Very Low Performance Impact are activated
- Updates Policy: Protections downloaded using Online Updates are set to Prevent.
Recommended Protection
The Recommended Protection profile is defined with these parameters:
- IPS Mode: Prevent
- IPS Policy: All Signature and Protocol Anomaly protections with Low Severity and Medium or higher Confidence-level are activated, excluding protections with Critical Performance Impact.
- Updates Policy: Protections downloaded using Online Updates are set to Detect.
Advanced IPS Protection
For organizations particularly focused on network security, IPS allows you to customize profiles that will meet the needs of your organization.
Ideally, you might want to set all IPS protections to Prevent in order to protect against all potential threats. However, to allow your gateway processes to focus on handling the most important traffic and to report on only the most concerning threats, you will need to determine the most effective way to apply the IPS protections.
By making a few policy decisions, you can create an IPS Policy which activates only the protections that you need and prevents only the attacks that most threaten your network.
To apply protections based on an IPS Policy, create a new profile and select in the page.
Changing the Assigned Profile
To assign an IPS profile:
- Select IPS > Enforcing Gateway.
  This page lists all gateways with the IPS Software Blade enabled.
- Select a gateway and click Edit.
- In Assign IPS Profile, select the profile that you want to assign to this gateway.
The gateway will begin enforcing the protections according to the assigned profile after you install the policy.
Recommendations for Initial Deployment
We recommend that you use certain Gateway and profile settings for your initial deployment of IPS.
Once you are satisfied with the protection and performance of IPS, you can change the system's settings to focus on the attacks that concern you the most.
Troubleshooting
It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic. During this time, you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic. Once you have used this information to customize the IPS protections to suit your needs, disable Detect-Only for Troubleshooting to allow IPS protections set to Prevent to block identified traffic on the gateways.
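The review described above, sketched as an added example (not Check Point code and not part of the original guide): it tallies IPS events logged while Detect-Only for Troubleshooting is enabled and lists the protections that will begin blocking traffic once the option is disabled. The CSV columns, protection names, addresses and the profile mapping are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed profile: protection name -> action configured in the profile.
PROFILE_ACTIONS = {
    "Example Protection A": "Prevent",
    "Example Protection B": "Prevent",
    "Example Protection C": "Detect",
}

# Constructed export of events logged under Detect-Only (columns are assumptions).
SAMPLE_EVENTS = """protection,src,dst
Example Protection A,192.0.2.10,198.51.100.5
Example Protection A,192.0.2.10,198.51.100.5
Example Protection A,192.0.2.11,198.51.100.5
Example Protection B,192.0.2.20,198.51.100.9
Example Protection C,192.0.2.30,198.51.100.9
Example Protection C,192.0.2.31,198.51.100.9
"""

def effective_action(configured, detect_only):
    """Detect-Only overrides Prevent so that no traffic is blocked."""
    if detect_only and configured == "Prevent":
        return "Detect"
    return configured

def cutover_report(events_csv, profile_actions):
    """Per protection: event count, distinct flows, action now and after."""
    counts = defaultdict(int)
    flows = defaultdict(set)
    for row in csv.DictReader(io.StringIO(events_csv)):
        counts[row["protection"]] += 1
        flows[row["protection"]].add((row["src"], row["dst"]))
    report = []
    for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        configured = profile_actions.get(name, "Unknown")
        report.append({
            "protection": name, "events": n, "flows": len(flows[name]),
            "now": effective_action(configured, True),
            "after": effective_action(configured, False)})
    return report

def newly_blocked(report):
    """Protections whose matching traffic is blocked only after cutover."""
    return [r["protection"] for r in report if r["now"] != r["after"]]

if __name__ == "__main__":
    print(newly_blocked(cutover_report(SAMPLE_EVENTS, PROFILE_ACTIONS)))
```

A protection with many events spread over few distinct flows is a candidate for closer review before Detect-Only is disabled, since blocking it would affect the same hosts repeatedly.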
Protect Internal Hosts Only
See: Gateway Protection Scope.
Bypass Under Load
To help you integrate IPS into your environment, the Bypass Under Load feature disengages IPS activities during times of heavy network usage. While it is engaged, IPS allows traffic to pass through the gateway without inspection, and IPS resumes inspection once the high traffic levels have been reduced.
Because this feature creates a situation where IPS protections are temporarily disabled, it is recommended to apply it only during the initial deployment of IPS. After optimizing the protections and performance of your gateway, it is recommended to disable Bypass Under Load to ensure that your network is always protected against attack.
For more information, see Bypass Under Load.
Installing the Policy
After preparing the IPS profiles according to your needs, apply the IPS changes to your gateway by installing the policy.
To install the policy:
- Select > .
- Select > .
- Click .
- Select the gateways on which the policy is to be installed, and click .
Your environment is now protected by Check Point IPS.
Periodically review IPS events in SmartView Tracker to see the traffic that IPS identifies as a result of your IPS configuration.