Managing Profiles and Protections

In This Section:

IPS Profiles

IPS profiles enable you to configure sets of protections for groups of gateways. Without profiles you would have to configure IPS in a global policy for all your devices and network behavior, or configure each device separately. With profiles, you have both customization and efficiency.

Up to 20 profiles may be created. IPS profiles are available for all Check Point NGX gateways.

Note - For Mobile Access, IPS profiles are available for all NGX R66 gateways and above. Earlier versions of Mobile Access gateways (Connectra) do not receive an IPS profile from the Security Management Server. Every profile created takes 2 MB of RAM from the user console machine on both Windows and Motif.

Creating Profiles

When you create a profile, you create a new SmartDashboard. Protections can be activated, deactivated or given specific settings to allow the profile to focus on identifying certain attacks. The profiles can then be applied to groups of devices that need to be protected against those certain attacks.

To create a profile:

In the IPS tab, select Profiles.
Click New and choose an option:
- Create New Profile: Opens empty Profile Properties window for new configuration.
- Clone Selected Profile: Creates copy of selected profile. Select the cloned profile and click Edit to make changes (including providing a new name) in the Profile Properties window.
Configure the General properties.
- Profile Name: Mandatory, cannot contain spaces or symbols.
- Comment: Optional free text.
- Color: Optional color for SmartDashboard object mapping.
- IPS Mode: The default action that a protection will take when it is enabled.
  - Prevent: Activated protections will block traffic matching the protection's definitions.
  - Detect: Activated protections will track traffic matching the protection's definitions.
- Protections Activation: Protections can be enabled automatically or manually.
  - Activate according to IPS Policy: Let IPS activate protections automatically according to the IPS Policy criteria.
  - Manually activate protections: Do not let IPS automatically activate protections; activate them as needed.
Select IPS Policy > Updates Policy and select whether newly downloaded protections should be set by default to Prevent or Detect.
Click OK to create the profile.

Activating Protections

Each profile is a set of activated protections and instructions for what IPS should do if traffic inspection matches an activated protection. The procedures in this section explain how to activate protections for a profile.

Automatically Activating Protections

IPS protections include many protections that can help manage the threats against your network. Care should be taken to understand the complexity of the IPS protections before manually modifying their settings.

To simplify the management of the IPS protections settings, a profile can be configured to automatically enable protections based on user defined criteria by selecting Activate according to IPS Policy in the Profile's General properties.

When the IPS Policy activates a protection, the protection will enforce the action set in the IPS Mode, either Detect or Prevent. In some instances a protection will be set to Detect if it meets the criteria to be set to Inactive but does not support the Inactive status

There are numerous protections available in IPS. It will take some time to become familiar with those that are relevant to your environment; some are easily configured for basic security without going too deeply into the details of the threat and the protection. Many protections can be safely activated automatically.

It is recommended that you allow IPS to activate protections according to the IPS policy in the beginning. Then you can manually modify the protection settings as needed according to your monitored traffic.

To automatically activate protections in a profile:

In the Profiles page, double-click a profile, or click New to create a new profile.
Select IPS Policy.
Set automatic activation by type:
- Client Protections: activate protections specific to clients.
- Server Protections: activate protections specific to servers.
- Both: all protections will be activated, except for those that are:
  - Excluded by the options selected here
  - Application Controls or Engine Settings
  - Defined as Performance Impact — Critical
Set activation according to protection criteria. In the Protections to Deactivate area, select relevant criteria and then select the value that fits:
- Protections have severity: Activate protections only if their Severity level is higher than the value you select in the drop-down list.
  For example: you can set protections with low severity to not be activated automatically (Do not activate protections with severity Low or below). You can always activate the protections that you want later, if analysis proves they are needed.
- Protections have confidence level: Activate protections only if their Confidence Level is higher than the selected value.
  For example: Do not activate protections if with confidence-level Low or below. The higher the Confidence Level of a protection, the more confident Check Point is that recognized attacks are indeed attacks; lower Confidence Levels indicate that some legitimate traffic may be identified as an attack.
- Protections have performance impact: Activate protections only if their Performance Impact is lower than the selected value.
  For example: Do not activate protections with performance impact High or higher. Some activated protections may cause issues with connectivity or performance. You can set protections to not be activated if they have a higher impact on gateway performance.
- Protocol Anomalies: Do not automatically activate Protocol Anomaly protections.

To exclude protection categories from the IPS Policy:

In Profile Properties > IPS Policy, select Do not activate protections in following categories and click Configure.
The Non-Auto Activation window opens.
Click Add.
The Select Category window opens.
Expand the tree nodes and select from any level the categories that you do not want to be activated by the IPS Policy.
For example, if you selected to automatically activate Server Protections and then add Syslog to the categories in the Non-Auto Activation window, the Syslog protections (such as Apply Malicious Code Protector) will not be automatically activated in this profile.
Click OK to close the Select Category window.
Click OK to close the Non-Auto Activation window.
Click OK to apply the Automatic Activation configuration and close the Profile Properties window.

Manually Activating Protections

You may need to activate protections that are not activated automatically. For example, you may have reason to suspect a specific threat against a gateway.

Note: If you manually activate protections for a profile that has Detect-Only for Troubleshooting enabled, traffic will only be blocked when the Detect-Only for Troubleshooting is disabled.

Activating Protections for All Profiles

To manually activate a protection in all profiles:

In the Protections Browser, right-click on the protection that you want to activate and select the action that you want to apply to the protection.

Activating Protections for a Specific Profile

To manually activate a protection for a specific profile:

Find the protection that you want to activate using the Protections Browser and click Edit.
Select the profile for which you want to activate this protection and click Edit.
The protection can be activated for one profile and inactive for another; thus, it will be activated for some gateways and inactive for others.

If the protection is inactive and Action according to IPS Policy: Inactive is selected, this protection is inactive due to the IPS Policy for this profile. You can override this setting or change the IPS Policy criteria. For instructions on changing IPS Policy, see Automatically Activating Protections.

To override the settings for this protection, continue with this procedure.
Select Override IPS Policy and select the action that you want to apply.
- Prevent: Activate IPS inspection for this protection and run active preventions on the gateways to which this profile is assigned.
- Detect: Activate IPS inspection for this protection, tracking related traffic and events.
- Inactive: Do not enforce this protection.
If available, configure the Additional Settings that are relevant for its individual configurations and options.
Some common settings include:
- Track: allows the administrator to define how he should be alerted about the protection.
  Examples of Track Actions: Log, Alert, Mail.
- Capture Packets: allows the packets relevant to the protection to be captured for additional analysis at a later time. The packet capture can be viewed from the event in SmartView Tracker. Note that a packet capture is automatically attached to the first log of an attack even if this option is not selected. For more information see Working with Packet Information.

Removing Activation Overrides

While configuring a profile, at any time you can manually set the activation of individual protections, overriding the automatic activation setting. If the result is not relevant, you can remove the overrides.

To remove overrides:

In the IPS tab, select Profiles.
Select a profile from the list and click Actions > Remove overrides.
A message appears:

Are you sure you want to reapply the profile's IPS Mode and Activation settings to the protections?
To confirm, click Yes.
A message appears:

All protections have been reset to the profile's settings.
Click OK.

Managing Profiles

This section covers profile management.

Assigning Profiles to Gateways

To assign a profile to a gateway:

In the IPS tab, select Enforcing Gateways.
Select a gateway and click Edit.
The IPS page of the gateway properties opens.
Select a profile from the Assign profile list.
Click OK.

View Protected Gateways by Profile

To view a list of gateways that are protected by a specific profile:

In the IPS tab, select Profiles
Select a profile from the list and click Actions > Show Protected Gateways.
The Protected Gateways window appears with the list of gateways that are assigned to the selected profile.

Viewing Profile Modification Data

You can see data about modifications made to a selected profile.

To see modification data:

In the IPS tab, select Profiles.
Select a profile from the list and click Actions > Last Modified.
The Last Modification window opens.
- Last modified at: Date and time of last modification.
- From client: Name of client machine from which the profile was modified.
- By Administrator: Username of the administrator who did the modifications.

Importing and Exporting Profiles

IPS lets you import and export profiles using the ips_export_import command from the CLI. Supported in Security Management Server and Multi-Domain Security Management environments, the command lets you copy profile configurations between management servers of the same version.

The exported profile is stored in a tar archive. The archive includes all protection settings but does not include:

Network Exceptions
Network object information that is specified in the protection settings

On a Multi-Domain Server, you must use one of these methods to set the environment in which the command will run:

Run mdsenv to set the environment (Multi-Domain Server or specific Domain Management Server) where the IPS profile is configured.
Use -p <ip> to enter the IP address of the Multi-Domain Server or Domain Management Server where the IPS profile is configured.

To export an IPS profile:

From the command line, run:

ips_export_import export <profile-name> [-o <export-file-name>] [-p <ip>]

You must enter the exact name of the profile that you want to export.

The archive will be named <profile-name>.tar and is saved to your present working directory. You can also use the -o <file-name> to give the archive a specific name.

To import an IPS profile:

From the command line, run:

ips_export_import import <new-profile-name> -f <file-name> [-p <ip>]

You must enter a name for the profile and the location of the archive. You can either import an archive that is in your present working directory or enter the exact location of the archive that you want to import.

Deleting Profiles

You can delete IPS profiles that were created by an administrator. Make sure that you do this carefully, because it can have an effect on gateways, other profiles, or SmartDashboard objects.

To delete a profile:

In the IPS tab, select Profiles.
Select the profile you want to delete and click Delete.
The message appears: Are you sure you want to delete object <profile_name>?
Click Yes.
If the profile contains references to/from other objects, another message appears:

<profile_name> is used in another object.
Are you sure you want to delete it?
Click Where Used?
The Object References window opens.

For each object that references the profile, there is a value in the Is Removable? column. If this value is Yes for all objects, you can safely delete the profile. Otherwise, you should discover the relationship before deciding to delete this profile.

Troubleshooting Profiles

IPS includes the ability to temporarily stop protections set to Prevent from blocking traffic. This is useful when troubleshooting an issue with network traffic.

To enable Detect-Only for Troubleshooting:

Select IPS > Profiles.
Select a profile and click Edit.
The Profile Properties window appears.
Select Troubleshooting.
Click on the Detect-Only for Troubleshooting icon.

Once you have done this, all protections set to Prevent will allow traffic to pass, but will continue to track threats according to its Track configuration.

Protections Browser

The Protections Browser provides quick access to IPS protections and displays them with a summary of important information and usage indicators.

Customizing the Protections Browser View

The Protections page shows a table of the protections, with each column a different type of information.

Column	Description	See for details

Protection	Name of the protection
Category	Protocol category and bread-crumbs to find the protection in the category tree
Severity	Probable severity of a successful attack on your environment	Severity
Confidence Level	How confident IPS is that recognized attacks are actually undesirable traffic	Confidence Level
Performance Impact	How much this protection affects the Security Gateway's performance	Performance Impact
Industry Reference	International CVE or CVE candidate name for attack
Release Date	Date the protection was released by Check Point
Protection Type	Whether the protection is for servers, clients, or both	Type
Follow Up	Whether the protection is marked for Follow Up	Tracking Protections using Follow Up
Follow Up Comments	Text to comment on the protection
Products	Type of IPS enforcement
<profile_name>	Activation setting of the protection in the profile	Protection Mode

To change which columns are visible:

Click View > Customize.
The Customize window opens.
Any column you do not want to appear, move to the Available fields list; any you do want to see, let them remain in the Visible fields list.
Click OK.

Finding Protections

Use the Protections page for filtering the complete protections list. You can filter by protection name, CVE number, or by any information type that is displayed in the columns.

To filter by protection name:

Leave the Search In box at the default All, or select Protection.
Start to type the name in the Look for text box.
The displayed list filters as you type. Note that the results include not only the name of the specific protection, but also the category tree in which it is contained.

For example, to see ICMP protections, type icmp in Look for, and select Protection in Search In. The list shows protections that have ICMP in their name, and all protections in the Network Security > IP and ICMP category. If you hover over a listed protection, the category tree is shown as a tooltip.

Filtering Protections

You can filter the list of protections by any criteria that is displayed in the Customizing the Protections Browser View table.

To filter by any information:

Select the information type from the search In drop-down menu.
By default, the search will return protections that have your search term in any field.
In the Look for text box, type a value for the information.
For example, to see only protections who have a value of Severity: Critical, type critical in Look for and select Severity in In.

Sorting Protections

Filtering by information type has a draw-back: you have to know valid values for the information. In the beginning, you might find it more convenient to sort the list rather than filter it.

To sort the protections list by information:

Click the column header of the information that you want.

For example, to see protections ordered by Severity, beginning with Critical, click the Severity column header.

Advanced Sorting

You can sort the list with multiple criteria: first sort by criteria A and then by criteria B.

For example, if you wanted to see protections that are marked for Follow Up, but you want to start with the most critical protections, you can sort by Follow Up and by Severity.

To sort by multiple values:

Click View > Sort.
The Sort window opens.
Choose the column headers by which you want to sort the list and then click OK.

Exporting Protections List

To enable administrators to analyze protections in alternative applications, you can export the Protections list as a comma-delimited file. The exported information includes all protections, with all table fields regardless of any applied sorting or filtering.

To export the Protections list:

Click View > Export View.
In the Save As dialog box, provide a filename and click Save.

Protection Parameters

Most protections have graded parameters, provided to help you decide which protections to activate for security and which can be safely deactivated, for connectivity and performance.

The protection parameters and their values for a specific protection appear at the top of the protection window.

Parameter	Indicates	Values
Type	Type of machine that can be affected/protected	Signature, Protocol Anomaly, Application Control, Engine Settings
Severity	How severely a successful attack would affect your environment	Low, Medium, High, Critical
Confidence Level	How well an attack can be correctly recognized	Low, Medium-Low, Medium, Medium-High, High
Performance Impact	How much this protection affects the gateway's performance	Low, Medium, High, Critical
Protection Type	Type of machine that can be affected/protected	Servers, Clients, Servers and Clients

Type

The Type is whether the protection is a Signature, Protocol Anomaly, Application Control, or Engine Setting.

Types

Type	Description	Usage Example
Signature	Prevent or detect threats by identifying an attempt to exploit a specific vulnerability	Microsoft Message Queuing contains a vulnerability that could allow an attacker to remotely execute code; you activate the applicable Microsoft Message Queuing protection to protect against such an attack.
Protocol Anomaly	Prevent or detect threats by identifying traffic that does not comply with protocol standards	An attacker can send HTTP packets with invalid headers in an attempt to gain access to server files; you activate the Non-Compliant HTTP protection to protect against such an attack.
Application Control	Enforce company requirements of application usage	Your organization decides that users should not use Peer to Peer applications at the office; you activate the Peer to Peer Application Control protections.
Engine Setting	Configure IPS engine settings	Configuring settings will influence other protections; be sure to read any notes or warnings that are provided.

IPS protections are divided by these types in the IPS tree under Protections > By Type.

For example, view all Application Controls supported by IPS by selecting Protections > By Type > Application Control.

Protection Mode

Each protection has a mode, which determines whether IPS inspects packets for this protection, and if so, what it does if the packet matches a threat symptom.

	Inactive:	Packets are not inspected for this protection.
	Active:	Packets are inspected and actions taken (depending on Detect or Prevent).
	Prevent:	Packets are inspected and threatening packets or connections are dropped.
	Detect:	Packets are inspected and threatening packets or events are tracked.

The next sections, that explain the protections in detail, assume that the protection is Activated, to explain the configuration options that are available only when the protection is Active.

If the IPS policy settings cause a protection to be Inactive, and you want to activate it, select Override with the action: and choose Prevent or Detect from the drop-down list.

Some protections may be Partially active: the protection settings configured to activate the protection for specific protocols or situations, leaving it inactive for others. For example, in DNS - General Settings, you can select to activate DNS protections only for TCP or only for UDP, so the protections in the DNS category are Partially active. If you select to activate DNS protections for both TCP and UDP, the protections will be Active.

The mode of a protection is per-profile. See Managing Profiles.

Severity

You should activate protections of Critical and High Severity, unless you are sure that you do not want this particular protection activated.

For example, if a protection has a rating of Severity: High, and Performance Impact: Critical, you might want to determine whether the protection is necessary for your specific environment before activating the protection.

Confidence Level

Some attack types are more subtle than others, and legitimate traffic may sometimes be mistakenly recognized as a threat. The confidence level value indicates how well this particular protection can correctly recognize the specific attack.

The Confidence parameter can help you troubleshoot connectivity issues with the firewall. If legitimate traffic is blocked by a protection, and the protection has a Confidence level of Low, you have a good indication that more specific configurations might be needed on this protection.

Performance Impact

Some protections by necessity use more resources or apply to common types of traffic, causing an adverse effect on the performance of the gateways on which they are activated.

Note -The Performance Impact of protections is rated based on how they will affect gateways of this version running SecurePlatform and Windows operating systems. The Performance Impact on other gateways may vary from the rating listed on the protection.

For example, you might want to ensure that protections that have a Critical or High Performance Impact are not activated unless they have a Critical or High Severity, or you know the protection is specifically needed.

If your gateways experience heavy traffic load, be careful about activating High/Critical Performance Impact protections on profiles that affect a large number of mixed (client and server) machines.

Using the value of this parameter to decide upon an optimal protection profile will prevent overloading your gateway resources.

Protection Type

Signature and Protocol Anomaly protections are designed to protect against threats that target either Servers or Clients. You can use this information to define a profile that will only focus on the threats that can exploit the network resources behind your enforcing gateway, thereby reducing the performance impact on the gateway and the amount of logs which the gateway will produce.

For example, if you have an enforcing gateway which protects servers in a DMZ, you can apply a profile that deactivates the Client protections because the client vulnerabilities are most likely not present on the protected resources.

Protected Servers

Certain protections are designed to inspect traffic based on the type of server that the traffic is coming to or from. To allow these protections to identify the traffic that should be inspected, IPS requires you to identify the DNS, Web and Mail servers you want to protect.

DNS Servers

The DNS protocol protections prevent illegal DNS packets over TCP or UDP, prevents users from accessing blocked domain addresses, protect from DNS Cache Poisoning, and block DNS traffic to non-DNS destinations.

These protections will only apply to servers that are defined as DNS Servers in Protections > By Protocol > IPS Software Blade > Application Intelligence > DNS > DNS Servers View.

Defining DNS Servers

Configure a list of DNS servers in your environment to ensure that IPS enforces the DNS protections on the relevant devices.

To define a host as a DNS server:

Make sure the host is defined as a SmartDashboard object.
In the DNS Servers View, click Add to add another host to the list of DNS servers.
Select the host that you want to add to the DNS server list.
- Click Edit to view or change the properties of the host before defining it as a DNS server.
- Click OK to add the host to the list of DNS servers.

Editing DNS Servers

After a host is defined as a DNS server (added to the DNS Servers View list), it gains the DNS Server properties in its Host Node properties.

To edit a DNS server:

Select the host in the DNS Servers View list and click Edit.
In the left-hand category tree of the Host Node window, click Protections under the DNS Server category.

The Protections page displays a note that although you can select specific security settings for this server, the enforcement of this protection depends on the IPS profile to which this server is assigned. See "IPS Profiles" for more information on profiles.

Web Servers

The Web protocol protections prevent attacks that use web protocols and vulnerabilities to damage your network or use your network resources to attack other networks. Web servers require special protection from these attacks.

You can manage the use of these protections on Web Server from Protections > By Protocol > IPS Software Blade > Web Intelligence > Web Servers View.

Defining Web Servers

Configure a list of Web servers in your environment to ensure that IPS enforces the Web Server protections on the relevant devices.

To define a host as a Web server:

Make sure the host is defined as a SmartDashboard object.
In the IPS tab, open Protections > By Protocol > Web Intelligence > Web Servers View.
Click Add to add another host to the list of Web servers.
Select the host that you want to add to the Web server list.
- Click Edit to view or change the properties of the host before defining it as a Web server.
- Click OK to add the host to the list of Web servers.

Editing Web Servers

After a host is defined as a Web server (added to the Web Servers View list), it gains the Web Server properties in its Host Node properties.

To edit a Web server:

Select the host in the Web Servers View list and click Edit.
In the left-hand category tree of the Host Node window, click Protections under the Web Server category.
The Protections page displays a note that although you can select specific settings for this server, the enforcement of this protection depends on the IPS profile to which this server is assigned. See IPS Profiles for more information on profiles.

Mail Servers

The Mail protocol protections prevent improper POP3, IMAP and SMTP traffic from damaging your network.

These protections will only apply to servers that are defined as Mail Servers in Protections > By Protocol > IPS Software Blade > Application Intelligence > Mail > Mail Servers View.

Defining Mail Servers

Configure a list of Mail servers in your environment to ensure that IPS enforces the Mail protections on those devices.

To define a host as a Mail server:

Make sure the host is defined as a SmartDashboard object.
In the IPS tab, open Application Intelligence > Mail > Mail Servers View.
Click Add to add another host to the list of Mail servers.
Select the host that you want to add to the Mail server list.
Click OK to add the host to the list of Mail servers.

Editing Mail Servers

After a host is defined as a Mail server (added to the Mail Servers View list), the Mail Server properties page is added to the object's Host Node properties.

To edit a Mail server:

Select the host in the Mail Servers View list and click Edit.
Click Protections under the Mail Server category.

The Protections page displays a note that, although you can select specific security settings for this server, the enforcement of this protection depends on the IPS profile to which this server is assigned.

Top of Page

Download PDF

Send Feedback