Managing Gateways

In This Section:

Adding IPS Security Gateways - SmartDashboard

Managing IPS gateways - CLI

IPS protections are enforced by Security Gateways with the IPS Software Blade. The Enforcing Gateways page shows the list of all gateways enforcing IPS protections and the profile that is assigned to each gateway.

Important - The Remove button DELETES the selected Security Gateway object.

To remove a Security Gateway from the Enforcing Security Gateways page without deleting its object, deactivate IPS for the selected Security Gateway instead.

Adding IPS Security Gateways - SmartDashboard

When you enable the IPS Software Blade on a Security Gateway object, the gateway is automatically added to the list of Enforcing Gateways and it is assigned the Default Protection profile.

To create a new Security Gateway object with IPS enforcement:

  1. In SmartDashboard > IPS tab, select Enforcing Gateways.
  2. Click Add and choose Security Gateway.
  3. Enter the properties of the Security Gateway, including selecting IPS.
    • In Classic mode, select IPS in the Network Security tab.
    • In Simple mode, select a Check Point products option that includes IPS.

The Firewall Software Blade must be enabled to enable the IPS Software Blade.

Managing IPS gateways - CLI

You can use these CLI commands to manage IPS on your Security Gateways. You must be in expert mode to use the commands.

To see all available commands:

  1. On the gateway, enter expert mode.
  2. Type ips and press Enter.

Command
    Description

ips on|off [-n]
    Enable or disable IPS on the Security Gateway.
    -n
        Empty templates table (applies fwaccel off; fwaccel on immediately). Otherwise, this command takes effect in a few minutes.

ips stat
    Show the IPS status of the Security Gateway.

ips bypass stat
    Show the Bypass Under Load status.

ips bypass on|off
    Enable or disable Bypass Under Load.

ips bypass set cpu|mem low|high <threshold>
    Set the Bypass Under Load threshold.
    threshold
        Valid range is 1 to 99. Unit is percent.

ips debug [-e filter] -o <output_file>
    Create an IPS debug file.
    Valid filter values are the same as for fw ctl debug. Consult with Check Point Technical Support.

ips refreshcap
    Refresh the sample capture repository.

ips stats [<ip_address> -m] [-g <seconds>] [<ip_address> <seconds>]
    Print IPS and Pattern Matcher performance statistics. Without arguments, runs on the current Security Gateway for 20 seconds. This is a resource-intensive command. Do not run it on a system with a high load.
    -m
        Analyzes the input statistics file from the Security Gateway. Give the IP address of the Security Gateway. Run from the management server.
    -g
        Collect statistics for the current Security Gateway.
    seconds
        Period in which statistics are gathered.

ips pmstats reset
    Reset pattern matcher statistics.

ips pmstats -o <output_file>
    Print pattern matcher statistics.
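
The following script is an added example, not part of the Check Point documentation: it checks Bypass Under Load thresholds against the 1 to 99 range given above before building the ips bypass set commands, and prints them unless APPLY=1 is set. The function names, the APPLY variable, the sample values and the rule that low must be below high are assumptions.

```bash
#!/bin/bash
# Added example: names, APPLY and sample values are hypothetical.

# Succeed only for an integer in the documented range 1 to 99 (percent).
valid_threshold() {
    case "$1" in
        [1-9]|[1-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one "ips bypass set" command, or fail on a bad argument.
# $1 = cpu|mem, $2 = low|high, $3 = threshold
bypass_cmd() {
    case "$1" in cpu|mem) ;; *) echo "bad resource: $1" >&2; return 1 ;; esac
    case "$2" in low|high) ;; *) echo "bad level: $2" >&2; return 1 ;; esac
    valid_threshold "$3" || { echo "threshold must be 1-99: $3" >&2; return 1; }
    echo "ips bypass set $1 $2 $3"
}

# Print both commands for one resource. $1 = cpu|mem, $2 = low, $3 = high.
# Assumption (not stated on the page): low must be below high.
bypass_plan() {
    low_cmd=$(bypass_cmd "$1" low "$2") || return 1
    high_cmd=$(bypass_cmd "$1" high "$3") || return 1
    if [ "$2" -ge "$3" ]; then
        echo "$1: low ($2) must be below high ($3)" >&2
        return 1
    fi
    printf '%s\n%s\n' "$low_cmd" "$high_cmd"
}

# Dry run by default: print the plan. With APPLY=1, in expert mode on the
# gateway, run each command and then show the Bypass Under Load status.
apply_plan() {
    plan=$(bypass_plan "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$plan" | while read -r cmd; do $cmd || exit 1; done || return 1
        ips bypass stat
    else
        echo "$plan"
    fi
}

# Constructed sample values; without APPLY=1 nothing is changed.
apply_plan cpu 70 90
apply_plan mem 60 85
```

Review the printed commands first, then rerun with APPLY=1 on the gateway to apply them.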

 
©2015 Check Point Software Technologies Ltd. All rights reserved.