IPS Protections

In This Section:

Protection Browser

Protection Types

Browsing IPS Protections

Activating Protections

Editing Core IPS Protections

Updating IPS Protections

Protection Browser

The Protection browser shows the Threat Prevention Software Blades protection types and a summary of important information and usage indicators.

These are some of the default columns in the IPS protections summary table.

| Column | Description |
|---|---|
| Protection | Name of the protection. A description of the protection type is shown in the bottom section of the pane. |
| Industry Reference | International CVE or CVE candidate name for attack. |
| Performance Impact | How this protection affects the performance of a Security Gateway. If possible, shows an exact figure. |
| Severity | Probable severity of a successful attack on your environment. |
| Confidence Level | How confident IPS is in recognizing the attack. |
| profile_name | The Activation setting for the protection for each IPS profile. |

Severity

You should activate protections of Critical and High Severity, unless you are sure that you do not want the specified protection activated.

For example, if a protection has a rating of Severity: High, and Performance Impact: Critical, make sure that the protection is necessary for your environment before you activate the protection.

Confidence Level

Some attack types are less severe than others, and legitimate traffic may sometimes be mistakenly recognized as a threat. The confidence level value shows how well the specified protection can correctly recognize the specified attack.

The Confidence parameter can help you troubleshoot connectivity issues with the firewall. If legitimate traffic is blocked by a protection, and the protection has a Confidence level of Low, you have a good indication that more granular configurations might be required on this protection.

Performance Impact

Some protections require the use of more resources or apply to common types of traffic, which adversely affects the performance of the gateways on which they are activated.

Note - The Performance Impact of protections is rated based on how they affect gateways of the R80.10 version. The Performance Impact on other gateways may be different than the rating listed on the protection.

For example, you might want to make sure that protections that have a Critical or High Performance Impact are not activated unless they have a Critical or High Severity, or you know the protection is necessary.

If your gateways experience heavy traffic load, be careful about activating High/Critical Performance Impact protections on profiles that affect a large number of mixed (client and server) computers.

Use the value of this parameter to set an optimal protection profile, in order to prevent overload on the gateway resources.
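The Severity, Confidence Level and Performance Impact guidance above can be applied as a review pass over a list of protections. The following Python code is an added example, not Check Point code: the CSV column names, the Low and Medium rating values, and the sample rows are constructed assumptions for illustration.

```python
import csv
import io

# Rating scale: Critical and High are named on the page; Low/Medium are assumed.
RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample rows; the column names are assumptions, not an export format.
SAMPLE = """protection,severity,confidence,performance_impact,action
Constructed Web Overflow,Critical,High,Low,Inactive
Constructed Scan Heuristic,Medium,Low,Medium,Prevent
Constructed Deep Decode,Medium,High,Critical,Prevent
Constructed SMB Exploit,High,High,Critical,Prevent
Constructed Info Leak,Low,Medium,Low,Detect
"""

def high(value):
    """True for ratings of High or Critical."""
    return RANK[value] >= RANK["High"]

def review(row):
    """Return the review notes the guidance above implies for one protection."""
    notes = []
    active = row["action"] in ("Prevent", "Detect")
    sev, perf = high(row["severity"]), high(row["performance_impact"])
    if sev and not active:
        notes.append("high-severity protection inactive: activate or record why not")
    if active and perf and not sev:
        notes.append("costly protection without high severity: confirm it is needed")
    if active and perf and sev:
        notes.append("severe and costly: confirm it is necessary for this environment")
    if row["action"] == "Prevent" and row["confidence"] == "Low":
        notes.append("low confidence in Prevent: check first if legitimate traffic is blocked")
    return notes

def audit(csv_text):
    """Map protection name -> notes, only for protections that need a second look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        notes = review(row)
        if notes:
            findings[row["protection"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit(SAMPLE).items():
        for note in notes:
            print(f"{name}: {note}")
```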

Protection Types

The IPS protections are divided into two main types:

Browsing IPS Protections

The IPS Protections summary lets you quickly browse all IPS protections and their settings.

To show IPS protections:

  1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
  2. In the Threat Tools section, click IPS Protections.

You can search the Protections page by protection name, engine, or by any information type that is shown in the columns.

To filter the protections:

  1. From the IPS Protections window, click the Filter icon.

    The Filters pane opens and shows IPS protections categories.

  2. To add more categories:
    1. Click the Add filter button.

      A window opens and shows the IPS protections categories.

    2. Click the category.

      The category is added to the Filters pane.

  3. Click one or more filters to apply to the IPS protections.
  4. To show all suggested filters in a category, click View All.

To sort the protections list by information:

Click the column header of the information you want.

Activating Protections

Each profile is a set of activated protections and instructions for what IPS does if traffic inspection matches an activated protection. The procedures in this section explain how to change the action for a specified protection.

Activating Protections for All Profiles

To manually activate a protection in all profiles:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click IPS Protections.

    The IPS Protections page opens.

  3. Right-click on the protection and select the action that you want to apply to all the Threat Prevention profiles.

    Make sure that the action is on all profiles.

  4. Click OK and close the Threat Prevention profile window.
  5. Install Policy.

Activating Protections for a Specified Profile

To manually activate a protection for a specific profile:

  1. In the Protections Browser, find the protection to activate.
  2. Click Edit.
  3. Select the profile to activate for this protection.
  4. Click Edit.

    You can activate the protection for one profile and deactivate it for another profile. It will be active for some gateways and inactive for others.

    If the protection is inactive according to the policy, you can override the policy preference or change the policy criteria.

    To override the settings for this one protection, continue with this procedure.

  5. Click Override with.
  6. Select the action to apply:
    • Prevent: Activate IPS inspection for this protection and run active preventions on the gateways to which this profile is assigned.
    • Detect: Activate IPS inspection for this protection, tracking related traffic and events.
    • Inactive: Do not enforce this protection.
  7. Configure the Logging settings:
    • Track: Define how administrators get notifications (log, alert, mail, or other options).
    • Capture Packets: Captures packets relevant to the protection for further analysis.
  8. Install Policy.

Removing Activation Overrides

You can remove the manually activated IPS protections and restore them to the profile settings. You can remove overrides on one protection, on selected protections or on all protections at the same time.

To remove IPS protection overrides on selected protections:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click IPS Protections.

    The IPS Protections page opens.

  3. Click the protections in the applicable profile column.

    Note - Press CTRL to select more than one protection.

  4. Right-click the highlighted cell or cells and select Restore to profile settings.
  5. Select All Profiles or Displayed Profiles.

    A warning message opens.

  6. Click Yes.
  7. Install Policy.

To remove IPS protection overrides from all protections:

  1. In the IPS Protections page, go to Actions and select Profile Cleanup.

    The Profile Cleanup window opens.

  2. In the Action area, select Remove all user modified, Clear all staging, or both.
  3. In the Select Profiles area, select the profiles on which to operate these actions.
  4. Click OK.
  5. Install Policy.

Editing Core IPS Protections

To edit core protections:

  1. Go to Security Policies > Threat Prevention > Threat Tools > IPS Protections.

    Note - To filter for core protections, select Type Core in the Filters pane.

  2. Right-click a core protection and select Edit.
  3. Configure the required settings.
  4. Install the Access Control policy.

Updating IPS Protections

Check Point constantly develops and improves its protections against the latest threats. You can immediately update IPS with real-time information on attacks and all the latest protections. You can manually update the IPS protections and also set a schedule when updates are automatically downloaded and installed. IPS protections include many protections that can help manage the threats against your network. Make sure that you understand the complexity of the IPS protections before you manually modify the settings.

Note - To enforce the IPS updates, you must install policy.

To update IPS Protections:

  1. In SmartConsole, click Security Policies > Threat Prevention.
  2. In the Threat Tools section, click Updates.
  3. In the IPS section > Update Now, from the drop-down menu, select:
    • Download using SmartConsole (if your Security Management Server has no internet access), or
    • Download using Security Management Server.
  4. Install Policy.

Manually Updating IPS Protections

To manually update IPS Protections:

  1. In SmartConsole, click Security Policies > Threat Prevention.
  2. In the Threat Tools section, click Updates.
  3. In the IPS section > Update Now, click the drop-down menu.
  4. Select Offline Update.

    The file directory opens.

  5. Select the required file for the update and click Open.
  6. Install Policy.

Reverting to an Earlier IPS Protection Package

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

To revert to an earlier protection package:

  1. In the IPS section of the Threat Prevention Updates page, click Switch to version.
  2. In the window that opens, select an IPS Package Version, and click OK.
  3. Install Policy.

Scheduling IPS Updates

You can configure a schedule for downloading the latest IPS protections and protection descriptions.

Reviewing New Protections

To see newly downloaded protections:

  1. In SmartConsole, click Security Policies > Threat Prevention.
  2. In the Threat Tools section, click IPS Protections.
  3. Sort the protections by Update Date to see the latest protections.