IPS Protections

Protection Browser

The Protection browser shows the Threat Prevention Software Blades protection types and a summary of important information and usage indicators.

These are some of the default columns in the IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protections summary table.

Severity

You should activate protections of Critical and High Severity, unless you are sure that you do not want the specified protection activated.

For example, if a protection has a rating of Severity: High, and Performance Impact: Critical, make sure that the protection is necessary for your environment before you activate the protection.

Confidence Level

Some attack types are less severe than others, and legitimate traffic may sometimes be mistakenly recognized as a threat. The confidence level value shows how well the specified protection can correctly recognize the specified attack.

The Confidence parameter can help you troubleshoot connectivity issues with the firewall. If legitimate traffic is blocked by a protection, and the protection has a Confidence level of Low, you have a good indication that more granular configurations might be required on this protection.

Performance Impact

Some protections require the use of more resources or apply to common types of traffic, which adversely affects the performance of the gateways on which they are activated.

Note - The Performance Impact of protections is rated based on how they affect gateways of the R80.30 version. The Performance Impact on other gateways may be different than the rating listed on the protection.

For example, you might want to make sure that protections that have a Critical or High Performance Impact are not activated unless they have a Critical or High Severity, or you know the protection is necessary.

If your gateways experience heavy traffic load, be careful about activating High/Critical Performance Impact protections on profiles that affect a large number of mixed (client and server) computers.

Use the value of this parameter to set an optimal protection profile, in order to prevent overload on the gateway resources.

Protection Types

The IPS protections are divided into two main types:

  • Core protections - These protections are included in the product and are assigned per gateway. They are part of the Access Control policy.

  • ThreatCloud protections - Updated from the Check Point cloud, (see Updating IPS Protections). These protections are part of the Threat Prevention policy.

Browsing IPS Protections

The IPS Protections summary lets you quickly browse all IPS protections and their settings.

You can search the Protections page by protection name, engine, or by any information type that is shown in the columns.

To sort the protections list by information

Click the column header of the information you want.

Activating Protections

Each profile is a set of activated protections and instructions for what IPS does if traffic inspection matches an activated protection. The procedures in this section explain how to change the action for a specified protection.

Activating Protections for All Profiles

To manually activate a protection in all profiles:

Step

Instructions

1

In SmartConsole, select Security Policies > Threat Prevention.

2

From the Custom Policy Tools section, click IPS Protections.

The IPS Protections page opens.

3

Right-click on the protection and select the action that you want to apply to all the Threat Prevention profiles.

Make sure that the action is on all profiles.

4

Click OK, and close the Threat Prevention profile window.

5

Click Install Policy.

Activating Protections for a Specified Profile

Removing Activation Overrides

You can remove the manually activated IPS protections and restore them to the profile settings. You can remove overrides on one protection, on selected protections or on all protections at the same time.

Editing Core IPS Protections

Updating IPS Protections

Check Point constantly develops and improves its protections against the latest threats. You can immediately update IPS with real-time information on attacks and all the latest protections. You can manually update the IPS protections and also set a schedule when updates are automatically downloaded and installed. IPS protections include many protections that can help manage the threats against your network. Make sure that you understand the complexity of the IPS protections before you manually modify the settings.

Notes:

Note - From R77.20, IPS purge runs automatically after every IPS update. The Security Management Server saves only the versions from the last 30 days, and deletes the others.

Scheduling IPS Updates

You can configure a schedule for downloading the latest IPS protections and protection descriptions, (see Threat Prevention Scheduled Updates).

Reverting to an Earlier IPS Protection Package

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

Reviewing New Protections

IPS Protections Follow Up

The follow up mark lets you monitor specific IPS protections according to your selection. After you select the protections you want to monitor, you can filter for them in the IPS Protections page and not have to search for them again.

You can mark individual protections for follow up or mark all updated protections for follow up in the IPS Updates page.

Manually Marking Protections for Follow Up

You can mark individual protections for Follow Up, which lets you quickly review the identified protections in the IPS Protections page. To make the Follow Up feature efficient, make sure to keep the list of marked protections as short as possible.

Mark newly downloaded protections and any protection that you want to monitor, but remember to remove protections from this list when you are more confident that you configured them in the best way for your environment, for now. The longer the Follow Up list is, the more difficult it is to use it as a workable task list

To manually mark protections for follow up:

In the IPS Protections page, select one or more protections, right-click and select Follow Protection from the menu.

To unmark the protection, right-click the protection and clear Follow Protection.

Each time the IPS protections are updated, they will be automatically marked for follow up. To unmark the protections for follow up, click Unfollow Protections. To unmark all marked protections, go to Actions > Cleanup Options > Remove All Follow Up Flags.

Automatically Marking New Protections for Follow Up

Check Point provides new and updated protections as they become available, (see Updating IPS Protections). To give you complete control over the process of integrating new IPS protections, you can have them automatically marked for Follow Up, which gives you time to evaluate the impact the protections have on your environment.