Configuring IPS Profile Settings

| Step | Instructions |
|---|---|
| 1 | In SmartConsole, select Security Policies > Threat Prevention. |
| 2 | From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
| 3 | Right-click the profile, and click Edit. |
| 4 | From the navigation tree, click IPS > Additional Activation. |
| 5 | Configure the customized protections for the profile. (See Additional Activation Fields). |
| 6 | From the navigation tree, click IPS > Pre-R80 Settings. |
| 7 | Configure the settings for newly downloaded IPS protections. (See Updates). |
| 8 | Note - These categories are different from the protections in the Additional Activation page. |
| 9 | Click OK. |
| 10 | Click Install Policy. |

Additional Activation Fields
For additional granularity, in the Additional Activation section of the Profile configuration window, you can select IPS protections to activate and to deactivate. The IPS protections are arranged into tags (categories) such as Product, Vendor, Threat Year, and others, for ease of search. The gateways enforce activated protections, and do not enforce deactivated protections, regardless of the general profile protection settings.
- Activate IPS protections according to the following additional properties - When selected, the categories configured on this page modify the profile's IPS protections.
- Protections to activate - The IPS protection categories in this section are enabled on the Security Gateways that use this Threat Prevention profile.
- Protections to deactivate - The IPS protection categories in this section are NOT enabled on the Security Gateways that use this Threat Prevention profile.

These categories only filter out or add protections that comply with the activation mode thresholds (Confidence, Severity, Performance).
For example, if a protection is inactive because of its Performance rating, it is not enabled even if its category is in Protections to activate.

Updates
There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.
In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the IPS > Updates page in the Profiles navigation tree.

- Active - According to profile settings - Selected by default. Protections are activated according to the settings in the General page of the Profile. This is the Check Point recommended configuration.
- Set activation as staging mode - Newly updated protections remain in staging mode until you change their configuration. The default action for protections in staging mode is Detect (a UserCheck rule action that allows traffic and files to enter the internal network and logs them). You can change the action manually in the IPS Protections page (see Activating Protections). Click Configure to exclude specific protections from staging mode.
- Inactive - Newly updated protections are not activated.

Best Practice - In the beginning, allow IPS to activate protections based on the IPS policy. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.
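
The Additional Activation and Updates settings above can be reviewed offline once a profile is exported. The following is an added example, not Check Point code: it audits one profile and reports the settings that reduce or delay enforcement. The dictionary key names and the sample profile are assumptions constructed for this example.

```python
# Added example (not Check Point code). Key names in the profile dict are
# assumptions; map them to the fields of your own profile export.

def _tags(items):
    """Normalize [{'category': 'Vendor', 'name': 'X'}, ...] to a set of tuples."""
    return {(i["category"], i["name"]) for i in items}

def audit_ips_profile(profile):
    """Return (area, message) findings for the IPS settings this page describes."""
    findings = []
    # Updates policy for newly updated protections: active / staging / inactive.
    updates = profile.get("ips-settings", {}).get("newly-updated-protections", "active")
    if updates == "inactive":
        findings.append(("updates", "newly updated protections are not activated"))
    elif updates == "staging":
        findings.append(("updates", "newly updated protections stay in Detect until reviewed"))

    activate = _tags(profile.get("activate-protections-by-extended-attributes", []))
    deactivate = _tags(profile.get("deactivate-protections-by-extended-attributes", []))
    if not profile.get("use-extended-attributes", False):
        # The categories modify the profile only when the option is selected.
        if activate or deactivate:
            findings.append(("additional-activation", "categories listed but option not selected"))
        return findings
    for category, name in sorted(deactivate):
        findings.append(("deactivate", f"{category}={name}: not enforced on gateways using this profile"))
    for category, name in sorted(activate & deactivate):
        # The page does not define precedence, so flag the overlap for review.
        findings.append(("conflict", f"{category}={name} is in both lists"))
    if activate:
        findings.append(("activate", "still gated by Confidence, Severity and Performance thresholds"))
    return findings

# Constructed sample profile (not real data).
SAMPLE_PROFILE = {
    "name": "Branch-Office-Profile",
    "ips-settings": {"newly-updated-protections": "staging"},
    "use-extended-attributes": True,
    "activate-protections-by-extended-attributes": [
        {"category": "Vendor", "name": "ExampleVendor"},
        {"category": "Threat Year", "name": "2015"},
    ],
    "deactivate-protections-by-extended-attributes": [
        {"category": "Threat Year", "name": "2015"},
        {"category": "Product", "name": "ExampleProduct"},
    ],
}

if __name__ == "__main__":
    for area, message in audit_ips_profile(SAMPLE_PROFILE):
        print(f"[{area}] {message}")
```

A category that appears in both lists is reported as a conflict rather than resolved, because the page does not state which list takes precedence.
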
Pre-R80 Settings
The Pre-R80 Settings are relevant for the pre-R80 gateways only.
Protections Activation

- Client Protections - Select to activate protections that protect only clients (for example, personal computers).
- Server Protections - Select to activate protections that protect only servers.

If a network has only clients or only servers, you can enhance gateway performance by deactivating protections. If you select Client Protections and Server Protections, all protections are activated, except for those that are:

- Excluded by the options selected here
- Application Controls or Engine Settings
- Defined as Performance Impact - Critical

Excluded Protections Categories
Do not activate protections of the following categories - The IPS protection categories you select here are not automatically activated. They are excluded from the Threat Prevention policy rule that has this profile in the action of the Rule Base.