IPS Protections

Protection Browser

The Protection browser displays the available IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protection types, along with a summary of key information and usage indicators.

These are some of the default columns in the IPS protections summary table.

Column	Description
Protection	Name of the protection. A description of the protection type appears in the bottom section of the pane.
Industry Reference	International CVE or CVE candidate name associated with the attack.
Performance Impact	Indicates how the protection affects Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. performance. If available, shows an exact figure. Some protections require more resources or apply to common traffic types, which can negatively affect Security Gateways performance. For example, if your Security Gateways experience a heavy traffic load, be cautious about activating High or Critical Performance Impact protections on profiles that affect a large number of mixed (client and server) devices.
Severity	Indicates the probable severity of a successful attack on your environment. You should generally activate protections with Critical or High Severity, unless you are sure that the protections are not needed. For example, if a protection is rated with High Severity and Critical Performance Impact, evaluate its necessity for your environment before activating it.
Confidence Level	Indicates how accurately IPS identifies the attack. A Low Confidence Level increases the chance of false positives, which can lead to connectivity issues, such as blocked applications or disrupted services. Review protections with a Low Confidence Level to troubleshoot these issues and adjust configurations as needed.
Profile_Name	The Action set for the protection in each IPS profile.

To add or remove columns from the IPS Protections view:

Right-click the table header, and select or clear the applicable columns.

To change the display of profile columns:

1. In the top tool bar of the IPS Protections view, select View > Show Profiles

   The Show Profiles window opens.

2. Select which profiles to display:

   • All IPS enabled profiles used in the Custom Threat Prevention policy, or

   • Specified IPS enabled profiles - Select the applicable profiles from the list.

Exporting the IPS Protections View

You can export the IPS Protections view to a csv file. SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. exports only the columns that are visible in the IPS Protections view at the time of export.

To export the IPS Protections view:

1. Go to Actions > Export view.

2. Select a location to save the exported file.

Protection Types

The IPS protections are divided into two main types:

• Core protections - These protections are included in the product and are assigned per gateway. They are part of the Access Control policy.

• ThreatCloud protections - Updated from the Check Point cloud (see Updating IPS Protections). These protections are part of the Threat Prevention policy.

Browsing IPS Protections

The IPS Protections summary lets you quickly browse all IPS protections and their settings.

You can search the IPS Protections page by protection name, engine, or by any information type that is shown in the columns.

To sort the protections list by information

Click the column header of the information you want.

Updating IPS Protections

Check Point constantly develops and improves its protections against the latest threats. You can immediately update IPS with real-time information on attacks and all the latest protections. You can manually update the IPS protections and also set a schedule when updates are automatically downloaded and installed. IPS protections include many protections that can help manage the threats against your network. Make sure that you understand the complexity of the IPS protections before you manually modify the settings.

Notes: To enforce the IPS updates, you must install the Threat Prevention Policy. When you assign or reassign a global configuration while an IPS update runs on a Domain, you may get an "Internal error occurred" error. To resolve this issue: Connect with SmartConsole to the Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.. Run the IPS update. Close the SmartConsole which is connected to the Domain Management Server. In the global SmartConsole, assign or reassign the global configuration.

Scheduling IPS Updates

You can configure a schedule for downloading the latest IPS protections and protection descriptions (see Threat Prevention Scheduled Updates - Custom Threat Prevention).

Reverting to an Earlier IPS Protection Package

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

Reviewing New Protections

IPS Protections Follow Up

The follow up mark lets you monitor specific IPS protections according to your selection. After you select the protections you want to monitor, you can filter for them in the IPS Protections page and not have to search for them again.

Manually Marking Protections for Follow Up

You can mark individual protections for Follow Up, which lets you quickly review the identified protections in the IPS Protections page. To make the Follow Up feature efficient, make sure to keep the list of marked protections as short as possible.

Mark newly downloaded protections and any protection that you want to monitor, but remember to remove protections from this list when you are more confident that you configured them in the best way for your environment. The longer the Follow Up list is, the more difficult it is to use it as a workable task list

To manually mark protections for follow up:

In the IPS Protections page, select one or more protections, right-click and select Follow Protection from the menu.

To unmark the protection, right-click the protection and clear Follow Protection.

Each time the IPS protections are updated, they are automatically marked for follow up. To unmark the protections for follow up, click Unfollow Protections. To unmark all marked protections, go to Actions > Cleanup Options > Remove All Follow Up Flags.

Note - You can add significant information about a protection in the protection's comment field. To add a comment to a protection, double-click a protection and enter you comment in the Enter Protection Comment field, below the protection's name. You can only add comments to ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. protections (and not Core protections). You can enter information such as the package version or date of update, which is useful because you can search for it at a later date.

Automatically Marking New Protections for Follow Up

Check Point provides new and updated protections as they become available (see Updating IPS Protections). To give you complete control over the process of integrating new IPS protections, you can have them automatically marked for Follow Up, which gives you time to evaluate the impact the protections have on your environment.