Policy Insights - Threat Prevention

1

Deactivated Blade

Security Gap Detection

Any Gateway Misconfiguration

Description

Identifies gateways where a threat prevention blade (Anti-Bot, Anti-Virus, IPS, Threat Emulation, Zero Phishing, Threat Extraction) is installed but not enabled in any active profile.

Severity

Level	Condition
HIGH	Blade not enabled in ANY profile across ALL layers
MEDIUM	Blade not in this layer but IS enabled in another layer

Confidence

HIGH — Direct policy analysis

Finding Example

The Anti-Bot blade is installed on gateway "GW-Paris" but is not enabled in any profile. This leaves your gateway without bot and command-and-control protection.

Remediations

Manual

Enable the blade in the appropriate profile and install policy.

2

Global Detect Mode

Blade Set to Detect Only

Any Gateway Misconfiguration

Description

Identifies gateways with blades set to "Detect only" mode (threats logged but not blocked) and exception rules set to Detect/Inactive that apply to all traffic.

Severity

Level	Condition
HIGH	Gateway blade in DETECT_ONLY mode or exception applies to all traffic

Finding Example

The IPS activation mode on security gateway "FW-Main" is set to Detect only. In this mode, threats are logged but not actually blocked.

Remediations

Manual

Change the blade activation mode from "Detect Only" to "Prevent".

3

IPS Staging Mode

New Protections in Detect Mode

Any Gateway Misconfiguration

Description

Identifies profiles using IPS Staging mode for extended periods. Newly updated protections run in detect-only mode instead of actively preventing threats.

Severity

Level	Condition
MEDIUM	Part of the Profiles using IPS Staging mode
HIGH	All Profiles in layer using IPS Staging mode

Finding Example

The profile "Production-Web" sets new IPS protections to "Detect mode". This may reduce security and allow zero-day attacks to bypass the security gateway without inspection.

Remediations

Automatic

Switch from Staging to Active mode.

set-threat-profile {"uid": "...", "ips-settings": {"newly-updated-protections": "Active"}}

4

Blade Exception Not at Top

Exception Ordering Optimization

Any Gateway Policy Optimization

Description

Identifies threat prevention exceptions not optimally positioned at the top. Reduces connection acceleration performance.

Severity

Level	Condition
LOW	All cases (performance optimization)

Finding Example

Blade Exception no. 5 ("excep test") in "cluster_exceptions" group for IPS and Anti-Virus blades is not located at the top of the Global exceptions, which reduces connection acceleration.

Remediations

Automatic

Move the exception to the top.

set-threat-exception {"uid": "...", "position": "top"}

5

Frequently Matched Exception

Exception with High Match Count

R82.10+ Policy Optimization

Description

Identifies blade exceptions frequently matched with DETECT/INACTIVE actions, and IPS overrides with low match counts (potential real attacks).

Severity

Type	Level	Condition
Blade Exception	HIGH	≥50,000 matches OR any rule
Blade Exception	MEDIUM	≥20,000 matches
Override	HIGH	≤5 matches (potential attack)
Override	MEDIUM	≤20 matches

Finding Example

The "Apache Log4j Remote Code Execution (CVE-2021-44228)" IPS protection (associated with CVE-2021-44228) has a Detect override in profile "Production-Web". 3 incidents were detected in the last 2 weeks, suggesting this may be a real attack being logged but not prevented. This protection has severity "Critical".

Remediations

Automatic

Re-enable the protection by deleting the override.

set-threat-protection {"uid": "...", "overrides": {"remove": "ProfileName"}}

6

IPS Override Without Track

Protection Override with No Logging

Any Gateway Misconfiguration

Description

Identifies IPS protections with override settings that have track="none". No logs generated, reducing threat visibility.

Severity

Level	Condition
LOW – MEDIUM	Based on protection performance impact level

Finding Example

The "SQL Injection Attack" IPS protection is configured with an override, and the "Track" setting is set to "None" in the following profiles: "Production-Web", "DMZ-Policy", "External-Facing".

Remediations

Automatic – Enable Logging

Change Track to "Log".

set-threat-protection {"uid": "...", "overrides": [{"profile": "...", "track": "log"}]}

Automatic – Disable Protection

Change Override's action to "Inactive"

set-threat-protection {"uid": "...", "overrides": [{"profile": "...", "action": "Inactive", "track": "none"}]}

7

Adaptive IPS (High CPU)

Protection Causing High CPU

R82+ Profile Tuning

Description

Identifies IPS protections causing high CPU utilization (via Adaptive IPS Report logs) with no blocked traffic. Requires R82.10+ for Adaptive IPS feature.

Severity

Level	Condition
HIGH	High CPU, no prevent logs, Adaptive IPS not working
MEDIUM	Adaptive IPS already took action

Finding Example

Gateway "GW-Main" experienced high CPU from IPS protection "HTTP Header Injection". No traffic blocked in 3 months.

Remediations

Automatic – Enable Adaptive IPS

Auto-disable high-CPU protections during load.

set-generic-object {"uid": "...", "isBypassSdUnderLoad": "true"}

Automatic – Disable Protection

Disable "SSL Heartbleed Attack" IPS protection in the profiles assigned to this gateway: "Optimized".

set-threat-protection {"name": "...", "overrides": { .. "action": "Inactive" }

8

Heavy Protections by PM Stats

Critical Performance Impact

Any Gateway Profile Tuning

Description

Identifies IPS protections with critical performance impact from Pattern Matcher (PM) statistics. Tier 1 high execution time (>60s), LSS-only high prequeue (>1B).

Severity

Level	Condition
HIGH	All cases – critical impact, no prevent logs

Finding Example

The "Microsoft SMB Remote Code Execution" IPS protection has a critical performance impact on your system, based on its metadata and real-time statistics. This protection has not generated any "Prevent" logs over the last 6 months.

Remediations

Automatic

Disable protection to improve performance.

set-threat-protection {"uid": "...", "overrides": [{"profile": "...", "action": "Inactive"}]}

9

Outdated IPS Protection

Legacy Protection with No Activity

Any Gateway Profile Tuning

Description

Identifies IPS protections released 7+ years ago targeting legacy vulnerabilities with no logs. Limited to top 10% (max 10) per run.

Severity

Level	Condition
MEDIUM	15+ years old OR in cpdiag OR 10-15 years old
LOW	7-10 years old, no other factors

Finding Example

The "Microsoft IIS WebDAV Buffer Overflow (MS03-007)" IPS protection was last updated in 2009. No logs in 6 months.

Remediations

Automatic

Disable the outdated protection.

set-threat-protection {"uid": "...", "overrides": [{"profile": "...", "action": "Inactive"}]}

Manual

Disable all protection from this year (by IPS tags).

10

Unused Detect Override

Detect Override with No/Few Logs

Any Gateway Profile Tuning

Description

Identifies DETECT overrides that may be security gaps – protections that should be in PREVENT mode. Candidates: 0 logs or ≤5 logs in 2 weeks.

Severity

Protection Severity	Logs (2 weeks)	Insight
High/Critical	1-5 logs	HIGH
High/Critical	0 logs	MEDIUM
Medium	0-5	MEDIUM
Low	0-5	LOW

Finding Example

The "Apache Log4j RCE" IPS protection has Detect override. 3 incidents detected in 2 weeks – may be real attack not prevented.

Remediations

Automatic

Restore to Prevent mode.

set-threat-protection {"uid": "...", "overrides": {"remove": ["ProfileName"]}}

Manual

If this protection was set to Detect for testing purposes, consider restoring it to Prevent mode to ensure full protection. If the override was set due to false positives, verify the issue has been resolved before removing the override.

11

Unused/Reused Port IPS

Port-Based IPS Optimization

R82.10+ Profile Tuning

Description

Unused Ports: Blocked by Access Control but still have IPS – add exceptions.
Reused Ports: Previously unused now active with IPS exceptions – remove exceptions.

Severity

Type	Level	Reason
Unused Port	MEDIUM	Performance optimization
Reused Port	HIGH	Security gap – bypassing IPS

Finding Example

Unused: Gateway "GW-Main" has IPS on ports 8080, 8443 blocked by Access Control. Add exception to reduce CPU. Reused: Gateway has IPS exceptions for ports 443, 8080 now in use. Remove exceptions to restore protection.

Remediations

Automatic – Add Exception (Unused)

Add IPS exception for unused ports.

add-threat-exception {"layer": "...", "position": "top", ...}

Manual – Remove Exception (Reused)

Remove IPS exception to restore protection.