Thursday, March 15, 2018

R80.10 IPS Protections in Detect

With R80.10, the new default profile "Optimized" puts every newly downloaded IPS protection into the state "Detect (Staging)" or "Inactive".

1. We start with the general page. Its settings determine whether a protection should be in Detect, Prevent, or Inactive.

2. Then, in the "Updates" page, we see that newly downloaded protections are automatically set to "Detect". This means that:
  1. If a newly downloaded protection was supposed to be in "prevent", it will be set as "detect (staging)".
  2. If a newly downloaded protection was supposed to be in "detect", it will be set as "detect (staging)".
  3. If a newly downloaded protection was supposed to be in "inactive", it will remain inactive.

3. Sometimes an IPS update modifies an existing protection. In this case, the updated protection goes back to the "newly downloaded protection" state, which again leaves it in either "Detect (Staging)" or "Inactive".

It is important to keep this in mind, because it means you have to manage your staging protections yourself; otherwise they will not be in Prevent mode.

You can do that either from:

1. The IPS Protections page, filtered by the "Staging" status

2. The logs that appear in the query page for "IPS --> Staging"

You can also automate some of this work:

1. Apply additional configuration that excludes some protections from the "Detect (Staging)" status, leaving them in Prevent, Detect, or Inactive.

2. Automatically change protections to Inactive based on tags.

3. Using the show threat-protections and set threat-protection API commands, you can build an automatic reaction that changes the action from "Detect (Staging)" to "Prevent" or "Inactive" based on custom decision factors, for example:

set threat-protection name "Aggressive Aging" overrides.remove.1 "New profile 1" overrides.remove.2 "New Profile 2"
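As an added example (not Check Point's code), the script below shows the "custom decision factors" part of such a reaction: it takes records shaped like the output of show threat-protections, picks out the ones still in "Detect (Staging)" for the Optimized profile, decides Prevent or Inactive from severity, confidence and performance impact, and builds the set threat-protection bodies. The record key names, the "Detect (Staging)" action string and the "overrides" layout are assumptions to be checked against your own API output; the sample records are constructed.

```python
PROFILE = "Optimized"  # the profile whose staging protections we manage

# Constructed sample records shaped like "show threat-protections" output.
# Key names and the "Detect (Staging)" action string are assumptions;
# check them against the API output of your own management server.
SAMPLE_PROTECTIONS = [
    {"name": "Example Protection A", "severity": "Critical",
     "confidence-level": "High", "performance-impact": "Low",
     "profiles": [{"profile": {"name": PROFILE}, "final": {"action": "Detect (Staging)"}}]},
    {"name": "Example Protection B", "severity": "Medium",
     "confidence-level": "Low", "performance-impact": "Low",
     "profiles": [{"profile": {"name": PROFILE}, "final": {"action": "Detect (Staging)"}}]},
    {"name": "Example Protection C", "severity": "High",
     "confidence-level": "High", "performance-impact": "Critical",
     "profiles": [{"profile": {"name": PROFILE}, "final": {"action": "Detect (Staging)"}}]},
]

def is_staging(protection, profile):
    # True when the protection's final action in this profile is Detect (Staging)
    for entry in protection.get("profiles", []):
        if entry["profile"]["name"] == profile:
            return entry["final"]["action"].lower().startswith("detect (staging")
    return False

def decide_action(protection):
    # Custom decision factors: Critical performance impact -> inactive;
    # High/Critical severity with High confidence -> prevent;
    # anything else -> None, i.e. leave it in staging for manual review.
    if protection["performance-impact"] == "Critical":
        return "inactive"
    if protection["severity"] in ("High", "Critical") and protection["confidence-level"] == "High":
        return "prevent"
    return None

def set_request_body(name, profile, action):
    # Body for "set threat-protection" adding one per-profile override
    # (the "overrides" layout is an assumption; compare with the API reference).
    return {"name": name, "overrides": [{"profile": profile, "action": action,
                                         "track": "log", "capture-packets": False}]}

def plan_overrides(protections, profile=PROFILE):
    # One set-threat-protection body per staging protection that got a decision
    plan = []
    for p in protections:
        action = decide_action(p) if is_staging(p, profile) else None
        if action:
            plan.append(set_request_body(p["name"], profile, action))
    return plan
```

Each body returned by plan_overrides is what you would send to set threat-protection (via the web API or mgmt_cli) after show threat-protections has supplied the real records; protections that get no decision stay in staging for a human to review.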

Keeping threats from impacting your organization doesn’t have to be challenging! Join Threat Prevention Expert Nick McKerral to learn how to implement Threat Prevention Best Practices using Check Point Infinity:

  • Learn how to activate the IPS, AB, AV blades in R80.10
  • Learn how to activate and utilize Threat Emulation and Extraction to protect web and email
  • Learn all about Check Point’s new inline threat extraction capabilities
  • Learn about SandBlast Agent with browser-based Threat Emulation, Extraction, Anti-phishing, domain credential protection capabilities, and more!

Answers to questions we did not get to during the session will be summarized and answered below.