Recommended and Default Profile



dawsicheckpoint
2015-11-06, 07:12
Hi, unfortunately I have come across a client that has modified the default / Recommended profiles directly.

Is there a way to revert back to what the CheckPoint recommendations are?

Cory Webb
2015-11-06, 19:24
The easiest way would be to create a new profile and then just copy the config from demo mode, but why would you want to revert back to the recommended protections? For IPS you really should have it configured to what's best suited for the environment. Is there any particular reason for reverting?

jflemingeds
2015-11-06, 22:00
My money is on debugging high cpu related to IPS.

Cory Webb
2015-11-07, 01:32
My money is on debugging high cpu related to IPS.

If I were a betting man I'd say so too, and if that is why, dawsicheckpoint, then I wouldn't bother with trying to revert, because the default and recommended profiles use prevent/detect for all protections respectively, which uses about the same amount of CPU processing power, so you'd still need to figure out which ones you could possibly turn off....

evanc
2015-11-10, 04:48
The best approach would be to tell IPS what applications are crucial in your network and also include protective measures (DoS etc.). That way all the non-related protections won't ever be in effect (such as Novell or Symantec, if that is not in your network, for example).

PhoneBoy
2015-11-10, 18:19
The performance benefit you gain from tuning IPS signatures is pretty minimal when you consider most of the overhead comes from enabling IPS.
In large customers in particular, the security team often has no idea what servers are to be “protected” as the applications group is another silo and there's no communication.
The problem only gets worse when you add virtualization into the mix where servers can be spun up/down quickly often with no communication to the security team.
Not to say you shouldn't tune your IPS--you need to handle false positives and the like--but it should be viewed as a continual process, not a "once and done" activity.