CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: IPS Gateway Protection Scope expected behavior, R75.40

  1. #1
    Join Date
    2009-04-27
    Posts
    15
    Rep Power
    0

    IPS Gateway Protection Scope expected behavior, R75.40

    Hello,

    according to the R75.40 IPS Administration Guide, the setting:

    Protect internal hosts only: if you have configured the Topology for your gateway in the gateway's properties, the gateway will only inspect traffic passing from the external interface to an internal interface.

    should result in IPS ignoring network traffic directed to an internal interface, when coming from another internal interface. However I'm observing a lot of log entries, including IPS deny, related to private IPs belonging to internal networks for both source and destination.

    Is this the expected behavior or is there something wrong in my configuration?

    I tend to exclude possible IPS bugs, as the supposed problem is so macroscopic to the point someone else should have detected this leaving some tracks somewhere. I found none.

    Thank you for answering,

  2. #2
    Join Date
    2012-04-22
    Posts
    5
    Rep Power
    0

    Re: IPS Gateway Protection Scope expected behavior, R75.40

    Hi,

    This is an expected behavior.
    When protecting hosts only, we also inspect internal to internal traffic, since the “victim” is still an internal host.

    thanks,

    Uriel

  3. #3
    Join Date
    2009-04-27
    Posts
    15
    Rep Power
    0

    Re: IPS Gateway Protection Scope expected behavior, R75.40

    "This is an expected behavior.
    When protecting hosts only, we also inspect internal to internal traffic, since the “victim” is still an internal host."


    Nope. This is CP's answer to this case:

    "The definition in help section and manual is consistent. If you choose internal host only, then it will protect the traffic from outside of external interface. However, you claimed that you see IPS logs showing inspection between internals and it should not work like this. Would you mind to share the logs from tracker and the screenshot of your topology?"
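
One way to prepare the evidence requested in the reply quoted above, as an added example that is not part of the thread and not Check Point tooling: it classifies each IPS log row by the gateway's topology definition rather than by whether the address is private. The CSV layout, interface names, address ranges and protection names are constructed assumptions.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed topology: role of each interface and the networks behind it,
# as they would be entered in the gateway's Topology (names/ranges made up).
TOPOLOGY = {
    "eth0": ("external", []),  # everything not listed behind an internal interface
    "eth1": ("internal", [ip_network("10.1.0.0/16")]),
    "eth2": ("internal", [ip_network("192.168.50.0/24")]),
}

# Constructed log export (hypothetical CSV layout, not a real tracker format).
SAMPLE_LOG = """src,dst,action,protection
203.0.113.7,10.1.4.20,Prevent,Sample protection A
10.1.4.20,192.168.50.9,Prevent,Sample protection B
192.168.50.9,10.1.7.1,Detect,Sample protection B
10.1.4.20,198.51.100.3,Detect,Sample protection C
172.16.9.5,10.1.4.20,Prevent,Sample protection A
"""

def side(addr):
    """'internal' if addr is behind an interface marked internal, else 'external'."""
    ip = ip_address(addr)
    for role, nets in TOPOLOGY.values():
        if role == "internal" and any(ip in n for n in nets):
            return "internal"
    return "external"  # private but undefined ranges (172.16.9.5) land here

def classify(log_text):
    """Count IPS log rows per (source side, destination side) pair."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[(side(row["src"]), side(row["dst"]))] += 1
    return counts

def out_of_scope(log_text):
    """Rows that are not external -> internal, i.e. outside the guide's wording."""
    return [r for r in csv.DictReader(io.StringIO(log_text))
            if (side(r["src"]), side(r["dst"])) != ("external", "internal")]

if __name__ == "__main__":
    for (src, dst), n in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:>8} -> {dst:<8} {n}")
    for r in out_of_scope(SAMPLE_LOG):
        print("outside stated scope:", r["src"], "->", r["dst"], r["action"])
```

Rows reported by `out_of_scope` are the ones to attach alongside the topology screenshot, since they are the entries whose source and destination sides do not match the external-to-internal direction in the guide's definition.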
