CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Deploying IPS blade in Prevent mode

  1. #1
    Deploying IPS blade in Prevent mode

    Hi Team,

    I'm running a cluster setup with R77.30 GAIA and recently bought an IPS license. Can somebody advise me on the phases to deploy the IPS which will prevent any kind of unknown outages?
    By phases I mean monitoring for XYZ days, fine tuning and then prevent mode.
    Can somebody tell me what needs to be monitored in the initial days and what kind of fine tuning is required on the configuration?

  2. #2
    Re: Deploying IPS blade in Prevent mode


    Is a pretty good starting point.

    If concerned about CPU load

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk43733&partition=Advanced&product=IPS

    Is pretty useful

  3. #3
    Re: Deploying IPS blade in Prevent mode

    Hi Mcnallym,

    Thanks for the reply. I will go through the guide you mentioned and will post in case I get stuck somewhere.

    Once again thanks a ton!

    Ram T S

  4. #4
    Re: Deploying IPS blade in Prevent mode

    The IPS tuning guide is very good and elaborate.

    Yet, the approach can be simplified a bit, to start easy.

    1. Get the default profile and modify it to put all protections to "detect only", where possible. Some classic ones can be Protect only, but there is nothing you can do.
    2. See if you have no errors on the traffic you consider legit. If yes, drill down to understand why.
    3. Assess your needs and pinpoint the set of protections/protocols/servers you need to protect. You most probably don't need 100% of IPS capabilities.
    4. Slowly scale up those you need.
    5. Always set new protections to detect only and observe the logs before enabling actual protect mode.
    6. Be extremely cautious with protections that are marked for high CPU impact.
    7. At any of the steps above, observe CPU utilization with the top and/or cpview commands before and after every change, to make sure FW performance parameters are still okay.

    Valeri Loukine
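
An added example, not part of the original posts and not Check Point code: one way to turn the detect-only monitoring period from steps 2, 5 and 6 into a per-protection decision. The CSV columns, protection names and the "legit" network are assumptions constructed for illustration, not a real log export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed detect-mode events; the column names and protection names are
# assumptions for this example, not a Check Point log export format.
SAMPLE_LOG = """protection,src,dst,perf_impact
sample-sqli,203.0.113.7,10.0.0.20,medium
sample-sqli,10.0.5.14,10.0.0.20,medium
sample-http-compliance,10.0.5.14,10.0.0.20,low
sample-http-compliance,10.0.5.15,10.0.0.20,low
sample-portscan,198.51.100.9,10.0.0.1,high
sample-dir-traversal,203.0.113.7,10.0.0.20,low
"""

# Networks whose traffic the administrator considers legitimate (assumption).
LEGIT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

INVESTIGATE = "stay in detect: fired on legit traffic, drill down"
HIGH_CPU = "stay in detect: high CPU impact, test carefully"
CANDIDATE = "candidate for prevent"

def is_legit(src):
    """True when the source address belongs to a network considered legit."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LEGIT_NETS)

def triage(log_text):
    """Map each protection seen in the monitoring period to a next step."""
    stats = defaultdict(lambda: {"legit": 0, "impact": "low"})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = stats[row["protection"]]
        entry["legit"] += int(is_legit(row["src"]))
        entry["impact"] = row["perf_impact"]
    plan = {}
    for name, entry in stats.items():
        if entry["legit"]:            # step 2: hits on traffic you trust
            plan[name] = INVESTIGATE
        elif entry["impact"] == "high":  # step 6: high CPU impact
            plan[name] = HIGH_CPU
        else:                         # step 5: observed clean in detect
            plan[name] = CANDIDATE
    return plan

if __name__ == "__main__":
    for name, step in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name:24} {step}")
```
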
