CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Deploying IPS blade in Prevent mode

  1. #1 (Join Date 2015-03-31, Posts 43)

    Deploying IPS blade in Prevent mode

    Hi Team,

    I'm running a cluster setup with R77.30 GAIA and recently bought an IPS license. Can somebody advise me on the phases to deploy the IPS so as to prevent any kind of unknown outages?
    By phases I mean monitoring for XYZ days, fine tuning, and then prevent mode.
    Can somebody tell me what needs to be monitored in the initial days and what kind of fine tuning is required on the configuration?

  2. #2 (Join Date 2007-06-04, Posts 3,304)

    Re: Deploying IPS blade in Prevent mode

    http://dl3.checkpoint.com/paid/6f/6f...7e59f&xtn=.pdf

    is a pretty good starting point.

    If concerned about CPU load,

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk43733&partition=Advanced&product=IPS

    is pretty useful.

  3. #3 (Join Date 2015-03-31, Posts 43)

    Re: Deploying IPS blade in Prevent mode

    Hi Mcnallym,

    Thanks for the reply. I will go through the guide you mentioned and will post in case I get stuck somewhere.

    Once again thanks a ton!

    Ram T S

  4. #4 (Join Date 2006-03-08, Location Lausanne, Posts 1,030)

    Re: Deploying IPS blade in Prevent mode

    The IPS tuning guide is very good and elaborate.

    Yet, the approach can be simplified a bit, to start easy.

    1. Take the default profile and modify it to put all protections to "detect only", where possible. Some classic ones can be Protect only, but there is nothing you can do about that.
    2. See if you have no errors on the traffic you consider legit. If you do, drill down to understand why.
    3. Assess your needs and pinpoint the set of protections/protocols/servers you need to protect. You most probably don't need 100% of IPS capabilities.
    4. Slowly scale up those you need.
    5. Always set new protections to detect only and observe the logs before enabling actual protect mode.
    6. Be extremely cautious with protections that are marked for high CPU impact.
    7. At any step above, observe CPU utilization with the top and/or cpview commands before and after every change, to make sure FW performance parameters are still okay.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
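As an added illustration of steps 2, 5 and 6 above (this is example code written for this page, not anything from Check Point or the poster): a small triage script that reads Detect-mode IPS events and, for each protection, separates hits coming from networks you consider legitimate (probable false positives to drill into) from hits coming only from untrusted sources (candidates to move to Prevent), while flagging protections marked High CPU impact. The log lines and the key=value layout are constructed for the example and are not the real Check Point log format; the trusted network list is an assumption.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of IPS events in Detect mode. The key=value layout is
# invented for this example; it is NOT the real Check Point log format.
SAMPLE_LOGS = """\
time=10:00:01 action=Detect protection="HTTP Header Overflow" src=10.1.1.5 dst=10.2.2.10 cpu_impact=Low
time=10:00:07 action=Detect protection="HTTP Header Overflow" src=10.1.1.6 dst=10.2.2.10 cpu_impact=Low
time=10:01:12 action=Detect protection="SQL Injection" src=203.0.113.7 dst=10.2.2.10 cpu_impact=Low
time=10:02:45 action=Detect protection="SQL Injection" src=198.51.100.9 dst=10.2.2.10 cpu_impact=Low
time=10:03:30 action=Detect protection="SSH Version Scan" src=203.0.113.7 dst=10.2.2.22 cpu_impact=High
"""

# key=value pairs; quoted values may contain spaces (protection names do).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_logs(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [{m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in KV_RE.finditer(line)}
            for line in text.splitlines() if line.strip()]

def triage(events, trusted_nets):
    """Per protection: total Detect hits, hits whose source lies in a network
    you consider legit (assumed list), and whether it is High CPU impact."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    stats = defaultdict(lambda: {"hits": 0, "trusted_hits": 0, "high_cpu": False})
    for ev in events:
        if ev.get("action") != "Detect":
            continue
        s = stats[ev["protection"]]
        s["hits"] += 1
        src = ipaddress.ip_address(ev["src"])
        if any(src in n for n in nets):
            s["trusted_hits"] += 1
        if ev.get("cpu_impact") == "High":
            s["high_cpu"] = True
    return dict(stats)

def recommend(stats):
    """Map Detect-mode statistics to the next rollout step for each protection:
    fired on trusted traffic -> investigate first (step 2), keep Detect;
    fired only on untrusted sources -> candidate to move to Prevent (step 5);
    High CPU impact -> re-check top/cpview after the change (steps 6 and 7)."""
    out = {}
    for name, s in stats.items():
        out[name] = "investigate" if s["trusted_hits"] else "candidate_for_prevent"
        if s["high_cpu"]:
            out[name] += " (High CPU impact: re-check top/cpview after change)"
    return out
```

Run it over a day's worth of exported Detect-mode events and review the "investigate" entries before touching the profile; the "candidate" entries are the ones to enable in Prevent a few at a time.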
