Doubts on IPS

[ankda14]

Hi All,

I was going through IPS blade on checkpoint R80.10. To test IPS i deployed windows XP SP3 machine at inside side of firewall and a kali linux on outside side of firewall. I created a access rule from kali to xp and allow all traffic.

In IPS blade, the default policy is installed with profile optimized.

To test if IPS detect an attack, i used famous ms08-067 exploit.

For this specific exploit in IPS protection, i changed action to prevent first for optimized profile and installed the policy.

I ran exploit through metasploit and expolit didn't worked and in logs IPS prevented it.

Now i change the action to detect for optimized profile in IPS protection and again installed the policy.

Again run the exploit through metasploit but again it didn't worked and in logs again IPS is preventing it.

i don't know if i am missing something or we need to make some more modifications somewhere.

The objective is i want this exploit to run and IPS just detect and log it.

Kindly help me here.

Thanks.

[PhoneBoy]

Pretty sure that the default action for the MS08-067 protection is Optimized or Strict profiles is Prevent.
Did you install the Firewall policy or the Threat Prevention policy?
Note for R80.10+ gateways, you need to install the Threat Prevention policy if you make changes to the IPS Policy (in earlier releases, you push the Firewall/Access Control policy).