Difference between revisions of "Dynamic block rules for IPS events"
From Tech-Wiki
(Created page with "Category:Check Point '''Back to Gaia''' The same way you can configure a rule to log, alert by mail, you can set an IPS rule to run some command. For...") |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
This will set an automatic rule (for all Security Gateways managed by this Security Management Server) with the Source IP address of the host that caused a hit on the IPS protection during 1 hour | This will set an automatic rule (for all Security Gateways managed by this Security Management Server) with the Source IP address of the host that caused a hit on the IPS protection during 1 hour | ||
− | In summary: | + | In summary, set this action: |
Run UserDefined script: sam_alert -t 3600 -I -src | Run UserDefined script: sam_alert -t 3600 -I -src | ||
Line 12: | Line 12: | ||
Steps: | Steps: | ||
− | + | # In SmartDashboard, go to IPS tab - click on Protections | |
+ | # Search for Host Port Scan | ||
+ | # Double-click on the Host Port Scan protection | ||
+ | # Double-click on the relevant IPS profile (that is assigned to the involved Security Gateway) | ||
+ | # Select Override IPS Policy with - select Detect | ||
+ | # In the Track field, select User Defined Alert no. 1 | ||
+ | # Set the desired Detection Sensitivity | ||
+ | # Click on OK to apply the changes and return to SmartDashboard main window | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
And now configure an automatic SAM rule to close the port scanning connections: | And now configure an automatic SAM rule to close the port scanning connections: | ||
− | + | # In SmartDashboard, go to Policy menu - click on Global Properties... | |
− | + | # Expand Log and Alerts - click on Alerts | |
− | + | # Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor) | |
− | + | # Add an automatic SAM rule: | |
− | + | ||
− | + | ||
− | + | ||
sam_alert -t 3600 -I -src | sam_alert -t 3600 -I -src |
Latest revision as of 20:52, 18 July 2017
The same way you can configure a rule to log, alert by mail, you can set an IPS rule to run some command. For example, block the offender (dynamic blacklist).
This will set an automatic rule (for all Security Gateways managed by this Security Management Server) with the Source IP address of the host that caused a hit on the IPS protection during 1 hour
In summary, set this action:
Run UserDefined script: sam_alert -t 3600 -I -src
Steps:
- In SmartDashboard, go to IPS tab - click on Protections
- Search for Host Port Scan
- Double-click on the Host Port Scan protection
- Double-click on the relevant IPS profile (that is assigned to the involved Security Gateway)
- Select Override IPS Policy with - select Detect
- In the Track field, select User Defined Alert no. 1
- Set the desired Detection Sensitivity
- Click on OK to apply the changes and return to SmartDashboard main window
And now configure an automatic SAM rule to close the port scanning connections:
- In SmartDashboard, go to Policy menu - click on Global Properties...
- Expand Log and Alerts - click on Alerts
- Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)
- Add an automatic SAM rule:
sam_alert -t 3600 -I -src