Difference between revisions of "Dynamic block rules for IPS events"

From Tech-Wiki
(Created page with "Category:Check Point '''Back to Gaia''' The same way you can configure a rule to log, alert by mail, you can set an IPS rule to run some command. For...")
 
 
(3 intermediate revisions by the same user not shown)
Line 6: Line 6:
 
This will set an automatic rule (for all Security Gateways managed by this Security Management Server) with the Source IP address of the host that caused a hit on the IPS protection during 1 hour
 
This will set an automatic rule (for all Security Gateways managed by this Security Management Server) with the Source IP address of the host that caused a hit on the IPS protection during 1 hour
  
In summary:
+
In summary, set this action:
  
 
  Run UserDefined script: sam_alert -t 3600 -I -src
 
  Run UserDefined script: sam_alert -t 3600 -I -src
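Review bot: the unchanged sentence above the edited "In summary" line says the rule applies "during 1 hour", but nothing connects that to the command. Since the new wording presents "sam_alert -t 3600 -I -src" as the action to set, state that -t 3600 is the 3600-second (one-hour) timeout, and change "during 1 hour" to "for 1 hour" with a closing period.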
Line 12: Line 12:
 
Steps:
 
Steps:
  
A. In SmartDashboard, go to IPS tab - click on Protections
+
# In SmartDashboard, go to IPS tab - click on Protections
 +
# Search for Host Port Scan
 +
# Double-click on the Host Port Scan protection
 +
# Double-click on the relevant IPS profile (that is assigned to the involved Security Gateway)
 +
# Select Override IPS Policy with - select Detect
 +
# In the Track field, select User Defined Alert no. 1
 +
# Set the desired Detection Sensitivity
 +
# Click on OK to apply the changes and return to SmartDashboard main window
  
B. Search for Host Port Scan
 
 
C. Double-click on the Host Port Scan protection
 
 
D. Double-click on the relevant IPS profile (that is assigned to the involved Security Gateway)
 
 
E. Select Override IPS Policy with - select Detect
 
 
F. In the Track field, select User Defined Alert no. 1
 
 
G. Set the desired Detection Sensitivity
 
 
H. Click on OK to apply the changes and return to SmartDashboard main window
 
  
 
And now configure an automatic SAM rule to close the port scanning connections:
 
And now configure an automatic SAM rule to close the port scanning connections:
  
A. In SmartDashboard, go to Policy menu - click on Global Properties...
+
# In SmartDashboard, go to Policy menu - click on Global Properties...
 
+
# Expand Log and Alerts - click on Alerts
B. Expand Log and Alerts - click on Alerts
+
# Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)
 
+
# Add an automatic SAM rule:
C. Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)
+
 
+
D. Add an automatic SAM rule:
+
  
 
  sam_alert -t 3600 -I -src
 
  sam_alert -t 3600 -I -src
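Review bot: the two numbered lists never say that they depend on the same alert number. The first list selects "User Defined Alert no. 1" in the Track field and the second checks Run UserDefined script under "Send user defined alert no.1 to SmartView Monitor"; add a sentence that these must be the same alert, and use one spelling ("no. 1") in both places. The first list also sets the protection to Detect, so the text should say that the blocking comes only from the SAM rule.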

Latest revision as of 20:52, 18 July 2017


Just as you can configure a rule to log or to alert by mail, you can set an IPS rule to run a command, for example to block the offender (a dynamic blacklist).

This sets an automatic rule (for all Security Gateways managed by this Security Management Server) on the source IP address of the host that caused a hit on the IPS protection, for 1 hour.

In summary, set this action:

Run UserDefined script: sam_alert -t 3600 -I -src

Steps:

  1. In SmartDashboard, go to IPS tab - click on Protections
  2. Search for Host Port Scan
  3. Double-click on the Host Port Scan protection
  4. Double-click on the relevant IPS profile (that is assigned to the involved Security Gateway)
  5. Select Override IPS Policy with - select Detect
  6. In the Track field, select User Defined Alert no. 1
  7. Set the desired Detection Sensitivity
  8. Click on OK to apply the changes and return to SmartDashboard main window


And now configure an automatic SAM rule to close the port scanning connections:

  1. In SmartDashboard, go to Policy menu - click on Global Properties...
  2. Expand Log and Alerts - click on Alerts
  3. Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)
  4. Add an automatic SAM rule:
     sam_alert -t 3600 -I -src
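
Because the SAM rule is created automatically from the alert's source address, a monitoring host or the management server can end up blocked for an hour. The following wrapper is an added example, not part of the original page: it forwards the alert to `sam_alert` only when the source is not on an allowlist. The script, the allowlist, the sample log line and the assumption that the alert arrives on stdin as one line with a `src: <IPv4>;` field are all hypothetical.

```shell
#!/bin/sh
# Hypothetical wrapper to put in the "Run UserDefined script" field in place of
# the bare sam_alert call. ASSUMPTION: the alert reaches the script on stdin as
# one log line carrying a "src: <IPv4>;" field.

# Constructed allowlist: addresses that must never be blocked automatically.
ALLOWLIST="192.0.2.10 192.0.2.53"

# Constructed sample alert line, for offline testing only.
SAMPLE_ALERT='18Jul2017 20:52:00 detect gw1 >eth0 product: IPS; src: 203.0.113.7; dst: 192.0.2.80; proto: tcp;'

# Print the IPv4 address of the first "src:" field, or nothing if it is
# missing or malformed. A field whose name only ends in "src" is not matched.
extract_src() {
    rest=" $1"
    rest=${rest#*[ ;]src: }     # drop everything up to the first "src: "
    rest=${rest%%;*}            # keep the value up to the closing ";"
    case $rest in ''|*[!0-9.]*|*..*|.*|*.) return 0 ;; esac
    old_ifs=$IFS; IFS=.; set -- $rest; IFS=$old_ifs
    [ $# -eq 4 ] || return 0
    for octet in "$@"; do [ "$octet" -le 255 ] || return 0; done
    printf '%s\n' "$rest"
}

is_allowlisted() {
    for ip in $ALLOWLIST; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# Print "block <ip>", "skip <ip>" (allowlisted) or "ignore" (no usable src).
decide() {
    src=$(extract_src "$1")
    if [ -z "$src" ]; then echo "ignore"
    elif is_allowlisted "$src"; then echo "skip $src"
    else echo "block $src"; fi
}

# Live use: "<this script> --run" with the alert on stdin.
if [ "${1:-}" = "--run" ]; then
    IFS= read -r line
    verdict=$(decide "$line")
    case $verdict in
        block*) printf '%s\n' "$line" | sam_alert -t 3600 -I -src ;;
        *)      logger -t sam_wrapper "no SAM rule added: $verdict" ;;
    esac
fi
```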