Intrusion Prevention System (IPS)

Overview

In addition to the Contextual Machine-Learning based engine, CloudGuard WAF provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). The signatures arrive automatically to agents/gateways as soon as Check Point Security Research team releases them. One specific benefit of these signatures is the ability to see logs that indicate a specific CVE number.

How to set up Intrusion Prevention

When defining a new Web Application / API asset to protect, IPS was already defined to enforce its security as part of step 3 of the wizard. However - a security administrator may choose to fine tune the default behavior of the IPS engine.

Step 1: Browse to Policy->Assets and edit the Web Application / API asset

Once the asset edit window opens, select the Web Attacks tab and scroll to the Intrusion Prevention sub-practice.

Step 2: Edit the settings of the Intrusion Prevention sub-practice

The settings allow:

• Changing which protections will be active according to their:

  • Performance Impact

  • Severity

  • Year of the CVE they protect against

• Changing the exact behavior upon detection of signature according to its confidence level (Prevent/Detect/Inactive, or, According to Practice when there is no unique behavior to the group of protections)

When making the first change to the default Web Application/API Best Practice's configuration such as making changes to the default configuration of the IPS engine settings, you will be prompted to change the name of the Practice to your own custom practice name

Step 4: Make sure the Mode of the Intrusion Prevention sub-practice is as desired

Setting the Mode to As Top Level means inheriting the primary mode of the practice.

Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.

You can also set up a specific action per confidence level of the the protection that caught the attack. According to Practice mode means the sub-practice's mode determines the action. But you can set up Detect/Prevent/Disable specifically for that group of protections per confidence level. For example - the default configuration of the IPS sub-practice configures that Low confidence protections will be set to "Detect" mode, unrelated to the general IPS mode.

Step 5: Enforce Policy

Click Enforce on the top banner of the Infinity Portal.