8/3/2019 CP_R65.1_IPS-1_AdminGuide
1/186
IPS-1
Administration Guide
Version NGX R65.1
March 8, 2009
2003-2009 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks
For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Contents
Preface
About this Guide.............................................................................................. 10
Who Should Use This Guide.............................................................................. 11
Summary of Contents ....................................................................................... 12
Related Documentation .................................................................................... 13
More Information ............................................................................................. 14
Feedback ........................................................................................................ 15
Chapter 1 IPS-1 Overview
IPS-1 Key Benefits .......................................................................................... 18
IPS-1 System Architecture................................................................................ 19
IPS-1 Deployment............................................................................................ 21
Working in the IPS-1 Management Dashboard .................................................... 22
Logging into the IPS-1 Management Server with the IPS-1 Dashboard ............. 22
Navigating the IPS-1 Management Dashboard Windows.................................. 23
The IPS-1 Management Dashboard Menus .................................................... 24
The IPS-1 Management Dashboard Toolbar ................................................... 25
Chapter 2 Managing the IPS-1 System
Overview ......................................................................................................... 28
System Messages............................................................................................. 28
Installing Policies ............................................................................................ 29
Adding an Alerts Concentrator to the System ...................................................... 31
Adding an IPS-1 Sensor to the Management Server............................................. 33
User Accounts ................................................................................................. 35
User Accounts Overview .............................................................................. 35
Managing User Accounts ............................................................................. 35
Changing the Password................................................................................ 36
Unlocking a User Account ........................................................................... 36
Licensing ........................................................................................................ 38
Overview .................................................................................................... 38
Viewing License Summary ........................................................................... 38
Adding a License ........................................................................................ 39
Maintaining Database Size................................................................................ 41
Space Management Overview ....................................................................... 41
Configuring Space Management ................................................................... 42
Reclaiming Database Space......................................................................... 43
Alerts Concentrator High Availability.................................................................. 45
Managing the IPS-1 Sensor .............................................................................. 47
Connecting to the IPS-1 Sensor.................................................................... 47
IPS-1 Sensor Modes.................................................................................... 47
Configuring Other Sensor Definitions ............................................................ 50
Shutting Down or Restarting the IPS-1 Sensor............................................... 52
Overview .................................................................................................. 140
Creating an Activity Level Graph................................................................. 140
Creating Pick Graphs................................................................................. 142
Creating a Top n Graph.............................................................................. 144
Saving Graphs .......................................................................................... 146
Printing a Graph ....................................................................................... 146
Customizing Alerts ......................................................................................... 147
Overview .................................................................................................. 147
Configuring Actions................................................................................... 147
Applying Actions to Alerts.......................................................................... 150
Changing an Alerts Displayed Priority......................................................... 151
Chapter 5 Vulnerability Detection and Defense
Overview ....................................................................................................... 154
Installing Network Vulnerability Data, and Dynamic Shielding ............................ 155
Viewing Vulnerabilities ................................................................................... 156
Investigating Vulnerabilities with the Distribution Graph .................................... 159
Distribution Graph Overview....................................................................... 159
Configuring the Distribution Graph ............................................................. 159
Investigation Examples.............................................................................. 160
Viewing Compromise Risk in the Alert Browser.................................................. 162
Disabling Vulnerability Correlation ................................................................... 163
Chapter 6 Data Analysis with External Tools
Overview ....................................................................................................... 166
Setting up Reports ......................................................................................... 167
Creating an ODBC Data Source .................................................................. 167
Generating a Report ....................................................................................... 169
Report Template List...................................................................................... 173
Integration with Eventia Analyzer..................................................................... 175
Introduction ............................................................................................. 175
Integrating with Eventia Analyzer................................................................ 175
Chapter 7 Backup and Migration
Overview ....................................................................................................... 180
Exporting IPS-1 Management Server Data ........................................................ 181
Exporting Data using the Dashboard ........................................................... 182
Exporting Data using the Command Line..................................................... 182
Migrating Data using the Command Line..................................................... 184
Importing IPS-1 Management Server Data........................................................ 185
Preface
In This Chapter
About this Guide page 10
Who Should Use This Guide page 11
Summary of Contents page 12
Related Documentation page 13
More Information page 14
Feedback page 15
About this Guide

The IPS-1 Administration Guide is a guide to configuring and using the IPS-1
system.
For deployment, installation and initial configuration instructions, see the Check
Point Installation and Upgrade Guide.
Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of:
System and network administration
Server operating systems
Summary of Contents

This guide contains the following chapters:
Chapter 1, IPS-1 Overview - This chapter discusses IPS-1 deployment components and an introduction to the IPS-1 Management Dashboard.
Chapter 2, Managing the IPS-1 System - This chapter discusses configuration tasks, user accounts, licensing, database maintenance, and system administration.
Chapter 3, Managing Attack Detection and Prevention - This chapter discusses updating attack signatures and managing protections.
Chapter 4, Alert Monitoring and Analysis - This chapter discusses the IPS-1 Management Dashboard windows and tools for alert monitoring and analysis.
Chapter 5, Vulnerability Detection and Defense - This chapter discusses network vulnerability detection and analysis.
Chapter 6, Data Analysis with External Tools - This chapter discusses creating reports with Crystal Reports 11 from Business Objects.
Chapter 7, Backup and Migration - This chapter discusses IPS-1 Management Server data backup and migration.
More Information

For additional technical information about Check Point products, consult
Check Point's SecureKnowledge at http://support.checkpoint.com.
To view the latest version of this document in the Check Point User Center, go
to: http://support.checkpoint.com.
Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:
[email protected] (subject: Check Point User Guide feedback)
Chapter 1
IPS-1 Overview

In This Chapter
IPS-1 Key Benefits page 18
IPS-1 System Architecture page 19
IPS-1 Deployment page 21
Working in the IPS-1 Management Dashboard page 22
IPS-1 Key Benefits

The IPS-1 Intrusion Prevention System provides accurate, high performance
protection against known and unknown attacks. You can customize its features to
suit your organization's particular needs. IPS-1 offers many benefits:
Trusted Intrusion Prevention
Smart intrusion detection
Customizable intrusion prevention
Customizable Confidence Indexing
Customizable attack signatures
Automatic attack signature updates
IPS Simplified
Quick deployment
Flexible deployment modes
Minimal-impact design
Centralized, scalable management
Customizable desktop GUI with real-time information and management
Dynamic Shielding
Presents network intelligence including OS and application information, CVE
vulnerabilities, and impact and remediation details.
Determines anomalous behavior, reduces false positives and recognizes and
dynamically shields vulnerable hosts against inevitable attacks.
IPS-1 System Architecture

An IPS-1 deployment includes the following components:
IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts
to the Alerts Concentrator.
Alerts Concentrator: Manages and receives alerts from a group of Sensors, and
stores the alerts in a MySQL database (included in the Alerts Concentrator
installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout
the network as needed.
IPS-1 Management Server: The central management server for the entire
deployment. Receives and correlates relevant alert information from the Alerts
Concentrator(s). Alert information is stored in a MySQL database, which is
included in the IPS-1 Management Server installation.
IPS-1 Management Dashboard: Windows-based remote graphical user interface
(GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for
monitoring alerts. The IPS-1 Management Dashboard includes a number of
independent interlinked windows, primarily:
Policy Manager for configuring protections and managing the entire IPS-1
system.
Alert Browser for viewing, tracking, and analyzing real-time alerts.
There are two deployment configurations for IPS-1:
Combined Deployment - An Alerts Concentrator is installed together with the
IPS-1 Management Server on the same computer. For this type of deployment,
select IPS-1 Management Server (all components) during the installation.
Distributed Deployment - The IPS-1 Management Server connects to one or
more Alerts Concentrators installed on separate computers. For this type of
deployment, select IPS-1 Management Server (without Alerts Concentrator)
during the installation.
The installation steps for each deployment configuration are found in the Initial
Configuration of Management Servers section of the Check Point Installation and
Upgrade Guide Version R70.
The following diagram illustrates the components of the IPS-1 system architecture
with two Alerts Concentrators in a Distributed Deployment:
Figure 1-1 The IPS-1 System
IPS-1 Deployment

For considerations for placement and topology of IPS-1 Sensors and of
management components, and for information on setting up the deployment, see
the Check Point Installation and Upgrade Guide.
For information on subsequent configuration of the various IPS-1 system
components, see in this document: Managing the IPS-1 System on page 27.
Working in the IPS-1 Management Dashboard

In This Section
Logging into the IPS-1 Management Server with the IPS-1 Dashboard page 22
Navigating the IPS-1 Management Dashboard Windows page 23
The IPS-1 Management Dashboard Menus page 24
The IPS-1 Management Dashboard Toolbar page 25

Logging into the IPS-1 Management Server with the IPS-1 Dashboard
To log into the IPS-1 Management Server with the IPS-1 Management Dashboard:
1. Make sure that the IPS-1 Server (or Alerts Concentrator) processes are running,
starting them if necessary:
a. On SecurePlatform, enter expert mode by typing expert and pressing Enter.
On other operating systems, log in as root.
b. Run:
/etc/init.d/ips1 start
2. On the client computer, start the IPS-1 Management Dashboard. A login
window appears:
3. Type your username and password, and specify the IPS-1 Server's IP address or
resolvable hostname. The default port number is 8443.
4. If you are trying to connect to the IPS-1 Server through a proxy server, expand
the login window by clicking More Options and check Use Proxy. Type the proxy
server's connection and authentication information. Note that for Digest Proxy
authentication only HTTP is supported, not HTTPS.
Note - The default username is admin.
When upgrading from a previous version of IPS-1, log in with the pre-existing usernames.
The default username for prior versions of IPS-1 is nfr.
Navigating the IPS-1 Management Dashboard Windows
IPS-1 Management Dashboard windows can be accessed by clicking one of the
icons in the upper-right corner of the Management Dashboard. The windows can
also be accessed from the File and Management menus.
The IPS-1 Management Dashboard includes the following main windows:
Policy Manager: System, protection, and alert management.
To access Policy Manager from any other IPS-1 Management Dashboard
window, from the Management menu, select Policy.
Some parts of Policy Manager (especially in the System Settings tab) appear
only when Advanced Settings are enabled. To enable Advanced Settings, from
Policy Manager's Policy Manager menu, point to Advanced, and select Show
Advanced Settings.
Details of the tasks performed in Policy Manager can be found in Managing
the IPS-1 System on page 27, in Managing Attack Detection and Prevention
on page 65, and in other chapters.
Alert Browser, and other windows for alert monitoring and analysis.
Any of the alert monitoring and analysis windows can be accessed from the File
menu or toolbar of any IPS-1 Management Dashboard window.
These windows are highly user-configurable. Details of the tasks performed in
these windows can be found in Alert Monitoring and Analysis on page 107,
and in other chapters.
Vulnerability Browser: Network risk assessment and analysis. The Vulnerability
Browser can be accessed from the File menu of any IPS-1 Management
Dashboard window, or from the Alert Browser toolbar. For details, see
Vulnerability Detection and Defense on page 153.
The IPS-1 Management Dashboard Menus
The menus for all main Dashboard windows are the same, except for the third
menu, which bears the same name as the window. For example, Policy Manager's
Policy Manager menu contains commands unique to Policy Manager.
The File menu contains the following commands:
Commands for launching new windows:
New Alert Browser
New History Browser
New Timeline
New Graph
New Vulnerability Browser
Commands for managing window views:
Open View
Delete View
Save View
Save View As
Window views include all customization settings, and are saved on the
IPS-1 Management Server. For details, see Saving Customized Views on
page 124.
Close: Closes the current window.
Exit Application: Closes all IPS-1 Management Dashboard windows.
The Tools menu contains the following commands:
System Status: Displays in a single window the activity and communication
status of the Alerts Concentrators and Sensors. For details, see System
Status in the IPS-1 Management Dashboard on page 58.
User Preferences: Settings for using Reverse DNS lookup to display
hostnames in Alert Details and for viewing packet captures in a third-party
application. For details, see Viewing Alert Details on page 127 and
Packet Capture and Viewing on page 129.
Change Password: Enables a user to change his password. For details, see
Changing the Password on page 36.
The context-dependent menu contains commands relevant to each specific
window, such as Alert Browser, History Browser, Policy Manager etc., and
changes name according to the window which is open.
The Windows menu contains a listing of the open IPS-1 windows. This menu
does not appear in the Alert Browser which is opened after the initial login.
The Management menu contains the following commands:
Correlators: Opens the Correlators window. Correlators generate alerts based
on other alerts, from multiple connections and across all IPS-1 Sensors.
For details, see System-Wide Attack Correlation on page 89.
Users: Manage user accounts. For details, see User Accounts on page 35.
Policy: Opens Policy Manager.
Space Management: Opens the Space Management window, for maintaining
database size. For details, see Maintaining Database Size on page 41.
The About menu contains the About command: Displays IPS-1 Management
Dashboard information.
The IPS-1 Management Dashboard Toolbar
On the left end of the toolbar, the Alert Browser and History Browser windows have
buttons unique to the Alert Browser and History Browser. For details on these
buttons, see Toolbar Buttons on page 112.
On the right end of the toolbar, all the main Management Dashboard windows have
the same buttons. These are:
Table 1-1 Toolbar buttons (button icons omitted)
Alert Browser: Opens an Alert Browser window. See The Alert Browser and History
Browser on page 109.
Graph: Allows you to view alert activity in graph form. See Creating Alert
Graphs on page 140.
Timeline: Plots alert activity on timelines. See The Timeline Window on
page 134.
Vulnerability Browser: Opens the Vulnerability Browser. See Vulnerability Detection and
Defense on page 153.
Policy Manager: Opens Policy Manager.
System Status: Displays the status of all IPS-1 Alerts Concentrators and IPS-1
Sensors. See System Status in the IPS-1 Management Dashboard on
page 58.
Chapter 2
Managing the IPS-1 System

In This Chapter
Overview page 28
System Messages page 28
Installing Policies page 29
Adding an Alerts Concentrator to the System page 31
Adding an IPS-1 Sensor to the Management Server page 33
User Accounts page 35
Licensing page 38
Maintaining Database Size page 41
Alerts Concentrator High Availability page 45
Managing the IPS-1 Sensor page 47
Starting and Stopping the IPS-1 Servers page 56
Uninstalling the IPS-1 Servers page 57
Viewing System Status Information page 58
Overview

This chapter describes configuration of an already installed and initially configured
IPS-1 system. For information on installing and initially configuring the IPS-1
system, see the Check Point Installation and Upgrade Guide.
System Messages
IPS-1 System Messages report required and recommended management tasks. To
view the System Messages:
1. Open the Policy Manager.
2. Select the System Settings tab.
3. In the left-hand navigation tree, select System Messages.
Installing Policies

Many of the management tasks in this chapter and the protection management
tasks in the next chapter are performed in Policy Manager. In general, changes
made in Policy Manager are not saved to the IPS-1 Management Server or
transmitted to other IPS-1 system components until you Install Policy.
To Install a Policy:
1. In Policy Manager, from the File menu, select Install Policy. Or, click Install
Policy:
The Install Policy window appears:
2. Select the Alerts Concentrator(s).
3. In most cases, select (on the bottom of the window) Install Policy on Sensors,
and (in the upper part of the window) select all Sensors. The "Install Policy on
Sensors" checkbox will be automatically selected when changes have been
made that require the Sensors to be updated.
4. Click OK.
Policy Manager changes to read-only while Policy is installed.
Note - If you leave any Alerts Concentrators or Sensors not selected, they will be excluded
from subsequent automatic attack signature updates.
Adding an Alerts Concentrator to the System

To add an Alerts Concentrator to the IPS-1 System, first install and set up the
Alerts Concentrator. For details, see the Check Point Installation and Upgrade Guide.
To then add the Alerts Concentrator to the IPS-1 system, in Policy Manager's
Sensors and Concentrators tab, right-click in the left-hand navigation tree, and
select New Alerts Concentrator:
The New Alerts Concentrator window appears:
Configure the Alerts Concentrator settings as follows:
1. In the Host field, type the Alerts Concentrator's IP address or resolvable
hostname.
2. Type and confirm the activation key that you specified during the Alerts
Concentrator installation.
To reset the Activation Key on the Alerts Concentrator:
a. Log in to the Alerts Concentrator
b. Switch to the ips1 user using the su - ips1 command. In SecurePlatform,
this must be done from expert mode.
c. Run the set_activation_key command to set the activation key.
3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator,
select Use Proxy and type the proxy's connection and authentication
information.
4. Make sure Receive Alerts is On.
5. If this Alerts Concentrator, or the IPS-1 Server's communication with it, might be
slower than others, select Avoid this server for help text. When an Alert Browser
user right-clicks an alert and selects Alert Details, the IPS-1 Server then first
attempts to retrieve the Help Text from another Alerts Concentrator.
6. Click OK.
The Alerts Concentrator is added.
Note - Entering the Alerts Concentrator's IP address rather than a hostname is preferred,
because the connection then does not depend on a DNS lookup that could be spoofed.
Adding an IPS-1 Sensor to the Management Server

Before adding an IPS-1 Sensor to the IPS-1 Management Server, the Sensor must
first be installed and configured as described in the Check Point Installation and
Upgrade Guide.
In Policy Manager, add the Sensor to the IPS-1 system, as follows:
1. In Policy Manager's Sensors and Concentrators tab, select the Alerts
Concentrator to which you are adding the new Sensor and click New Sensor.
The Add New Sensor window appears:
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
3. Type the Sensor's IP address or resolvable Hostname.
4. Type and confirm the Activation Key, as defined during Sensor installation or in
the Sensor's Management Menu.
To reset the Activation Key on an IPS-1 Sensor, run the cpconfig command. To
reset the Activation Key on an IPS-1 Power Sensor, log in as the nfr user.
5. Click Next.
6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect
from the list of Recently Used Values and use the arrow buttons in the middle of
the window to add, remove or change the order of the addresses in the list of
Selected Host Types.
If your network does not appear in the Recently Used Values list, type the
network address and netmask information into the field at the bottom of the
window and press enter.
When all of your network addresses are listed in the Selected Host Types, click
Next.
7. Select the Local Broadcast Addresses for the protected networks from the
Recently Used Values and use the arrow buttons in the middle of the window to
add or remove addresses from the list of Selected Host Types.
If your broadcast address does not appear in the Recently Used Values list, type
the broadcast address into the field at the bottom of the window and press
enter.
When all of your broadcast addresses are listed in the Selected Host Types, click
Next.
8. Click New to assign descriptive names to your interfaces.
The Edit Interface Description window appears:
Enter the raw interface name as it is listed in the Sensor, and enter the
descriptive name that you want to assign to that interface. Click OK.
9. Once you have finished modifying the names of the interfaces, press Finish to
add the new Sensor to the Alerts Concentrator.
10. To apply the changes, click Install Policy.
User Accounts

In This Section
User Accounts Overview page 35
Managing User Accounts page 35
Changing the Password page 36
Unlocking a User Account page 36

User Accounts Overview
Two kinds of users, with different permission levels, can log into the IPS-1
Management Server with the IPS-1 Management Dashboard, and use or manage the
IPS-1 system:
Administrator - full permissions.
Normal - specific, configurable permissions. These permissions are defined
during the creation of the user account or subsequently by editing the user
account.
One Administrator account is defined during IPS-1 Management Server installation.
Additional users of both kinds can be added from the IPS-1 Management
Dashboard.
User accounts can be created and managed by Administrators, or by Normal Users
who have been given the Edit User permission. The Edit User permission can be
limited to managing specific users. A user can never give permissions greater than
his own.
Note - Sensors for which a Normal user does not have permissions will not appear in Policy
Manager, the Alert Browser, Timeline windows, System Status, etc. However, the graphs
window (which displays raw counts of alerts) may still include counts of alerts from these
IPS-1 Sensors. Also, these restrictions are enforced by the application only; they do not
apply to a third-party tool that reads the database directly, such as Crystal Reports, so
access to the database itself must be controlled separately.
Managing User Accounts
To create or edit a user account:
1. From the Alert Browser's or Policy Manager's Management menu, select Users.
The Manage Users window appears:
2. Click New, or select an existing user and click Edit.
3. Type or verify the User Information, including:
The number of Connect Retries before a user submitting invalid
authentication information is locked out.
The user Role - Administrator or Normal (see above).
4. For a Normal user account, configure the User Permissions. Hover over the rows
to see their descriptions below.
5. Click OK.
The user account is configured.
The user can now change his password, as explained in the following section.
Changing the Password
After a user account is created, the user can change his password as follows:
1. From the Tools menu, select Change Password.
2. Type the current password, and type and confirm a new password.
3. Click OK.
Unlocking a User Account
If a user submits invalid authentication information more than the number of
Connect Retries defined for his user account, he will be locked out. The account
can be unlocked in one of two ways:
An Administrator can unlock the locked user's account, as follows:
1. From the Alert Browsers or Policy Managers Management menu, select
Users.
The Manage Users window appears.
2. Select the locked out user account, and Click Unlock Account.
If a sole Administrator's account is locked out, the account must be unlocked
directly from the IPS-1 Management Server's command line, as follows:
1. Run:
cd /opt/CPips1-R65/ips1server/bin
set_ips1_passwd.sh <username>
where <username> is the user name of the account to be unlocked.
2. Type and confirm a new password.
Licensing
Overview
The IPS-1 system requires three types of licenses, all of which can be obtained
from Check Point's User Center:
An IPS-1 Management Server license to manage a specified maximum number
of IPS-1 Sensors. This license automatically licenses an Alerts Concentrator in
a Combined installation. Separate Alerts Concentrators are not included.
An Alerts Concentrator license for Alerts Concentrators not combined with the
IPS-1 Management Server.
IPS-1 Sensor licenses for each IPS-1 Sensor of a specified Sensor type.
Sensor types are defined for licensing purposes according to hardware model
numbers of Check Point preinstalled appliances. Note that adding Sensors to a
system, besides requiring additional Sensor licenses, may affect the required
type of IPS-1 Management Server license.
All three kinds of licenses are stored on the IPS-1 Management Server and must be
generated specifically for the IPS-1 Management Server's IP address.
The IPS-1 Management Dashboard does not require a license. However, without a
licensed IPS-1 Management Server, the IPS-1 Management Dashboard will function
only in Demo mode.
Viewing License Summary
To view a summary of existing and missing licenses in an IPS-1 system:
1. From Policy Manager's Policy Manager menu, select Licenses.
2. In the left-hand license list, select Licenses.
Adding a License
To access the License Manager, from Policy Manager's Policy Manager menu, select
Licenses.
The License Manager appears:
Maintaining Database Size
The IPS-1 Management Server and Alerts Concentrators store and accumulate large
quantities of alert data in MySQL databases. To maintain performance, the
database must be efficiently configured and maintained.
Space Management Overview
The IPS-1 Management Server and Alerts Concentrator databases hold event and
alert data generated by IPS-1. As with any system, the amount of space available
for data storage is limited. The Space Management tool enables maintaining as
much useful information as possible without exceeding disk storage limits.
For a rough estimate of appropriate database size, multiply the volume of
monitored traffic (in Gbps) by the number of months of alerts you plan to maintain.
The database size (in GB) should approach half of that product.
For example, if the Sensors that send alerts to a particular Alerts Concentrator
collectively monitor 5Gbps, and you want to maintain six months of back alerts, the
database should be 12-15 GB. However, appropriate database size is also
dependent on other factors, such as fine-tuning protections for your system to
minimize false positives.
The Space Management tool periodically checks the used space in the database.
When the used space exceeds a configurable Action Limit, Space Management
begins deleting the oldest packet capture data and alert records. Space
Management then continues deleting until the used space drops below a
configurable Clearance Limit.
Note - As Space Management deletes data, it will attempt to retain all packet capture data.
Thus, it will delete packet capture data in proportion to the number of alert records in the
database.
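The sizing rule of thumb and the Action Limit / Clearance Limit deletion cycle described above, as an added Python model (example code, not part of the IPS-1 guide or product). All record sizes, limits and timestamps are constructed sample values; nothing here touches a real MySQL database.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def recommended_db_size_gb(monitored_gbps: float, months_retained: float) -> float:
    """Sizing rule of thumb from the section above: the database (in GB) should
    approach half of (monitored traffic in Gbps x months of alerts retained)."""
    if monitored_gbps < 0 or months_retained < 0:
        raise ValueError("traffic and retention must be non-negative")
    return monitored_gbps * months_retained / 2.0


@dataclass(order=True)
class AlertRecord:
    """One stored alert plus its packet capture; sizes are constructed, in bytes."""
    timestamp: int      # smaller = older; Space Management deletes oldest first
    alert_bytes: int
    pcap_bytes: int


@dataclass
class SpaceManager:
    """Models the periodic Space Management check: once used space exceeds the
    Action Limit, the oldest records are deleted until used space drops below
    the Clearance Limit. The gap between the two limits is a hysteresis band,
    so a single check reclaims a batch instead of trimming on every check."""
    action_limit_gb: float
    clearance_limit_gb: float
    records: List[AlertRecord] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 < self.clearance_limit_gb < self.action_limit_gb:
            raise ValueError("Clearance Limit must be positive and below the Action Limit")

    def used_gb(self) -> float:
        return sum(r.alert_bytes + r.pcap_bytes for r in self.records) / 1e9

    def check(self) -> Tuple[int, float]:
        """One periodic check. Returns (records deleted, used GB afterwards)."""
        deleted = 0
        if self.used_gb() > self.action_limit_gb:
            self.records.sort()                     # oldest first
            while self.records and self.used_gb() >= self.clearance_limit_gb:
                self.records.pop(0)
                deleted += 1
        return deleted, self.used_gb()


def simulate(manager: SpaceManager, arrivals: List[AlertRecord], check_every: int) -> List[int]:
    """Feed constructed records in arrival order and run a check after every
    `check_every` arrivals; returns the number of records deleted at each check."""
    deletions = []
    for i, rec in enumerate(arrivals, start=1):
        manager.records.append(rec)
        if i % check_every == 0:
            deletions.append(manager.check()[0])
    return deletions


def constructed_records(count: int, alert_bytes: int, pcap_bytes: int) -> List[AlertRecord]:
    """Constructed sample data: `count` records, one per 'hour', oldest first."""
    return [AlertRecord(3600 * i, alert_bytes, pcap_bytes) for i in range(count)]
```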
Configuring Space Management
To configure Space Management:
1. From any IPS-1 Management Dashboard window's Management menu, select
Space Management.
2. The Space Management window appears with a tab for the IPS-1 Management
Server and for each Alerts Concentrator:
Reclaiming Database Space
You can use the space recovery script to recover available database space for an
IPS-1 Alerts Concentrator and return it to the operating system for other uses.
Optionally, this script can also perform extensive checks and fixes and optimize
indexes.
To enable periodic execution during specified windows, you can execute the script
as a cron job.
To run the Space Recovery script:
1. Log in to the Alerts Concentrator host as the ips1 user (run: su - ips1).
2. From $IPS1DIR/alcr, run the following:
sdb-optimize.sh [-h] [-e]
The options are:
Table 2-1
-h    Provides detailed help text.
-e    Performs a check for database errors and attempts to recover the data.
Note - The -e option lengthens the time the script takes to run.
Warning - Run this script only if there is a large amount of free space that must be
recovered. When this script is run on an IPS-1 Alerts Concentrator, it may take several hours
to complete. The script shuts down the IPS-1 Alerts Concentrator (and, in a Combined
installation, the IPS-1 Management Server) while it runs, which means that the IPS-1
system will be inoperative during this period (except in a non-Combined installation with
Alerts Concentrator High Availability). IPS-1 Sensors will continue to function and to buffer
alerts until the server is back online, but alerts will not be visible on the IPS-1 Management
Dashboard until the Alerts Concentrator is back online.
Note - There must be enough free space for the script to make a copy of the largest
database table - it skips any tables that are too big to copy.
Note - Alerts and events will not be written to the database while these scripts are executing.
Except with Alerts Concentrator High Availability, alerts will be queued on the Sensors until
the Alerts Concentrator is back online.
Alerts Concentrator High Availability
To ensure continuity of information flow from IPS-1 Sensors to the IPS-1
Management Server in the event of an IPS-1 Alerts Concentrator failure, you can
configure an IPS-1 Sensor to report to a backup IPS-1 Alerts Concentrator. This
automatically redirects alerts and packet capture data to the backup Alerts
Concentrator if the primary Alerts Concentrator or the Sensor's connection with it
fails. You can deploy the backup Alerts Concentrator in the same network as the
primary Alerts Concentrator.
If the primary Alerts Concentrator fails, the backup Alerts Concentrator becomes
active. Once a Sensor fails over to a backup Alerts Concentrator, it continues
communicating with that Alerts Concentrator until: 1) the backup Alerts
Concentrator fails; 2) the Sensor receives a quick restart command (includes
receiving a policy push); 3) the Sensor is rebooted. The Sensor then attempts to
communicate with the primary Alerts Concentrator.
The failover process is independent for each Sensor; in certain situations (such as
a network interruption) some Sensors from Group A in the illustration could be
communicating with Alerts Concentrator A and others with Alerts Concentrator B.
As shown in the following diagram, you can designate some IPS-1 Sensors' active
Alerts Concentrator as the backup Alerts Concentrator for other Sensors.
Figure 2-1 Alerts Concentrator High Availability
The Sensors in group A send alert data to Alerts Concentrator A, and only in case
of Alerts Concentrator A's failure, to Alerts Concentrator B. The Sensors in group B
send alert data to Alerts Concentrator B, and only in case of Alerts Concentrator B's
failure, to Alerts Concentrator A.
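The per-Sensor failover rules above (fail over on loss of the active Alerts Concentrator, stay on the backup until the backup fails, a quick restart or policy push, or a reboot) and the mutual-backup layout of Figure 2-1, as an added Python model. This is example code, not part of the IPS-1 guide or product; concentrator names, sensor names and the rule that a Sensor with nothing reachable reconnects to whichever concentrator returns first (preferring its primary) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Concentrator:
    """An Alerts Concentrator as seen from a Sensor. `up` stands for both the
    concentrator being alive and the Sensor's connection to it working."""
    name: str
    up: bool = True


@dataclass
class Sensor:
    """Applies the per-Sensor failover rules from the section above."""
    name: str
    primary: Concentrator
    backup: Concentrator
    active: Optional[Concentrator] = None
    queued: List[str] = field(default_factory=list)               # buffered while nothing reachable
    delivered: List[Tuple[str, str]] = field(default_factory=list)  # (alert, concentrator)

    def __post_init__(self) -> None:
        self._try_primary_first()

    def _try_primary_first(self) -> None:
        """Used at start-up, after a quick restart (a policy push includes one) and after a reboot."""
        self.active = next((c for c in (self.primary, self.backup) if c.up), None)
        self._flush()

    def _flush(self) -> None:
        # Alerts buffered on the Sensor are sent once a concentrator is reachable again.
        if self.active is not None:
            self.delivered.extend((a, self.active.name) for a in self.queued)
            self.queued.clear()

    def on_link_change(self, conc: Concentrator) -> None:
        if self.active is conc and not conc.up:
            # Active path failed: fail over to the other concentrator if it is up.
            other = self.backup if conc is self.primary else self.primary
            self.active = other if other.up else None
            self._flush()
        elif self.active is None and conc.up:
            # Modelling assumption (not stated in the guide): a Sensor with nothing
            # reachable reconnects as soon as any concentrator returns, preferring its primary.
            self._try_primary_first()
        # A recovered primary does not pull a failed-over Sensor back by itself.

    def quick_restart(self) -> None:
        self._try_primary_first()

    reboot = quick_restart  # same effect on concentrator selection

    def send_alert(self, alert: str) -> Optional[str]:
        """Returns the receiving concentrator's name, or None if the alert was buffered."""
        if self.active is None:
            self.queued.append(alert)
            return None
        self.delivered.append((alert, self.active.name))
        return self.active.name


class Site:
    """Two Sensor groups that back each other up, as in Figure 2-1 (constructed names)."""
    def __init__(self) -> None:
        self.conc = {"A": Concentrator("A"), "B": Concentrator("B")}
        self.sensors = [Sensor("a1", self.conc["A"], self.conc["B"]),
                        Sensor("a2", self.conc["A"], self.conc["B"]),
                        Sensor("b1", self.conc["B"], self.conc["A"])]

    def set_link(self, name: str, up: bool) -> None:
        """Concentrator (or link) failure/recovery; every Sensor decides independently."""
        conc = self.conc[name]
        conc.up = up
        for s in self.sensors:
            s.on_link_change(conc)

    def sensor(self, name: str) -> Sensor:
        return next(s for s in self.sensors if s.name == name)

    def active_map(self) -> Dict[str, Optional[str]]:
        return {s.name: (s.active.name if s.active else None) for s in self.sensors}
```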
Managing the IPS-1 Sensor
Connecting to the IPS-1 Sensor
You can run commands on the IPS-1 Sensor in one of three ways, depending on
hardware configuration:
A connected keyboard and monitor.
A serial console (DTE to DTE), using terminal emulation software such as
HyperTerminal (from Windows) or Minicom (from Unix/Linux systems).
Connection parameters for Check Point appliances are:
For a regular (non-Power) IPS-1 Sensor appliance: 9600bps, no parity, 1
stop bit (8N1).
For an IPS-1 Power Sensor: 115200bps, 8 bit, no parity, 1 stop bit, no
hardware or software (xon/xoff) flow control.
For third-party hardware connection parameters, see the third-party
documentation.
An SSH connection to the Sensor's management interface (if sshd is
configured).
IPS-1 Sensor Modes
Sensor Modes Overview
In most cases, IPS-1 Sensors should be placed inline, so that all of the traffic to
be monitored flows through the IPS-1 Sensor. This enables intrusion prevention. In
this configuration, Sensors can drop traffic detected as an attack, according to
defined and configurable confidence indexing.
In some cases, such as in a complex switching environment in a network core,
Sensors may need to be placed in passive mode, in which case they perform
intrusion detection only.
Inline Sensors' behavior upon failure can be configured to either open, passing
through all traffic; or closed, severing the traffic path.
Inline Sensors can be set to Monitor-Only (bridge) mode, to avoid the possibility of
blocking valid traffic. In bridge mode, you can track what the Sensor would have
done in prevention mode. You can fine-tune your prevention settings in bridge
mode, and later change to prevention mode.
The IPS-1 Sensor is configured for one of four different modes:
IDS (passive): intrusion detection (IDS) with no prevention. In this mode, every
interface other than the management interface can be used for monitoring.
IPS Monitor-Only (inline, fail-open): inline mode without actual prevention.
Packets are returned to the network before processing for attack detection. In
fault conditions, all packets continue to be passed through.
You can use this mode to see which traffic would have been dropped in the
other IPS modes, making Monitor-Only mode useful during a system-tuning
period before switching to actual intrusion prevention. See Avoiding False
Positives on page 73 for details.
Monitor-Only mode is also useful for checking whether an IPS-mode Sensor is
responsible for unexplained traffic dropping.
IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all
packets are temporarily dropped.
IPS (inline, fail-open): inline intrusion prevention. In fault conditions, interfaces
revert to bypass mode.
Fault conditions are:
The Sensor has not completed booting and initializing
The Sensor loses power, or other hardware failure (dependent on hardware
bypass NIC)
When the Sensor has crashed (dependent on hardware bypass NIC)
When an interface pair is in bypass mode, as a result of a failure, the bypass
interfaces in most Sensor models will act as a crossover connection between the
two systems on either side of the Sensor. The four front-left copper interfaces on
the new 200C/F and new 500C/F will act as a straight-through connection when in
bypass mode. All other hardware bypass pairs act as crossover connections when
they are in bypass mode.
Changing the Sensor Mode (Software)
The IPS-1 Sensor mode is set during Sensor installation. To change the mode:
1. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click
Edit.
2. Select the desired mode, and click OK.
The IPS-1 Sensor is restarted in the new mode.
Changing the Sensor Mode (Hardware)
The IPS-1 Sensor 50 and Sensor 20 models are ordered and delivered as SKU "P",
for "IPS Monitor-Only" and "IPS (inline fail-open)" modes, or SKU "D", for "IPS
(inline, fail-closed)" and "IDS (passive)" modes. Switching between the two
configurations requires two steps in addition to changing the sensor's operating
mode in software: an internal hardware setting change and a BIOS change.
1. Change the position of the red hardware jumper switch on the system's
motherboard near the Ethernet ports on the front of the chassis.
For passthrough modes (monitor-only and fail-open), the switch must be
positioned to the rear of the unit, near pins 6 & 7.
For non-passthrough modes (fail-closed and passive), the switch must be
positioned to the front of the unit, near pins 1 and 12.
2. Boot the Sensor.
Warning - When changing a Sensor from an IPS (inline) mode to IDS (passive) mode or from
IDS (passive) mode to an IPS (inline) mode, you MUST also reconfigure the cabling to
change its position within the network. Failure to do so may stop the flow of network traffic
or allow traffic to pass between the networks attached to the Sensor.
3. Wait for the following message during the POST:
TO ENTER SETUP BEFORE BOOT
PRESS OR KEY
Press the key or press the , , and keys to enter the
system's BIOS Setup.
4. On the 'Integrated Peripherals' screen, "Onboard By-PASS Active" should be set
to "[Enabled]" for passthrough modes, and "[Disabled]" for non-passthrough
modes.
5. Exit the BIOS Setup and continue with the boot process.
Warranty note: Check Point will not void the warranty of units that have been
opened for this purpose. A Check Point SE is not required to make the change, but
Professional Services can be arranged if the customer elects not to make the
changes themselves.
Configuring Other Sensor Definitions
Regular (non-Power) IPS-1 Sensor Configuration
For regular (non-Power) IPS-1 Sensors, you can use the Check Point Configuration
Tool to configure the following values on the IPS-1 Sensor:
Inline interface pairs (ignored for Passive mode)
IP address of Alerts Concentrator(s)
Activation Key, with which the Alerts Concentrator is authenticated to the
Sensor.
Note - Interfaces associated with hardware bypass NICs cannot be changed. The
information is displayed read-only.
To change any of these values:
1. On the IPS-1 Sensor, run:
cpconfig
2. Select Network Settings.
3. Select the relevant options.
4. When you are finished setting the options on the Sensor, return to the IPS-1
Management Dashboard. In Policy Managers Sensors and Concentrators tab,
select the Sensor and click Edit.
5. Make the change and click OK.
6. Install Policy.
The change is now defined both on the Sensor and in the IPS-1 Management
Server and Alerts Concentrator(s).
Other values, such as networking information, date and time, and host name, are
configured with SecurePlatform's System Configuration Tool, as follows:
1. On the Sensor, run:
sysconfig
2. Select the relevant options.
3. When you are finished setting the options on the Sensor, if the changed value
is the Sensor's hostname or IP address, return to the IPS-1 Management
Dashboard. In Policy Managers Sensors and Concentrators tab, select the Sensor
and click Edit.
4. Make the change and click OK.
5. Install Policy.
The change is now defined both on the Sensor and in the IPS-1 Management
Server and Alerts Concentrator(s).
IPS-1 Power Sensor Configuration
IPS-1 Power Sensor configuration is performed through its Management Menu, as
follows:
1. To access the Management Menu, log in to the Power Sensor as nfr. The
Management Menu will appear.
2. Select the relevant options.
3. When you are finished setting the options on the Sensor, you may be prompted
to restart the Sensor for the changes to take effect.
4. If the changed value is the Sensor's hostname or IP address, return to the
IPS-1 Management Dashboard. In Policy Managers Sensors and Concentrators
tab, select the Sensor and click Edit.
5. Make the change and click OK.
6. Install Policy.
Shutting Down or Restarting the IPS-1 Sensor
Direct CLI shutdown or reboot
On a regular (non-Power) IPS-1 Sensor, use SecurePlatform's shutdown or reboot
command.
On an IPS-1 Power Sensor, log in as nfr and select Halt or Restart.
In both cases, the operating system (not just Sensor processes) is completely shut down.
Remote Restart or Reboot
You can remotely restart the Sensor IPS-1 software or completely reboot the Sensor
machine, from the IPS-1 Management Dashboard. You can restart or reboot an
individual Sensor, or simultaneously all Sensors of a selected Alerts Concentrator.
To remotely restart or reboot one IPS-1 Sensor or all IPS-1 Sensors:
1. In Policy Manager's Sensors and Concentrators tab, select and right-click an
individual Sensor, or an Alerts Concentrator.
2. Select one of the following:
Restart Sensors (all the Sensors of the selected Alerts Concentrator)
Reboot Sensors (all the Sensors of the selected Alerts Concentrator)
Restart (the selected individual Sensor)
Reboot (the selected individual Sensor)
Note - Rebooting generates a progress window. Restarting produces no visible result.
Resolving IPS-1 Sensor Communications Issues
The following table shows the link status of two systems (such as the Sensor and
the switch) connected using various duplex settings and a Gigabit network
interface.
Table 2-2
System A       System B       Link Status
Auto           Auto           full-duplex
Auto           full-duplex    System A will fall back to half-duplex since System B is not doing
                              auto-negotiation, and the systems will fail to communicate properly
Auto           half-duplex    System A will fall back to half-duplex since System B is not doing
                              auto-negotiation, and the systems will fail to communicate properly
full-duplex    full-duplex    full-duplex
half-duplex    half-duplex    half-duplex
Table 2-3
System A       System B       Results
Auto           Auto           up
disabled       disabled       up
Auto           disabled       down
Overriding Auto-Negotiation Settings for Power Sensors
To override auto-negotiation settings:
1. Type cpconfig and press Enter. The Management Menu will appear.
2. Select Network.
3. Select Set interface media and duplex.
4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the
desired interface, and press Enter to display all settings for the interface.
5. Select a setting, and select Save.
Restoring Auto-Negotiation Settings
You can revert to auto-negotiation settings from the IPS-1 Sensor Management
Menu.
To revert to auto-negotiation settings from the IPS-1 Sensor:
1. Type cpconfig and press Enter. The Management Menu will appear.
2. Select Network.
3. Select Set interface media and duplex.
4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the
desired interface, and press Enter to display all settings for the interface.
5. Select Auto, and select Save.
Uninstalling the IPS-1 Servers
To uninstall the IPS-1 Management Server and/or Alerts Concentrator:
1. Stop the IPS-1 processes, as follows:
a. On SecurePlatform, enter expert mode by typing expert and pressing Enter.
On other operating systems, log in as root.
b. Change to the ips1 user, by running:
su - ips1
c. Run:
ips1 -n stop
2. From outside the IPS-1 directories (/opt/CPips1-R65 and /var/opt/CPips1-R65),
perform one of the following:
On SecurePlatform, run the following:
expert
rpm -e CPips1-R65
On Linux, run the following:
rpm -e CPips1-R65
On Solaris, run the following:
pkgrm CPips1-R65
All IPS-1 files and data are removed.
Viewing System Status Information
System Status in the IPS-1 Management Dashboard
Viewing System Status in the IPS-1 Management Dashboard
To view in a single window the activity and communication status of the Alerts
Concentrators and Sensors:
From the Alert Browser's Tools menu, select System Status; or, click the System
Status icon:
Select All or select an item in the list on the left to view its status.
For explanations of the status fields, see the following sections.
You can copy information from Status windows to the clipboard, by using context
(right-click) menu commands.
Alerts Concentrator Status Fields
For an Alerts Concentrator, the following information is displayed:
Alerts Concentrator: Provides name of the server.
Connection Status: Provides status of the server's connection. Green means
the connection is active. Red means the connection is inactive.
Sensor Name: Provides the name of the IPS-1 Sensor.
Status (of IPS-1 Sensor): Provides status of the IPS-1 Sensor.
Last Status Time: Provides the timestamp of the last message received from
the server.
Sensor Status Fields
For a Sensor, the following information is displayed:
Viewing Sensor History
To view the history of an IPS-1 Sensor from a specified time frame:
1. Open the Sensor's Status window, as explained in the previous section, System
Status in the IPS-1 Management Dashboard on page 58.
2. Click View History.
3. Select the desired Start and End Time, and click OK.
The Sensor's history appears.
Viewing the IPS-1 Status Monitor
To view IPS-1 Sensor status information, run the following command on the Sensor:
ipsstats
The following information is displayed:
System start time: Date and time IPS-1 Sensor was last restarted
CPU: Average percentage of Sensor CPU capacity used in the last hour
Real Memory: Total installed and memory available
Virtual Memory: Total RAM + Virtual (Swap)
Disk Space: Total installed and disk space available
Packet Reception
Total: Number of packets since system start time
Current: Number of packets per second during the past two-second time
interval
Average: Average number of packets seen per second in the last hour
Peak: Highest number of packets seen per second in the last hour
Protocols
Installed: Number of installed protocols
Loaded: Number of successfully loaded protocols
Failed: Number of protocols that failed to load
Protection Groups
Installed: Number of installed protection groups
Loaded: Number of successfully loaded protection groups
Failed: Number of protection groups that failed to load
Current time (located in the lower right-hand corner of the screen)
From the Status Monitor, press any key to display the Management Menu, or press
ctrl-c to return to the command line.
Note - The IPS-1 Sensor generates an alert if part of a protection package fails to
load. This usually means that the package has a syntax error or a required variable is
undefined.
Chapter 3 Managing Attack Detection and Prevention
In This Chapter
Overview page 66
Updating Attack Signatures page 67
Avoiding False Positives page 73
Managing Protections page 74
System-Wide Attack Correlation page 89
Overview
In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect
different exploits. This is accomplished by the administrator enabling certain
protections and disabling others. Enabled protections on IPS-1 Sensors in active,
inline (non-passive, non-bridge) mode will block traffic identified as an attack, or
some protections can be set to Monitor-Only, to generate alerts without blocking
traffic. You can configure other aspects of the protections as well.
Configuration settings for IPS-1 Sensors (including system settings) are stored on
the IPS-1 Alerts Concentrators to which they report. Changes are made through the
Management Dashboard on the IPS-1 Management Server, from there sent to the
Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.
Updating Attack Signatures
Check Point is continuously updating attack detection code to combat evolving
threats. To keep your network security up-to-date, it is important to frequently
update attack signatures from Check Point's online update server.
You can configure the system to automatically retrieve updates, and you can also
manually initiate an update from Check Point's online update server or from locally
saved files, obtainable from Check Point's User Center.
Configuring Automatic Attack Signature Updates
To set automatic periodical attack signature updates from Check Point's package
server:
1. From Policy Manager's Policy Manager menu, select Auto-Update Settings. Or, in
Policy Manager's Protection tab, in the left-hand navigation tree, select
Download Updates, and click Auto-Update Settings.
Note - A firewall situated between the IPS-1 Management Server and the Internet must be
configured to permit outbound TCP connections from the IPS-1 Management Server to
ips-packages.checkpoint.com on port 2013.
The following window appears:
2. Verify the Package Server and connection information, which should be:
Server Address: ips-packages.checkpoint.com
Server Port: 2013
3. If the IPS-1 Management Server is behind a proxy server, select Use Proxy and
type your proxy server connection and authentication information. Click Next.
The following window appears:
4. Select a frequency for automatic updates. Selecting an option other than
Disabled causes time and date fields (for the first update) to appear, as follows:
5. Schedule the first update as needed. To choose a date from a calendar, click
. For the first update to occur immediately, click Now.
6. Click Finish and close the Policy Manager. The first update will automatically
occur when specified, and will continue from then according to the specified
frequency. After each automatic update, the IPS-1 Management Server will
transmit the attack signatures to Alerts Concentrators and IPS-1 Sensors that
were selected when the last manual Install Policy was performed.
Manually Updating Attack Signatures
To manually update attack signatures from Check Point's package server or from
locally saved files, obtainable from Check Point's User Center:
From Policy Manager's Policy Manager menu, select Online Update. Or, in Policy
Manager's Protection tab, in the left-hand navigation tree, select Download Updates,
and click Online Update.
A two-page wizard will start, beginning with the Download Package page:
Configure the package update as follows:
1. Select an attack signature package source. In most cases, this should be Check
Point's Package Server. Other options are:
Local File - files that have been downloaded from Check Point's User Center to a local
drive on the Management Dashboard user's computer or network. This is useful if the
IPS-1 Management Server cannot access the internet, or for users who have edited the
files' N-Code. If you select to update from a file, browse to the file, click Next, and
proceed to step 4.
Management Server/Alerts Concentrator - uploads an Alerts Concentrator's current attack
signatures to the IPS-1 Management Server. This is useful when one Alerts
Concentrator is more up-to-date than another, or on first setup of a newly installed
IPS-1 Management Server, as a temporary measure (a newly installed Alerts
Concentrator comes with a default set of attack signatures). If you select to upload
from an Alerts Concentrator, select the desired Alerts Concentrator, click Next, and
proceed to step 4. Remember to update the attack signatures as soon as possible
afterwards.
Skip Download - This option is not available if no attack signature package yet exists on
the IPS-1 Management Server.
2. Verify the Package Server information, which should be:
Server Address: ips-packages.checkpoint.com
Server Port: 2013
3. If the IPS-1 Management Server is behind a proxy server, you may need to
select Use Proxy and type your proxy server connection and authentication
information. Click Next.
Once the packages are available, the Install Packages page appears:
4. Select protocols and protection groups for which to update attack signatures.
Information and file contents for selected protocols and protection groups is
displayed on the right.
When in doubt, it is better to install and then disable a package in Policy Manager, than to
not install it. Some protocols and protection groups depend on others being present to be
able to work.
When you complete this wizard, attack signatures will be updated only on the IPS-1 Management
Server. You will still need to install policy on the Alerts Concentrator(s) and IPS-1 Sensors.
Click Finish to initiate the update.
Avoiding False Positives
As with any IPS system, before your protection settings are fully adapted to your
network, the risk of false positives may be greater than otherwise. For this reason,
it is recommended to start out with attack detection only, and then gradually
increase the level of prevention.
The modes and settings below allow you to reduce prevention, thus minimizing the
risk of false positives. Of course, any reduction in prevention may increase the risk
of a successful attack.
Individual protection pages in Policy Manager's Protection tab (the lowest-level
items in the Protection Settings navigation tree) contain protection description text,
including per-protection assessments of the risk of a false positive.
Sensor Monitor-Only mode: In this mode, an inline IPS-1 Sensor generates
alerts without actually preventing traffic. For more details, see IPS-1 Sensor
Modes on page 47.
As preparation for changing the IPS-1 Sensor to a prevention mode, you can
enable special alerts to notify you when traffic would have been prevented with
the IPS-1 Sensor in a prevention mode, as follows:
1. In Policy Manager's Policy Manager menu, enable Show Advanced Settings.
2. In the System Settings tab, in the left-hand navigation tree, under Attack,
select Intrusion Prevention.
3. In the right-hand settings page, select Intrusion Prevention Notifications.
When you do change the IPS-1 Sensor to a prevention mode, remember to clear
Intrusion Prevention Notifications.
Whitelisting: Important hosts can be added to the Servers Whitelist or to the
Client Whitelist. Traffic from these hosts will be inspected for attacks but will
not be blocked if attacks are detected. For details, see Exempting Hosts from
Inspection or Prevention on page 87.
Monitor-Only protection setting: All or some protections can be set to Monitor
Only. For details, see Protection-Level Settings on page 82 and One-Click
Configuration of All Protocols and Protections on page 83.
Confidence Indexing: By default, active protections that are not in Monitor-Only
mode drop traffic when the confidence of it being an attack is at least 50%. You can,
in individual protection pages, select Active upon Confidence (not available for
protection groups or protocols) and raise the Confidence value, so that only
high-confidence attack traffic is dropped. See Protection Modes on
page 81 for details.
Managing Protections
In This Section
Overview page 74
Managing Protection Profiles page 75
Configuring Protections page 77
Viewing and Copying Comprehensive Protection Settings page 85
Exempting Hosts from Inspection or Prevention page 87
Overview
In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect
different exploits. This is accomplished by enabling certain protections and
disabling others. Enabled protections on IPS-1 Sensors in inline active
(non-passive, non-bridge) mode will block traffic identified as an attack.
Alternatively, the protection can be set to Monitor-Only so that it generates alerts
without blocking traffic.
Some protections define an attack according to specific thresholds with default
values. You can fine-tune these protections according to your needs by changing
these values.
To easily configure protections for multiple IPS-1 Sensors, protection settings are
configured for a protection Profile, which is then installed on IPS-1 Sensors
associated with that profile. IPS-1 Sensors that should have similar protection
configurations should be associated with the same Profile. Similar Profiles can be
easily managed by cloning or copying settings.
Detection and prevention are also affected by system settings that apply to
protections in general, for each IPS-1 Sensor, or protection Profile. Most of these
have reasonable default values and are visible only when Advanced Settings are
enabled (from Policy Manager's Policy Manager menu).
The Protection Overview feature enables viewing system-wide protection settings
and is a valuable tool for implementing protection throughout a complex
deployment. For details, see Viewing and Copying Comprehensive Protection
Settings on page 85.
Managing Protection Profiles
Configuration settings for IPS-1 Sensors (including system settings) are stored on
the IPS-1 Alerts Concentrators to which they report. Changes are made through the
Management Dashboard on the IPS-1 Management Server, from there sent to the
Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.
To easily configure protections for multiple IPS-1 Sensors, protection settings are
configured for a protection profile, which is then installed on IPS-1 Sensors
associated with that profile.
IPS-1 Sensors that should have similar protection configurations should be
associated with the same profile. Similar Profiles can be easily managed by cloning
or copying settings.
In This Section
Creating a New Profile page 75
Managing Similar Profiles page 75
Associating an IPS-1 Sensor with a Profile page 76
Creating a New Profile
To create a new profile:
1. From Policy Manager's Protection tab, select Profile Management.
2. Click New and select Create New Profile.
3. Type a name for the profile and click OK.
Managing Similar Profiles
You can create a profile with protection settings similar to an existing profile by
copying the settings of the existing profile and then modifying them. You can
either clone the original profile to create a new, identical profile, or copy its
settings onto an existing profile, overwriting that profile's original settings.
Cloning a Profile
To create a new profile with settings identical to those of an existing profile, clone
the existing profile, as follows:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select a profile to be cloned.
3. Click New and select Clone Selected Profile.
4. Type a name for the new profile and click OK.
Copying a Profile's Settings onto an Existing Profile
To copy a profile's settings onto another profile, overwriting its original settings:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select a profile to be copied and then right-click it.
Select Copy... Settings.
3. Select the target profile and then right-click it. Select Paste Settings from... .
Associating an IPS-1 Sensor with a Profile
To associate an IPS-1 Sensor with a particular protection profile:
1. From Policy Manager's Protection tab, select Profile Assignment.
2. Select the IPS-1 Sensor and then right-click it. Select Edit Assigned Profile for....
3. Select the desired profile and click OK.
Configuring Protections
In This Section
Overview page 77
Viewing Protection Information page 78
Protection Settings page 79
Overview
Protections are organized into a three-tier hierarchy:
Protocol: In most cases, a Protocol includes all the protections that are based
on analysis of traffic of a particular protocol. A few Protocols, such as
Authentication and Badfiles, perform specific types of analysis over most traffic
protocols.
Protection Group: A sub-group of a Protocol, including a number of related
protections. Some settings, such as numerical thresholds, are defined at the
protection group level for all the protections in the group.
Protection: Detects, prevents, and alerts for a specific attack.
To view a categorized protection list, expand the Application Intelligence, Network
Security, or Web Intelligence heading in the navigation pane of Policy Manager's
Protection tab:
In the above figure, AOL Instant Messenger and Authentication are protocols;
Authentication BE is a protection group; and alphanumpasswd_alert and
alphapasswd_alert are protections.
If an item you expect to see is missing, either it may not be installed or it may only
be visible in advanced mode. To install it, update the attack signature package. See
Updating Attack Signatures on page 67 for details.
Selecting any list item displays its settings page in the right-hand pane, with
description text below. For example:
To easily configure protections for multiple IPS-1 Sensors, protection settings are
configured for a protection profile, which is then installed on IPS-1 Sensors
associated with that profile. For information on managing profiles, see Managing
Protection Profiles on page 75.
Viewing Protection Information
Each protocol, protection group and protection comes with informative description
text.
To view description text:
In Policy Manager's Protection tab, under Protection Settings, select a protocol,
protection group, or protection. Description text appears in the lower-right pane:
Description text includes some or all of the following headings:
Overview
Corroboration and Leads
Why this is Important
Technical Information (including explanations for unique settings)
False Positives
References
You can also view file contents for protocols and for protection groups. In the
protocol or protection groups page, click Show Files.
Protection Settings
In This Section
Protection Settings Overview page 79
Protection Modes page 81
Protection-Level Settings page 82
One-Click Configuration of All Protocols and Protections page 83
Protection Settings Overview
Each protocol, protection group, or protection has various settings associated with
it. These settings are located on the protocol, protection group, or protection page.
Some settings are the same throughout different protocols and protections. These
are described in the following sections.
Other settings are unique to the specific protocol, protection group, or protection
and appear only on its page. For information on these settings, see the description
text in the lower-right pane of the Policy Manager window.
Note that some protections' behavior is affected by general settings. These
include local network addresses, defined in IPS-1 Sensor properties (in Policy
Manager's Sensors and Concentrators tab), and various per-Profile settings found in
Policy Manager's System Settings tab.
Protocol settings affect all protection groups and protections under it. Protection
group settings affect all protections under it.
Settings are per protection profile. You can configure settings differently for
different profiles.
Settings do not take effect until you Install Policy on the IPS-1 Sensors.
To display settings for a specific protocol, protection group, or protection, for a
specific protection profile:
1. In Policy Manager's Protection tab, under Application Intelligence, Network
Security, or Web Intelligence, select a protocol, protection group, or protection.
The selected item's settings page appears in the upper-right pane:
2. In the Profile list, select a Profile.
The settings for the selected Profile are now displayed.
Protection Modes
Protection Modes determine whether protections will be applied to the traffic which
is seen by the IPS-1 Sensors. Protection Modes can be set for protocol, protection
group, and protection for each protection profile. Protection Modes are most
commonly changed on the protections.
Protection Modes include:
Active the protection will be applied to traffic seen by the IPS-1 Sensor
Active upon Confidence the protection will be applied to traffic seen by the
IPS-1 Sensor only if the traffic meets the Confidence Level set for the protection.
This setting is not available on protocols or protection groups.
Inactive the protection will not be applied to traffic seen by the IPS-1 Sensor
Changing the Protection Mode of a protocol, protection group, or protection may
force the Protection Mode of its associated parent or children to change in order to
avoid conflicting settings. For example, setting a protection to Active or Active upon
Confidence automatically forces its parent protocol and protection group to Active as
well. Similarly, setting a protocol or protection group to Inactive automatically
forces its children to Inactive as well.
When activating a protocol or protection group, the Protection Mode of each child
protection reverts to the setting it was given last. Therefore, after activating a
protocol or protection group, verify the Protection Mode of the child protections
individually to ensure that each protection has the desired Protection Mode.
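The propagation rules described above, modelled in code as an added example for this page (it is not Check Point's implementation). The Node class, its last_given attribute, the helper functions and the small Authentication / Authentication BE tree are assumptions made for the illustration; only the three rules (a child activation forces its parents Active, a parent deactivation forces its children Inactive, a parent activation restores each child to the mode it was last given) come from the guide.

```python
"""Model of the IPS-1 Protection Mode propagation rules (added illustration, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ACTIVE = "Active"
ACTIVE_UPON_CONFIDENCE = "Active upon Confidence"
INACTIVE = "Inactive"


@dataclass(eq=False)
class Node:
    """One item of the protocol > protection group > protection hierarchy (assumed structure)."""
    name: str
    level: str                      # "protocol", "protection group" or "protection"
    mode: str = ACTIVE
    last_given: str = ACTIVE        # assumption: the mode an operator last chose for this item
    parent: Optional[Node] = None
    children: list = field(default_factory=list)

    def add(self, child: Node) -> Node:
        child.parent = self
        self.children.append(child)
        return child

    def set_mode(self, mode: str) -> None:
        """Operator sets this item's mode; apply the forced changes the guide describes."""
        if mode == ACTIVE_UPON_CONFIDENCE and self.level != "protection":
            raise ValueError("Active upon Confidence is not available on protocols or protection groups")
        self.last_given = mode
        self.mode = mode
        if mode == INACTIVE:
            for child in self.children:          # deactivating a parent forces its children Inactive
                child._force_inactive()
        else:
            ancestor = self.parent               # activating a child forces its group and protocol Active
            while ancestor is not None:
                ancestor.mode = ACTIVE
                ancestor = ancestor.parent
            for child in self.children:          # activating a parent restores each child's last given mode
                child._restore()

    def _force_inactive(self) -> None:
        self.mode = INACTIVE                     # last_given is kept so a later activation can restore it
        for child in self.children:
            child._force_inactive()

    def _restore(self) -> None:
        self.mode = self.last_given
        if self.mode == INACTIVE:
            for child in self.children:
                child._force_inactive()
        else:
            for child in self.children:
                child._restore()


def build_sample_tree() -> Node:
    """Protocol > protection group > protections, using the names from the figure above."""
    proto = Node("Authentication", "protocol")
    group = proto.add(Node("Authentication BE", "protection group"))
    group.add(Node("alphanumpasswd_alert", "protection"))
    group.add(Node("alphapasswd_alert", "protection"))
    return proto


def find(root: Node, name: str) -> Node:
    if root.name == name:
        return root
    for child in root.children:
        try:
            return find(child, name)
        except KeyError:
            pass
    raise KeyError(name)


def modes(root: Node) -> dict:
    """Flat name -> mode snapshot: the list to verify after activating a parent item."""
    out = {root.name: root.mode}
    for child in root.children:
        out.update(modes(child))
    return out


if __name__ == "__main__":
    root = build_sample_tree()
    find(root, "alphapasswd_alert").set_mode(INACTIVE)
    find(root, "Authentication BE").set_mode(INACTIVE)
    print("group deactivated:", modes(root))
    find(root, "Authentication BE").set_mode(ACTIVE)
    print("group reactivated:", modes(root))   # alphapasswd_alert stays Inactive: check it by hand
```

The last print is the case the guide warns about: re-activating Authentication BE brings back alphanumpasswd_alert but leaves alphapasswd_alert Inactive, because that is the mode it was last given.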
In any protection page:
To activate a protection for the selected protection profile, select Active or
right-click on the Protection Mode cell and select Activate.
To configure Confidence Indexing for a protection, select Active upon
Confidence, or right-click on the Protection Mode cell and select Activate upon
Confidence, and drag the slider to the desired confidence index. For details
regarding Confidence Indexing, see Avoiding False Positives on page 73.
To disable a protection for the selected protection profile, select Inactive or
right-click on the Protection Mode cell and select Deactivate.
After configuring settings, make sure to Install Policy.
Protection-Level Settings
The following settings appear on all protections (not protection group or protocol)
pages:
Monitor only - no protection: When selected, the protection generates alerts but
does not prevent traffic.
Add attackers to blacklist: This setting is visible only when Show Advanced
Settings is enabled in the Policy Manager menu. When enabled, source IP
addresses of attacks are blacklisted, causing subsequent traffic from those
addresses to be blocked.
The blacklisting lasts for the duration defined in Blacklist TCP (also
Advanced-Settings only), found in the System Settings tab under Attack >
Intrusion Prevention. The default duration is 0, and as long as the duration has
not been configured to a non-zero value, the option here is disabled. You can
click the link here to go directly to the Blacklist TCP setting.
Send TCP resets to attacker and victim (50%): This setting is visible only when
Show Advanced Settings is enabled in the Policy Manager menu. When selected,
upon attacks, IPS-1 sends protocol-appropriate reset signals to the attack
source and destination IP addresses. For TCP, this is a TCP RST. For other IP
protocols, this is an ICMP Administratively Prohibited message.
50% means the reset signal is sent only for attacks for which the confidence
index is at least 50%.
Note - Blacklisting only takes effect for attacks over TCP (in other protocols, the attack
could be spoofed), and only if the host is not explicitly Whitelisted (in Advanced Settings
mode, in the Attack protocol).
Enable packet capture: When selected, attack packets are captured for viewing
from the Alert Details. For details, see Packet Capture and Viewing on
page 129.
There may be additional settings, unique to the specific protection. For information
on these settings, see the description text in the lower-right pane of the Policy
Manager window.
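How the settings from Avoiding False Positives, Protection Modes and Protection-Level Settings combine for a single detected attack, as an added worked example for this page (not Check Point code). It encodes the rules stated in those sections: Sensor Monitor-Only mode with its Intrusion Prevention Notifications, the 50% default confidence for dropping, Active upon Confidence, Monitor only, whitelisting, blacklisting (TCP only, non-zero Blacklist TCP duration, not whitelisted) and the 50% reset signals. The Protection, SystemSettings, Event and Decision records, their field names and the sample events are assumptions made here; where the guide is silent (whether resets and blacklisting apply while the Sensor is in Monitor-Only mode or when a protection does not actually prevent), the choice is marked as an assumption in a comment.

```python
"""Enforcement decision for one IPS-1 alert (added illustration, not vendor code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ACTIVE = "Active"
ACTIVE_UPON_CONFIDENCE = "Active upon Confidence"
INACTIVE = "Inactive"
DEFAULT_DROP_CONFIDENCE = 50   # Active protections drop at a confidence of at least 50%
RESET_CONFIDENCE = 50          # "Send TCP resets to attacker and victim (50%)"


@dataclass
class Protection:
    """Per-protection settings from the protection page (field names assumed)."""
    mode: str = ACTIVE
    confidence: int = DEFAULT_DROP_CONFIDENCE   # slider value used by Active upon Confidence
    monitor_only: bool = False                  # "Monitor only - no protection"
    add_attackers_to_blacklist: bool = False
    send_resets: bool = False
    packet_capture: bool = False


@dataclass
class SystemSettings:
    """Sensor- and profile-wide settings that also shape the decision (field names assumed)."""
    sensor_prevention: bool = True        # False models Sensor Monitor-Only mode
    ips_notifications: bool = False       # "Intrusion Prevention Notifications"
    blacklist_tcp_seconds: int = 0        # "Blacklist TCP" duration; the default 0 disables blacklisting
    whitelist: FrozenSet[str] = frozenset()   # Servers Whitelist and Client Whitelist, merged here


@dataclass
class Event:
    """One alert as the Sensor would raise it (constructed sample input)."""
    src: str
    dst: str
    ip_proto: str     # "tcp", "udp", "icmp", ...
    confidence: int   # 0-100


@dataclass
class Decision:
    alert: bool = False
    drop: bool = False
    would_have_dropped: bool = False    # the special notification in Sensor Monitor-Only mode
    reset: Optional[str] = None         # "TCP RST" or "ICMP Administratively Prohibited"
    blacklist_seconds: int = 0
    capture: bool = False


def decide(ev: Event, prot: Protection, sysconf: SystemSettings) -> Decision:
    d = Decision()
    if prot.mode == INACTIVE:
        return d                                   # the protection is not applied at all
    if prot.mode == ACTIVE_UPON_CONFIDENCE and ev.confidence < prot.confidence:
        return d                                   # below the slider: not treated as an attack
    d.alert = True
    d.capture = prot.packet_capture

    whitelisted = ev.src in sysconf.whitelist      # inspected, but never blocked
    threshold = prot.confidence if prot.mode == ACTIVE_UPON_CONFIDENCE else DEFAULT_DROP_CONFIDENCE
    wants_drop = ev.confidence >= threshold and not prot.monitor_only and not whitelisted

    if not sysconf.sensor_prevention:
        # Sensor Monitor-Only mode: alert only; optionally flag what a prevention mode would have blocked.
        d.would_have_dropped = wants_drop and sysconf.ips_notifications
        return d                                   # assumption: no resets or blacklisting either
    d.drop = wants_drop
    if not d.drop:
        return d                                   # assumption: resets and blacklisting only when preventing

    if prot.send_resets and ev.confidence >= RESET_CONFIDENCE:
        d.reset = "TCP RST" if ev.ip_proto == "tcp" else "ICMP Administratively Prohibited"
    if (prot.add_attackers_to_blacklist and sysconf.blacklist_tcp_seconds > 0
            and ev.ip_proto == "tcp" and not whitelisted):
        d.blacklist_seconds = sysconf.blacklist_tcp_seconds   # non-TCP sources could be spoofed
    return d


if __name__ == "__main__":
    # Constructed sample: the same attack under three different configurations.
    attack = Event(src="192.0.2.10", dst="198.51.100.5", ip_proto="tcp", confidence=70)
    print("default Active, inline:", decide(attack, Protection(), SystemSettings()))
    print("Sensor Monitor-Only + notifications:",
          decide(attack, Protection(), SystemSettings(sensor_prevention=False, ips_notifications=True)))
    print("Active upon Confidence 80%:",
          decide(attack, Protection(mode=ACTIVE_UPON_CONFIDENCE, confidence=80), SystemSettings()))
```

The three printed decisions are the rollout path the guide recommends: the same 70% confidence alert is only reported in Sensor Monitor-Only mode (with the would-have-dropped notification), is dropped once the Sensor is inline with the default 50% threshold, and is ignored again if the protection is raised to Active upon Confidence at 80%.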
After configurin