topic Re: Searching for IPS protections via ssh in Firewall and Security Management

Searching for IPS protections via ssh

the_rock — Mon, 17 Feb 2025 20:32:45 GMT

Hey guys,

Figured would share this in case anyone encounters the same problem. So had issue with customer where certain parts of sites on Azure were not coming up when testing from on prem and we ran debug and discovered it was related to IPS, but had hard time finding out the protection in question. So I saw there is a command you can run via expert mode if you have xeha-decimal value for protection (which we did from the drops) and once we got the protection name, was easy to fix the problem.

[Expert@quantum-firewall:0]# ips

Usage:
ips stat # Display IPS status
ips on|off # Enable\Disable IPS
ips bypass stat # Display Bypass Under Load status
ips bypass on|off # Enable\Disable bypass mode
ips bypass set cpu|mem low|high <th> # Set bypass thresholds
ips debug [-e filter] -o <outfile> # Get IPS debugs
ips refreshcap # Refresh the sample capture repository
ips stats [<ip_address> -m] [-g <seconds>] [<ip_address> <seconds>] [-h]
# Print IPS performance and PM statistics
ips protection <protection_id (hex)> # Display protection name

Note: IPS CLI configuration is temporary - it will be overridden by the next
policy installation or boot
[Expert@quantum-firewall:0]# ips protection 0x82e5656a
Web Servers Malicious URL Directory Traversal
[Expert@quantum-firewall:0]#

I would say since we saw lots of errors first packet isnt SYN and customer proved this worked fine when NOT traversing the CP cluster, I would say, if you ever see that message, always check threat prevention blades, specially IPS, apart from obvious "culprits"...routing, NAT, sxl : - )

Cheers,

Andy

Re: Searching for IPS protections via ssh

the_rock — Mon, 13 Feb 2023 17:11:01 GMT

Btw, these are drops from zdebug.

To add this as a side note, no matter what words we used to search for IPS protection in smart console, absolutely nothing worked and we were unable to find the actual protection.

@;436822375;[vs_0];[tid_1];[fw4_1];ips_cmi_handler_match_cb_ex: Packet dir 0, 19 2.168.37.190:63474 -> 10.30.11.17:80 IPP 6 dropped by IPS [reject] , protection_ id=0x82e5656a, protection_name=<GW CLI: ips protection 0x82e5656a>;
@;436822377;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.37.190 :63474 -> 10.30.11.17:80 dropped by fwmultik_process_f2p_cookie_inner Reason: PS L Drop: WS
@;436822379;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.37.190 :63474 -> 10.30.11.17:80 dropped by fwmultik_process_f2p_cookie_inner Reason: PS L Drop: WS
@;436822442;[vs_0];[tid_1];[fw4_1];ips_cmi_handler_match_cb_ex: Packet dir 0, 19 2.168.37.190:63424 -> 10.30.11.17:80 IPP 6 dropped by IPS [reject] , protection_ id=0x82e5656a, protection_name=<GW CLI: ips protection 0x82e5656a>;

Re: Searching for IPS protections via ssh

G_W_Albrecht — Mon, 13 Feb 2023 17:23:00 GMT

I can find it:

Has even been updated recently...

Re: Searching for IPS protections via ssh

the_rock — Mon, 13 Feb 2023 17:24:27 GMT

Well, you can find it when I gave full name lol. If you search by the actual words from the debug I attached, you will NOT find it : - )

Andy

Re: Searching for IPS protections via ssh

G_W_Albrecht — Mon, 13 Feb 2023 18:09:03 GMT

Yes, therefore i use the most important part only...

Re: Searching for IPS protections via ssh

PhoneBoy — Mon, 13 Feb 2023 18:12:46 GMT

Great tip!

Re: Searching for IPS protections via ssh

the_rock — Mon, 13 Feb 2023 18:15:45 GMT

Right and to GET to most important part you need the command : - )

Re: Searching for IPS protections via ssh

the_rock — Mon, 13 Feb 2023 18:18:34 GMT

Figured would share since I learned this myself today as well : - )

Re: Searching for IPS protections via ssh

Timothy_Hall — Mon, 13 Feb 2023 19:36:47 GMT

Very nice, thanks for sharing.

Re: Searching for IPS protections via ssh

the_rock — Mon, 13 Feb 2023 19:38:54 GMT

No worries, any time. I asked my colleague to share this link with TAC engineer, hopefully it saves them some time if they ever encounter this with another customer.

Cheers.

Re: Searching for IPS protections via ssh

Timothy_Hall — Mon, 13 Feb 2023 19:49:36 GMT

Forgot to mention that it is possible to make the offending IPS signature name show up directly in the fw ctl zdebug drop output by changing variable enable_inspect_debug_compilation from false to true in GUIdbedit, although doing so will substantially increase the size of the compiled policy sent to the gateway: sk60395: How to debug IPS during issues with DCE-RPC traffic.

I haven't done this in quite some time and it may no longer be supported.

Re: Searching for IPS protections via ssh

the_rock — Mon, 13 Feb 2023 19:49:23 GMT

Ah, good to know.

Re: Searching for IPS protections via ssh

G_W_Albrecht — Tue, 14 Feb 2023 07:47:07 GMT

But the command will not be helpfull if you cannot find the protection 8)

Re: Searching for IPS protections via ssh

the_rock — Tue, 14 Feb 2023 11:28:15 GMT

So answer this then...based on debug I posted, and ONLY debug, how would you ever figure out what is the IPS protection if you dont run command I gave? 🙂

Re: Searching for IPS protections via ssh

madu1 — Wed, 26 Jun 2024 17:17:41 GMT

Thanks for the info @the_rock . I had exactly the same issue today; zdebug gave a hex code which doesn't show up when you search in the protections in SmartConsole. The CLI command told me the protection name, then I found it in SmartConsole using the name.

Interestingly also, these drops did not appear in the logs in SmartConsole, so at first I didn't even think I had an IPS issue until I'd done the zdebug. Not the first time the logs alone don't tell the full story. Or any of the story!

Re: Searching for IPS protections via ssh

the_rock — Wed, 26 Jun 2024 17:20:01 GMT

Glad it helped you.

Andy

Re: Searching for IPS protections via ssh

PhoneBoy — Fri, 28 Jun 2024 15:47:10 GMT

The issue about lack of logging a specific IPS protection should probably be raised with TAC: https://help.checkpoint.com