https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248150#M48485 <P>Please make sure ALL of your Check Point gateways are properly patched/upgraded to fix CVE-2024-24919, not just using the IPS signature for it:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk182336" target="_blank">https://support.checkpoint.com/results/sk/sk182336</A>&nbsp;</P> <P>In any case, an Access Policy "accept" followed by a Threat Prevention "drop" is normal since we process Access Policy rules before Threat Prevention.<BR />Which means the traffic should have been dropped by IPS.</P> <P>What evidence does the XDR provide that the relevant traffic wasn't blocked?</P> Mon, 05 May 2025 23:31:09 GMT PhoneBoy 2025-05-05T23:31:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248126#M48475 <P>R81.20</P> <P>This is concerning CVE-2024-24919.&nbsp;&nbsp;</P> <P>We applied the hotfix last year for this and all the recommended other steps.</P> <P>We use a third party XDR system, and while going through the events from today, I noticed that it says that my Check Point "did not block" traffic related to CVE-2024-24919.</P> <P>&nbsp;</P> <P>When I look at my Check Point logs in Smart Log, I can only see two entries at the same exact time:.&nbsp; One is my firewall blade telling me it let this traffic through.</P> <P>The other entry is telling me my IPS rule for CVE-2024-24919 prevented it.</P> <P>&nbsp;</P> <P>I'm guessing this traffic was blocked by my IPS, but why would this pacet not be "dropped"&nbsp; at the gateway, or is this just a GUI quirk Check Point?</P> <P>&nbsp;</P> <P>Thank you!</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 05 May 2025 18:41:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248126#M48475 Joe_Kanaszka 2025-05-05T18:41:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248134#M48481 <P>Do you see the CVE in the logs?</P> <P>Andy</P> Mon, 05 May 2025 20:07:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248134#M48481 the_rock 2025-05-05T20:07:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248150#M48485 <P>Please make sure ALL of your Check Point gateways are properly patched/upgraded to fix CVE-2024-24919, not just using the IPS signature for it:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk182336" target="_blank">https://support.checkpoint.com/results/sk/sk182336</A>&nbsp;</P> <P>In any case, an Access Policy "accept" followed by a Threat Prevention "drop" is normal since we process Access Policy rules before Threat Prevention.<BR />Which means the traffic should have been dropped by IPS.</P> <P>What evidence does the XDR provide that the relevant traffic wasn't blocked?</P> Mon, 05 May 2025 23:31:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Question-regarding-traffic-handling/m-p/248150#M48485 PhoneBoy 2025-05-05T23:31:09Z