topic Re: Inspection Settings Behavior in Firewall and Security Management

Inspection Settings Behavior

Matlu — Wed, 19 Nov 2025 21:13:46 GMT

Hello Team.

Is traffic blocked by the “Inspection Settings” feature in Check Point ‘mandatorily’ labeled as “Inspection Settings” within a LOG?

I'm providing relevant information from the log to explain my question.

Id: 0a7b5e81-5105-ba02-691d-e64d5dd70000
Marker: @A@@B@1763566642@C@1516930
Domain: CMA_MIR
Time: 2025-11-19T15:46:21Z
Interface Direction: inbound
Interface Name: bond2.794
Id Generated By Indexer: false
First: true
Sequencenum: 249
Policy Rule UID: 837284bb-df97-41cd-a8e6-8a8d314623e2
Sub Policy Name: PQ_MIRNET Network
Sub Policy Uid: c4bdc336-5d7e-43e4-8bb3-9a07cfb6f724
Service ID: sip
Source: 10.11.51.14
Source Port: 31857
Destination: 147.219.18.19
Destination Port: 5060
IP Protocol: 17
Request: 180
Source IP-phone: 983667441
Destination Phone Number:51995109913
VoIP Call ID: 1f63acc7-d1b3-4b91-a7a6-23f8b0579819
VoIP Log Type: Security
Content Type: VoIP Session
Inspection Item: Number of retransmissions exceeded the maximum allowed
Inspection Information: Message exceeded the retransmissions limit
Severity: Medium
Performance Impact: Very Low
Inspection Category: protection
Inspection Profile: Default Inspection
Action: Drop
Type: Log
Policy Name: PQ_MIR
Db Tag: {D25FE155-9792-614A-A674-0FDAD2EE6F55}
Policy Date: 2025-11-10T18:48:03Z
Service: UDP/5060
Product Family: Access
Logid: 65536
Access Rule Name: VPN_AWS
Access Rule Number: 90
Interface: bond2.794
Description: sip Traffic Dropped from 10.11.51.14 to 147.219.18.19
Blade: IPS, Firewall

So, my question arises when reviewing the LOG, as I was sure that within the log there should be a section called “INSPECTION SETTINGS DETAILS” so that I could “understand” that this traffic block is due to this Check Point feature. but in my case, there is nothing in the log that indicates this section, and the most relevant thing I see is what is highlighted in bold above.

Does the INSPECTION SETTINGS functionality focus on all protocols or just some?

I have searched the IPS Protections for any signature related to this block, but nothing appears. The only thing I found is a “signature” in the INSPECTION SETTINGS section, but since nothing appears in the LOG that mentions “INSPECTION SETTINGS” I have not given it any importance, but apparently I should 😑

Thank you for your comments.

Re: Inspection Settings Behavior

Lesley — Wed, 19 Nov 2025 21:58:56 GMT

This is the trigger for me: Inspection Profile: Default Inspection

This tells me to check the inspection settings. The default inspection is the name how it is default. You can customize this name to make it more noticeable for you.

When you configure a Security Gateway, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

Re: Inspection Settings Behavior

Matlu — Wed, 19 Nov 2025 22:30:50 GMT

Is “Inspection Settings” related to IPS?
Because in the LOG, as you will notice, it details that this traffic MATCHES the Firewall and IPS blades, but it is easy to get “confused” at this point, since no known “signature” appears here to indicate that the blocking problem is due to an IPS engine signature.
Is my question clear?

Re: Inspection Settings Behavior

the_rock — Thu, 20 Nov 2025 01:23:28 GMT

Hey bro,

Its not related to IPS. Inspection settings are more related to protocol compliance and deep packet inspection, while IPS is more related to blocking malicious threaths and exploits.

Re: Inspection Settings Behavior

Gennady — Thu, 20 Nov 2025 06:44:55 GMT

Good day!

The inspection settings can be found in the following way:

Click on the Manage tab in SmartConsole.
Click on Blades tab from there
Then click on General -> Inspection Settings.
Then you can use Search to find an inspection "Maximum Allowed Retransmissions"
Select "SIP Maximum Allowed Retransmissions"
Edit the Inspection
Click on Advanced
Set a desired number of retransmissions

You can also make the inspection Inactive in "General Properties" instead tuning the value in "Advanced"

As an option you can also add an Exception these types of Inspections if you go to "Exceptions" at step 4 instead of going to "Search".

Please, find the screenshot below:

Re: Inspection Settings Behavior

emmap — Thu, 20 Nov 2025 08:25:54 GMT

Inspection Settings are enforced by the IPS blade part of the software, even though it's not configured in there (anymore...) and you don't need IPS enabled or licensed to enforce them.

Re: Inspection Settings Behavior

Matlu — Thu, 20 Nov 2025 21:51:28 GMT

Hello,
So, if I don't have IPS enabled and the INSPECTION SETTINGS function blocks traffic, can it still be “marked” in the LOG as if it were the IPS BLADE that is blocking the traffic?
Based on your comment, I understand that this functionality is closely linked to the IPS blade, correct?
Cheers 🙂

Re: Inspection Settings Behavior

the_rock — Thu, 20 Nov 2025 22:13:25 GMT

Just put the exception then from the log, bro. There is usually an option there.

Re: Inspection Settings Behavior

emmap — Fri, 21 Nov 2025 02:24:14 GMT

Yes it will still say IPS on the log card.

Re: Inspection Settings Behavior

the_rock — Fri, 21 Nov 2025 02:37:23 GMT

I suppose that would make sense Emma, since IPS is blade and inspection settings are slightly unrelated.