topic Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER in Firewall and Security Management

INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

anstelios — Thu, 09 Jul 2020 06:59:56 GMT

zdebug drop shows errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER and https sites were not working on several environments due to IPS protection "openssl padding oracle information disclosure" that was updated on 7/8/2020.

Disabling this protection resolves the issue.

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

_Val_ — Thu, 09 Jul 2020 07:10:31 GMT

"zdebug" is a macros that only sends debug flags to fw module, if used without additional efforts, as "fw ctl zdebug drop". In R80.x fw module does not do much. You need to debug KISS and UP.

It is better to involve TAC in your case.

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Ruan_Kotze — Thu, 09 Jul 2020 07:12:23 GMT

Thanks for this - got several customers affected by this. Can confirm that disabling the protection restores internet access.

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

_Val_ — Thu, 09 Jul 2020 07:15:28 GMT

Please raise TAC case for this, thanks

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Ruan_Kotze — Thu, 09 Jul 2020 07:33:21 GMT

Hi All,

Have engaged TAC - but also received the following update from my CP SE:

The problematic updates are:
634204548 or 635204548

The impact:
- After IPS update, many drops observed (via fw ctl zdebug + drop on CLI)
dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
- The following may be seen in /var/log/messages:
kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
- High CPU utilization and traffic impact

Short term remediation:
1. Re-enable IPS on the gateway object if it was disabled as a workaround.

2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)
a. Open Gateway Object in SmartConsole
b. Go to IPS tab (blade must be enabled)
c. Under "IPS Update Policy" select "Use IPS management updates"

3. Revert to previous good IPS database update
a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
b. Under "Threat Tools" (left hand side) select "Updates"
c. Click the arrow next to "Update Now" and select "Switch to version..."
d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
e. Update will be pushed to gateways
f. Clear any scheduled updates from the "scheduled updates" option

4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.

Best practices for updates and IPS implementation:
This document (while it is specified for R80.10, it is still relevant for newer versions) contains our best practices recommendations about IPS profile implementation, and update best practices. https://sc1.checkpoint.com/documents/Best_Practices/IPS_Best_Practices/CP_R80.10_IPS_Best_Practices/html_frameset.htm

Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:
fw ctl set int tls_parser_enable 0

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

_Val_ — Thu, 09 Jul 2020 08:00:40 GMT

Hello, we are aware of the issue and are working to provide a fix for it.

Meanwhile, if you are affected, please use the following steps for short term remediation:

1. Re-enable IPS on the gateway object if it was disabled as a workaround.

2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)

a. Open Gateway Object in SmartConsole
b. Go to IPS tab (blade must be enabled)
c. Under "IPS Update Policy" select "Use IPS management updates"

3. Revert to previous good IPS database update

a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
b. Under "Threat Tools" (left hand side) select "Updates"
c. Click the arrow next to "Update Now" and select "Switch to version..."
d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
e. Update will be pushed to gateways
f. Clear any scheduled updates from the "scheduled updates" option

4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.

fw ctl set int tls_parser_enable 0

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Danny — Thu, 09 Jul 2020 08:31:59 GMT

🤐

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Rahul_Borah — Thu, 09 Jul 2020 11:17:22 GMT

I am also facing the same issue after active the OpenSSL Padding Oracle Information Disclosure (CVE-2016-210).

After disabling this protection resolves the issue.

Regards,

R.B

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

_Val_ — Thu, 09 Jul 2020 12:14:15 GMT

IPS update has been replaced. It is now safe to update.

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Vincent_Bacher — Thu, 09 Jul 2020 12:22:15 GMT

We were facing this issue at a customers installation today as well.
After opening sr we got update, that IPS versions 634204548 or 635204548 are affected. We reverted to 635204525 and the issue persisted.

As we did not want to try and error we now have disabled this protection and now the issue is gone for now.

Now we're waiting for the next update (and reply from sr owner)

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Albert_Wilkes — Thu, 09 Jul 2020 16:02:56 GMT

Just FYI

Due to the high performance impact this will affect customers with a "strict" or custom IPS profile only:

Oddly enough my colleague's lab system has this very protection as "low confidence"

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

phlrnnr — Thu, 09 Jul 2020 15:47:33 GMT

Yeah, that was a nasty one.

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Eduardo_Eiros — Thu, 09 Jul 2020 16:19:12 GMT

Hello

First question: in which package is the IPS protection CPAI-2016-0349 updated and fixed?

Second question: why is not an official advisory regarding this issue? Impact has been huge

Regards

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

StackCap43382 — Thu, 09 Jul 2020 17:48:09 GMT

Anyone having this update propagate?

I'm mashing update and still 635204548.

Re: INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

Danny — Fri, 10 Jul 2020 09:29:36 GMT

Check Point has finally released sk167939 which describes the issue and solution.
It also outlines that Check Point will improve their QA testing.