https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236438#M63609 <P>It's possible the UUID actually corresponds to an object with the same ID.<BR />You can check that with mgmt_cli -r true show host uid xxxx<BR />Unfortunately, I don't believe this is something you can change...confirm with TAC.</P> <P>Also, this statement seems contradictory:&nbsp;<SPAN>When scanning with Zmap, IPS detects Port Scan (Host Port Scan or Sweep Scan depending on scan settings) and does not catch Zmap.<BR />Can you elaborate, perhaps with a more precise example?</SPAN></P> Thu, 19 Dec 2024 21:09:43 GMT PhoneBoy 2024-12-19T21:09:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/235991#M63608 <P>Hello, everyone.</P><P>A client has asked with a problem:<BR />When receiving a Zmap scan email notification, the email displays uuid instead of source ip. In SmartConsole logs, the ip address is displayed correctly. For other alerts, full information including ip is also displayed. The mail notification is configured via internal_sendmail.<BR />I would like to clarify why this is happening and is it possible to change this?</P><P>I am also unable to reproduce this problem in the test lab. When scanning with Zmap, IPS detects Port Scan (Host Port Scan or Sweep Scan depending on scan settings) and does not catch Zmap. What could this be related to?</P> Tue, 17 Dec 2024 11:52:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/235991#M63608 gilyazovamir 2024-12-17T11:52:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236438#M63609 <P>It's possible the UUID actually corresponds to an object with the same ID.<BR />You can check that with mgmt_cli -r true show host uid xxxx<BR />Unfortunately, I don't believe this is something you can change...confirm with TAC.</P> <P>Also, this statement seems contradictory:&nbsp;<SPAN>When scanning with Zmap, IPS detects Port Scan (Host Port Scan or Sweep Scan depending on scan settings) and does not catch Zmap.<BR />Can you elaborate, perhaps with a more precise example?</SPAN></P> Thu, 19 Dec 2024 21:09:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236438#M63609 PhoneBoy 2024-12-19T21:09:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236769#M63610 <P>Thank you for your reply,</P><P>Yes, there is indeed such an object. So that's why the uid comes in the alert?</P><P>Regarding the reproduction of the zmap problem. On test lab I'm scanning internal and external gateway networks from linux server with zmap. In IPS logs, Port Scan is detected but CPAI-2016-0215 (ZMap Security Scanner) is not detected. I want to understand what is needed for the gateway to detect this attack as a Zmap attack and not just a Port Scan.</P> Tue, 24 Dec 2024 06:32:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236769#M63610 gilyazovamir 2024-12-24T06:32:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236822#M63611 <P>That would be the logical explanation for this behavior, yes.</P> <P>As for the question on detecting as Zmap, we don't release details on how our IPS signatures work.<BR />Having said that, if you don't think it's being detected properly, that will need to be addressed through TAC.</P> Tue, 24 Dec 2024 21:53:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236822#M63611 PhoneBoy 2024-12-24T21:53:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236838#M63612 <P>So the only solution is to delete the object? Or is there some other option?</P> Wed, 25 Dec 2024 06:31:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236838#M63612 gilyazovamir 2024-12-25T06:31:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236902#M63613 <P>As I said initially, you should check with TAC.<BR />It's not behavior I've seen before and it might actually be a bug.<BR />I suspect deleting the object will resolve the issue in the meantime.</P> Thu, 26 Dec 2024 17:37:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/uuid-instead-of-ip-in-the-mail-alert/m-p/236902#M63613 PhoneBoy 2024-12-26T17:37:49Z