topic Re: Endpoint Connect drops due to Malware in Endpoint

Endpoint Connect drops due to Malware

Martijn — Wed, 23 Jan 2019 11:37:52 GMT

Hi All,

One of our customer is reporting problems with Endpoint Connect. Sometimes users cannot connect to the gateway and sometimes the connection is lost.

This is very random because some users can stay connected for more than 5 hours while other users cannot connect at all.

We ran a 'fw ctl zdebug' and noticed the connection is drop due to Malware. See below, where x.x.x.x is the client and y.y.y.y is the gateway.

fw ctl zdebug + drop | grep x.x.x.x
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51120 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51122 -> y.y.y.y.:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51124 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;

We have a case with Check Point and they would like to run a kernel debug. Problem with this is, it causes outage on the network (heavy load on the firewall) and we do not know when the probem occurs.

Has anyone seen this before?

Customer is at VSX R80.10 Take 169.

Regards,

Martijn.

Re: Endpoint Connect drops due to Malware

PhoneBoy — Sat, 26 Jan 2019 04:36:33 GMT

Ultimately a debug would be required to see why it is dropping in more detail.

Did you, by chance, try configuring (temporarily maybe) an exception in the relevant Threat Prevention policy?

Re: Endpoint Connect drops due to Malware

Martijn — Sun, 27 Jan 2019 11:26:51 GMT

Hi,

Yes, we created an exception in the Threat Prevention policy.

At the top of the policy we created a rule with a Threat Prevention profile without AV, AB and IPS enabled and as destination the gateway.

This did not solve the problem. In the end, we had to disable AB completely.

Maybe I can replicate the issue in my lab so we do not need to run a debug at the customer. But we have many customers with Endpoint Connect and AB enabled and we do not see any issues there. So the chances are, I cannot replicate it at all.

And that means a debug at the customer.

Regards,

Martijn

Re: Endpoint Connect drops due to Malware

Martijn — Thu, 14 Feb 2019 19:35:17 GMT

Hi,

Support gave us a R80.10 hotfix for the issue in sk123075 - Anti-Bot is dropping traffic although it is disabled.

We installed this fix today and now we wait to see if it resolves our issue.

Regards,

Martijn.

Re: Endpoint Connect drops due to Malware

Martijn — Tue, 05 Mar 2019 15:10:31 GMT

Hi,

Just an update for this issue.

We installed the hotfix, but I am sorry to say it did not solve our problem.

Sometimes VPN traffic (Endpoint Connect) is still dropped.

Customer has enabled AB again because it is more important to enable this security feature than people sometimes cannot connect or get disconnected.

Check Point support is now investigating again. Maybe the fix was not installed correctly (we did not see errors when installing the fix).

Keep you posted.

Regards,

Martijn.