topic Re: Protocol violation sig_id in General Topics

Protocol violation sig_id

Paul_Warnagiris — Tue, 29 Oct 2019 11:52:49 GMT

Good Morning,

I'm seeing some random protocol violation messages in one of my customer's logs and I'm trying to figure out what is going on. This particular message is Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500). Is there a place to see what violation sig_id:12 or matched protocol sig_id:9 is referring to?

This is not in relation to something not working correctly, just a review of log ALERTS and I want to be able to explain it or eliminate it.

Thanks,
Paul

Re: Protocol violation sig_id

G_W_Albrecht — Tue, 29 Oct 2019 12:07:26 GMT

The error message Firewall - Protocol violation detected with protocol:(NTP-UDP) points to an access rule with that predefined service used.

sig_id seems not to be specific for the service, see sk162012 After upgrading Security Gateway from R77.30 to R80.20, ftp-traffic from some Linux-FTP-clients is blocked:

After upgrading Security Gateway from R77.30 to R80.20, ftp-traffic from some Linux-FTP-clients is blocked.
Log entry may show - "Protocol violation detected with protocol:(FTP), matched protocol sig_id:(9), violation sig_id:(20)"

Re: Protocol violation sig_id

HeikoAnkenbrand — Tue, 29 Oct 2019 12:27:29 GMT

Re: Protocol violation sig_id

Paul_Warnagiris — Tue, 29 Oct 2019 14:36:17 GMT

I saw this SK you mention when I was searching. There is not really anything that is breaking per se. Its just making a mess of the logs because there are a bunch of "alerts." In fact they are not even drops. We just have a routine that reports on all of the "alerts" and then I have to sift through these protocol violations. Do you know how to fix it? Is it something I have to do in the rulebase? OR is there a way to stop alerting on it since they are allows? I just don't want to stop alerting on something that is worthwhile in order to cut down on noise. I could easily just not log everything and that would get rid of the noise 🙄 For the most part its UDP4500 and 500 as well as 443/128/25, etc, but then if I eliminate them from the log view there are a bunch of random HO ports with "protocol unknown" in the protocol field.

Re: Protocol violation sig_id

genisis__ — Thu, 05 Nov 2020 11:47:36 GMT

I see something similiar:

Firewall - Protocol violation detected with protocol:(DNS-UDP), matched protocol sig_id:(1), violation sig_id:(12). (500)

The traffic is allowed but is alerting. If this is not cause for concern how can we stop this from happening?

I could not find anything on Support site for this.

Re: Protocol violation sig_id

Jan_Kleinhans — Tue, 02 Feb 2021 07:39:46 GMT

Hello,

did you found a workaround for this messages? We have the same problem with UDP 500. Voice Over WIFI seems to use this port.

Best regards,

Jan

Re: Protocol violation sig_id

Paul_Warnagiris — Tue, 02 Feb 2021 22:06:12 GMT

I have not found a way to easily eliminate the noise unless you filter out through a repot in SmartEvent. Or filter out in the logs view, but as I stated you may then filter out pertinent information that you want to see. As for logs themselves though its very annoying and the premium that it costs with exponential amount of logs in R80 makes it a challenge. If anyone comes up with a work around please add to the thread.

Re: Protocol violation sig_id

genisis__ — Wed, 03 Feb 2021 09:01:50 GMT

Not found a way either, it would be useful if Checkpoint can offer a solution for this.

Re: Protocol violation sig_id

_Val_ — Wed, 03 Feb 2021 09:34:37 GMT

I can see that sk81320 related change helps resolving this issue. If you are unsure what to do, please open a case with TAC

Re: Protocol violation sig_id

Jurgen — Tue, 20 Apr 2021 08:52:32 GMT

Hi Checkpoint advised me to use sk114917 ....worked for me

Firewall - Protocol violation detected with protocol (SMTP) .....etc..etc....ect.....