topic Re: IPS Exceptions not being applied over VPN in Spark Firewall (SMB)

IPS Exceptions not being applied over VPN

Steve_Parry — Sat, 01 Aug 2020 11:43:37 GMT

Hello, I've had a dig around and looked at a few post about this and none have resolved my issue.

We have a Locally Managed Check Point 1550 Appliance running firmware version is R80.20.05 (992001208).

Threat protection blades are enabled an up to date. When I VPN into our office and access our Twiki site from my PC over RDP we get no issues navigating around, however, if we attempt to edit any content we get an access denial, which we dont see when in the office or if I access directly from a laptop connected to the gateway over VPN .

--------------------------------

Your access is denied

Your access is

denied

Access denied due to firewall policy violation

Your issue ID for support is: 5f254cd8-2-823b977f-c0000002

--------------------------

I have added an exception (see attached file) which has the source as our /24 subnet and have tried with destination being the single IP, the Subnet the twiki is on (Twiki is on EC2 in AWS) and to Any.

I have even tried disabling the IPS and overridding the Command Injection IPS to be Detect vs Prevent. Nothing changes.

Hopefully the Guru's here can help.

Regard

Steve

Re: IPS Exceptions not being applied over VPN

PhoneBoy — Sat, 01 Aug 2020 18:08:31 GMT

When you say “our /24 subnet” what precisely does that refer to?
Can you also post the precise log card shown for the drop (redacting sensitive data)?

Re: IPS Exceptions not being applied over VPN

Steve_Parry — Sun, 02 Aug 2020 09:04:26 GMT

Thanks for the prompt reply.

By “our /24 subnet” I meant the source in the rule is a Network Object that is our office subnet xxx.xxx.21.0/255.255.255.0.

I had thought I had attached the error. But I have now see attached file p3.png.

Re: IPS Exceptions not being applied over VPN

Tom_Hinoue — Sun, 02 Aug 2020 12:43:16 GMT

I think there is an known issue that IPS exception rules doesn't work properly for specific pre-installed IPS protections (Command Injection/Max Ping Size etc.) until R80.20.05.
(For downloaded IPS signatures, exceptions rules should work)

Can you see if the issue resolves with the latest GA firmware R80.20.10 Build 992001433? I believe the issue is fixed here.

Re: IPS Exceptions not being applied over VPN

Steve_Parry — Mon, 03 Aug 2020 10:19:37 GMT

Thanks Tom, may be a silly question but where do I find that version? When I check for updates on the appliance it says I am up to date. If I click the update manually button, I am directed to a page where I can download R75 and R77 versions but no R80 ones.

Steve

Re: IPS Exceptions not being applied over VPN

Tom_Hinoue — Mon, 03 Aug 2020 13:30:57 GMT

Hi Steve,

You can find the firmware download link from below.

R80.20.10 for Small and Medium Business Appliances
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk167012

The reason why the firmware is not downloadable from the appliance WEB UI, is because the firmware is not yet available in the upgrade servers.
Usually new firmware is gradually deployed to the upgrade servers, after the version is widely adopted.
So for now, you will have to manually upgrade it with the image file available in the SK.

Hope it helps.

Re: IPS Exceptions not being applied over VPN

Steve_Parry — Mon, 03 Aug 2020 14:20:01 GMT

Thanks Tom, that makes sense. I've downloaded that and will arrange an out of hours upgrade.

Thanks for all your help.

Steve

Re: IPS Exceptions not being applied over VPN

Steve_Parry — Sat, 22 Aug 2020 10:52:36 GMT

Apologies for the delay, but I've not been able to get into the office until today to apply the firmware updated ( now at R80.20.10 (992001433)

Obviously I have missed something in the Exception setup. From the Treat Prevention section I have added exceptions for our two subnets 192.168.21.0/24 and 192.168.25.0/24 (192.168.25.0 is our VPN/Branch subnet and 192.168.21.0/24 is the office subnet) however when I attempt to edit our Twiki page, either while on the VPN from my laptop or from an RDP session I get the error and can see the action is prevented in the log (Screenshot 2020-08-20 at 07.31.20).

Any help on this would be much appreciated.

Tried to send this earlier but it didnt save.

Steve

Re: IPS Exceptions not being applied over VPN

pedro_filipe — Fri, 15 Dec 2023 10:30:12 GMT

Hey,

Did you find a way to bypass this problem? I have the same problem in a much recent version R81.10.05

Regards

Re: IPS Exceptions not being applied over VPN

G_W_Albrecht — Fri, 15 Dec 2023 12:23:57 GMT

That was posted more than 3 years ago...

Re: IPS Exceptions not being applied over VPN

luk89as — Fri, 15 Dec 2023 14:14:21 GMT

I will surprise you but I also have problems with CP1550 and Microsoft RDP.

I have people in my office who work remotely on a local Windows Server.

The client computers and the server are on the same subnet 192.168.1.0/24

When establishing an RDP connection it takes significantly longer than usual.

Once logged in, the session is very slow. It looks as if the server is loaded at 100%. but this is not the case. Programs do not start or start after a few minutes. Check Point CPU load at about 35-50% (ripples) RAM about 1.3 to 1.5GB (ripples).

Only disabling IPS, AV, SPAM module set helps. Looks like a problem with the IPS.

The problem occurs inside the local network + remotely via VPN.

Sof version: R81.10.08 (996001608)

The problem has been occurring for several days. Previously, everything was working. Adding servers ora computers to exceptions doesn't do anything as if it doesn't apply them.

I'm wondering whether to restore factory settings and configure everything from the beginning.

Re: IPS Exceptions not being applied over VPN

pedro_filipe — Fri, 15 Dec 2023 14:42:19 GMT

HeyG_W_Albrecht,

I know this post have more than 3 years, but funny enough it seems that the problem is still present in recent versions.
Trying to understand what can i do to bypass this problem.

Regards,

Re: IPS Exceptions not being applied over VPN

pedro_filipe — Fri, 15 Dec 2023 15:55:19 GMT

Hey Lu89as,

Just found out this is a limitation on Locally managed SMB and the VPN traffic is treated as Internal traffic... SK177063
If you want o create an exception you should create one Global exception, for example in my case:

Source: Any

Destination: Site IP

Protection: Command Injection

Service: ANY

Action: Inactive

Hope this helps...
Regards,

Re: IPS Exceptions not being applied over VPN

Gaurav_Pandya — Thu, 16 Jan 2025 12:01:51 GMT

Hi Mates,

We are facing same issue with R81.10.10. Configured global exception but no luck.

Any solution?

Re: IPS Exceptions not being applied over VPN

Timothy_Hall — Thu, 16 Jan 2025 13:41:23 GMT

On regular (non SMB/Spark) gateways, the protection Command Injection is a Core Protection. To create an exception for these you don't create it on the Threat Prevention exceptions screen (those are only for IPS ThreatCloud Proections and the other 5 TP blades), you need to go to the Command Injection protection itself (or any other Core Protection) and add the exception there. Core Protections have their own separate profile and exception mechanism, but this may be different on SMB/Spark embedded Gaia appliances.

Re: IPS Exceptions not being applied over VPN

Gaurav_Pandya — Thu, 16 Jan 2025 13:56:11 GMT

Thanks Tim for the response.

There is no option to create exception in protection.

Re: IPS Exceptions not being applied over VPN

Gaurav_Pandya — Tue, 28 Jan 2025 07:56:50 GMT

Hi All,

You need to put specific protection in global exception rule to make it work. I was testing with "Any" protection in exception rule.

Issue is resolved after applying specific protection (Command Injection in my case) in exception rule