Hi All,
One of our customers is reporting problems with Endpoint Connect. Sometimes users cannot connect to the gateway and sometimes the connection is lost.
This is very random because some users can stay connected for more than 5 hours while other users cannot connect at all.
We ran a 'fw ctl zdebug' and noticed the connection is dropped due to Malware. See below, where x.x.x.x is the client and y.y.y.y is the gateway.
fw ctl zdebug + drop | grep x.x.x.x
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51120 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51122 -> y.y.y.y.:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51124 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;
We have a case with Check Point and they would like to run a kernel debug. Problem with this is, it causes an outage on the network (heavy load on the firewall) and we do not know when the problem occurs.
Has anyone seen this before?
Customer is at VSX R80.10 Take 169.
Regards,
Martijn.
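As an added example (not from the thread or from Check Point), a small Python parser for the fw_log_drop_ex lines quoted above, run over a constructed sample: it counts drops of client-to-gateway traffic on the VPN port by drop reason and handler and lists the clients hit, so a saved zdebug capture can be summarised before deciding on a heavier kernel debug. The line layout, the y.y.y.y gateway and port 443 come from the post; the extra sample lines (z.z.z.z client, the Rulebase drop) are constructed.

```python
import re
from collections import Counter

# Field layout of the 'fw ctl zdebug + drop' lines quoted in the post; the
# addresses there are anonymised (x.x.x.x), so letters are accepted in them.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"dropped by (?P<handler>\w+) Reason: (?P<reason>[^;]+);"
)

# Constructed sample modelled on the thread: x.x.x.x / z.z.z.z are clients, y.y.y.y the
# gateway. Line 2 keeps the stray dot seen in the post; the last line is an unrelated drop.
SAMPLE_ZDEBUG = """\
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51120 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51122 -> y.y.y.y.:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 z.z.z.z:51124 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 a.a.a.a:5353 -> b.b.b.b:5353 dropped by fw_handle_first_packet Reason: Rulebase;
"""

def parse_drops(text):
    """Return one dict per matching drop line; other lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["dst"] = d["dst"].rstrip(".")  # tolerate the 'y.y.y.y.:443' typo
        d["dport"] = int(d["dport"])
        drops.append(d)
    return drops

def vpn_drop_summary(text, gateway, vpn_port=443):
    """Count client->gateway drops on the VPN port by (reason, handler) and
    return them with the sorted list of client addresses affected."""
    counts = Counter()
    clients = set()
    for d in parse_drops(text):
        if d["dst"] == gateway and d["dport"] == vpn_port:
            counts[(d["reason"], d["handler"])] += 1
            clients.add(d["src"])
    return counts, sorted(clients)

if __name__ == "__main__":
    counts, clients = vpn_drop_summary(SAMPLE_ZDEBUG, "y.y.y.y")
    for (reason, handler), n in counts.most_common():
        print(f"{n:4d}  {reason} ({handler})")
    print("clients affected:", ", ".join(clients))
```

Pipe a captured `fw ctl zdebug + drop` output into `vpn_drop_summary` with the real gateway address to see whether the drops cluster on one reason or one handler.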
Ultimately a debug would be required to see why it is dropping in more detail.
Did you, by chance, try configuring (temporarily maybe) an exception in the relevant Threat Prevention policy?
Hi,
Yes, we created an exception in the Threat Prevention policy.
At the top of the policy we created a rule with a Threat Prevention profile without AV, AB and IPS enabled and as destination the gateway.
This did not solve the problem. In the end, we had to disable AB completely.
Maybe I can replicate the issue in my lab so we do not need to run a debug at the customer. But we have many customers with Endpoint Connect and AB enabled and we do not see any issues there. So the chances are, I cannot replicate it at all.
And that means a debug at the customer.
Regards,
Martijn
Hi,
Support gave us an R80.10 hotfix for the issue in sk123075 - Anti-Bot is dropping traffic although it is disabled.
We installed this fix today and now we wait to see if it resolves our issue.
Regards,
Martijn.
Hi,
Just an update for this issue.
We installed the hotfix, but I am sorry to say it did not solve our problem.
Sometimes VPN traffic (Endpoint Connect) is still dropped.
Customer has enabled AB again because it is more important to enable this security feature than that people sometimes cannot connect or get disconnected.
Check Point support is now investigating again. Maybe the fix was not installed correctly (we did not see errors when installing the fix).
Keep you posted.
Regards,
Martijn.