This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Martijn
Advisor
‎2019-01-23 03:37 AM

Endpoint Connect drops due to Malware

Hi All,

One of our customer is reporting problems with Endpoint Connect. Sometimes users cannot connect to the gateway and  sometimes the connection is lost.

This is very random because some users can stay connected for more than 5 hours while other users cannot connect at all.

We ran a 'fw  ctl zdebug' and noticed the connection is drop due to Malware. See below, where x.x.x.x is the client and y.y.y.y is the gateway.

fw ctl zdebug + drop | grep x.x.x.x
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51120 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51122 -> y.y.y.y.:443 dropped by fw_handle_first_packet Reason: Anti Malware;
;[vs_2];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:51124 -> y.y.y.y:443 dropped by fw_handle_first_packet Reason: Anti Malware;

We have a case with Check Point and they would like to run a kernel debug. Problem with this is, it causes outage on the network (heavy load on the firewall) and we do not know when the probem occurs.

Has anyone seen this before?

Customer is at VSX R80.10 Take 169.

Regards,

Martijn.

4 Replies
PhoneBoy
Admin
Admin
‎2019-01-25 08:36 PM

Ultimately a debug would be required to see why it is dropping in more detail.

Did you, by chance, try configuring (temporarily maybe) an exception in the relevant Threat Prevention policy?

0 Kudos
Martijn
Advisor
‎2019-01-27 03:26 AM
In response to PhoneBoy

Hi,

Yes, we created an exception in the Threat Prevention policy. 

At the top of the policy we created a rule with a Threat Prevention profile without AV, AB and IPS enabled and as destination the gateway.

This did not solve the problem. In the end, we had to disable AB completely. 

Maybe I can replicate the issue in my lab so we do not need to run a debug at the customer.  But we have many customers with Endpoint Connect and AB enabled and we do not see any issues there. So the chances are, I cannot replicate it at all.

And that means a debug at the customer.

Regards,

Martijn

0 Kudos
Martijn
Advisor
‎2019-02-14 11:35 AM

Hi,

Support gave us a R80.10 hotfix for the issue in sk123075 - Anti-Bot is dropping traffic although it is disabled.

We installed this fix today and now we wait to see if it resolves our issue.

Regards,

Martijn.

Martijn
Advisor
‎2019-03-05 07:10 AM

Hi,

Just an update for this issue.

We installed the hotfix, but I am sorry to say it did not solve our problem.

Sometimes VPN traffic (Endpoint Connect) is still dropped.

Customer has enabled AB again because it is more important to enable this security feature than people sometimes cannot connect or get disconnected.

Check Point support is now investigating again. Maybe the fix was not installed correctly (we did not see errors when installing the fix).

Keep you posted.

Regards,

Martijn.

0 Kudos