zhangchuang
Contributor

R81.20 IPS Log Parsing Bug: Multiple Real Source IPs Displayed as 0.0.127.190

Hi Check Point Community,

We encountered a consistent log parsing issue on our R81.20 gateway (Build: XXX, Jumbo Hotfix: XXX):

### Symptom:
- Multiple legitimate internal source IPs (e.g., 10.108.12.10, 10.108.11.16) are **all incorrectly displayed as 0.0.127.190** in SmartConsole Logs & Monitor.
- The affected traffic is Nessus Security Scanner detections (IPS blade, "Scanner Enforcement Violation" protection).
- Only the timestamp varies between logs; all other fields (destination IP: 10.108.40.51, service: TCP/59302, protection name) are identical.

### Verification with Packet Capture:
- When we export the packet capture from the affected log, the **real source IP in the pcap is correct** (e.g., 10.108.12.10), not 0.0.127.190.
- This confirms the traffic itself is valid; the bug is in log parsing/display.

### Questions:
1. Is this a known issue in R81.20? Are there any related Jumbo Hotfixes to resolve this log parsing bug?
2. Could this be related to SecureXL acceleration or IPS signature parsing for Nessus scans?
3. Are there any temporary workarounds to display the correct source IP in logs while we wait for a fix?

Thanks in advance for any insights or guidance!

0 Kudos
4 Replies
Timothy_Hall
MVP Gold

Why did you exclude the Jumbo HFA you are running from your post?  This may be related and fixed in a Jumbo HFA: sk182386: IPS log entries may be missing "source" and "destination" fields

As shown in one of your screenshots, log suppression is active because multiple logs are being generated for this event.  This may be causing the effect you are seeing.  You can try disabling log suppression on the gateway as a workaround, but be warned, this will significantly increase the logging load on the gateway:  sk115876: Some fields are missing from IPS or Threat Prevention logs

For more information about Threat Prevention log suppression, please see my Max Gander CPX speech.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
zhangchuang
Contributor

Hi Timothy_Hall,
Thank you very much for the explanation.
This makes perfect sense.

The issue:
- Multiple real internal source IPs (10.108.x.x) are incorrectly shown as 0.0.127.190 in logs.
- When checking packet capture from the log, the real source IP is correct.
- The problem occurs randomly and cannot be reproduced manually, which matches IPS log suppression behavior.

We will try disabling IPS log suppression first to verify.
Since this gateway is R81.20, we also suspect the bug sk182386.

Thanks again for your help!

0 Kudos
Jarvis_Lin
Collaborator

sk182914?

0 Kudos
zhangchuang
Contributor

Hi Jarvis_Lin,
Thank you very much!
sk182914 exactly matches our issue:
- IPS logs show source IP 0.0.127.190
- Real source IP is correct in packet capture
- Random occurrence, cannot reproduce manually

This is the official bug for R81.20 / R82, fixed in a Jumbo Hotfix.
We will apply the fix or use the workaround.
Greatly appreciate your help!

0 Kudos
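
To gauge how many exported IPS log entries carry the unusable source described in this thread, the following added example (not posted by any participant, and not Check Point code) flags rows whose source falls in the reserved 0.0.0.0/8 range and groups them by destination, service and protection. The CSV column names and the sample rows are constructed assumptions; map them to your own log export.

```python
import csv
import io
import ipaddress
from collections import Counter

# 0.0.0.0/8 ("this network") is reserved and cannot be the source of
# forwarded traffic, so a log row showing such a source is a display artifact.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Constructed sample rows. Column names are assumptions, not Check Point's
# export schema; timestamps are made up for illustration.
SAMPLE_CSV = """time,blade,protection,src,dst,service
2024-01-01T10:00:01,IPS,Scanner Enforcement Violation,0.0.127.190,10.108.40.51,TCP/59302
2024-01-01T10:00:07,IPS,Scanner Enforcement Violation,0.0.127.190,10.108.40.51,TCP/59302
2024-01-01T10:00:09,IPS,Scanner Enforcement Violation,10.108.12.10,10.108.40.51,TCP/59302
2024-01-01T10:00:12,Firewall,,10.108.11.16,10.108.40.51,TCP/443
"""


def has_bogus_source(row):
    """True when the logged source is missing, unparsable or inside 0.0.0.0/8."""
    try:
        return ipaddress.ip_address((row.get("src") or "").strip()) in THIS_NETWORK
    except ValueError:
        return True


def find_bogus_sources(csv_text):
    """Return (flagged_rows, Counter keyed by (dst, service, protection))."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = [row for row in reader if has_bogus_source(row)]
    groups = Counter((r["dst"], r["service"], r["protection"]) for r in flagged)
    return flagged, groups


if __name__ == "__main__":
    flagged, groups = find_bogus_sources(SAMPLE_CSV)
    for (dst, service, protection), count in groups.items():
        print(f"{count} log(s) to {dst} {service} [{protection}] have an unusable source")
    for row in flagged:
        # The thread found the real source intact in the log's packet capture.
        print(f"  {row['time']}: take the real source from the attached packet capture")
```

Flagged rows should not feed source-based alerting or blocklists until the real address has been recovered from the packet capture.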
