Kaspars_Zibarts
Employee

IOC feed stops working after TP policy install R80.40

Just wondering if anyone else has seen this weird behaviour. And funny enough, it only happens in one cluster; others with a similar setup do not experience the same problem.

GW is running R80.40 T156 and we are using IOC feed configured in CLI. After enabling feed all works as expected. But as soon as we push TP policy, feed stops working (meaning users can access sites that should be blocked). If we inactivate/activate feed, it works again - sites are being blocked. Access policy install does not affect it.

We tried:

  • upgrading to T156 from T139
  • changing enforcement blade AB <> AV
  • reduced the list to one entry

But still no joy.

The only suspect could be EVAL (valid) license but that's a very long shot.

Debugging with $FWDIR/bin/ioc_feeder -d -f did not produce any valuable info in log files.

Logs just show accept on the access policy but nothing from the TP policy layer.


3 Replies
Tobias_Moritz
Advisor

Good catch! Hard to find when not tested explicitly, because there is no error message anywhere in that case.

I could replicate this on R80.40 JHF T156 as well. However, when I wait until the next regularly scheduled ioc_feeder run is finished, my test site gets blocked again.

So for me:

  1. feed is working.
  2. TP Policy installed.
  3. feed is not working (at least not enforced - there is no error message)
  4. next scheduled ioc_feeder run is finished (in my case about 15 minutes after TP policy installation)
  5. feed is working again.

Can you verify if the behavior is the same on your side? Have you opened a TAC case yet?

Kaspars_Zibarts
Employee

Thanks Tobias for checking! Really appreciated!

I'm afraid in our case it remains permanently OFF until I manually stop/start the IOC feed using the state option, i.e.

ioc_feeds modify --feed_name blacklist --state false

ioc_feeds modify --feed_name blacklist --state true

The only strange debug log generated after policy push is this one

[attached screenshot: image.png]

Looks like a TAC case for me. But yours is not good either, when you have protection off for 15 mins! 🙂

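One way to automate the post-install check and the stop/start workaround described in this reply, as an added example rather than anything posted in the thread: it assumes expert-mode bash on the gateway (or a host behind it), a placeholder TEST_URL that you replace with an entry from your own feed, and that a blocked request either fails to connect or returns a non-2xx status.

```bash
#!/bin/bash
# Added example (not from the thread). After a Threat Prevention policy install,
# probe a URL the IOC feed should block; if it is reachable, apply the workaround
# from the thread (set the feed state to false, then true) and probe again.

FEED_NAME="${FEED_NAME:-blacklist}"                         # feed name used in the thread
TEST_URL="${TEST_URL:-http://PLACEHOLDER-blocked.example}"  # placeholder: use an entry from your feed
IOC_FEEDS_CMD="${IOC_FEEDS_CMD:-ioc_feeds}"                 # overridable for dry runs

# Returns 0 if the URL appears blocked, 1 if it was fetched successfully.
# Assumption: a block shows up as a connection failure or a non-2xx status.
probe_blocked() {
    local code
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$TEST_URL") || return 0
    case "$code" in
        2[0-9][0-9]) return 1 ;;   # page loaded: feed not enforced
        *)           return 0 ;;   # block page / no response: treated as blocked
    esac
}

# Workaround from the thread: deactivate, then reactivate the feed.
toggle_feed() {
    "$IOC_FEEDS_CMD" modify --feed_name "$FEED_NAME" --state false || return 1
    "$IOC_FEEDS_CMD" modify --feed_name "$FEED_NAME" --state true  || return 1
}

# Check, remediate if needed, re-check. Returns 0 when enforcement is confirmed.
verify_and_fix() {
    if probe_blocked; then
        echo "IOC feed '$FEED_NAME' enforced: $TEST_URL is blocked"
        return 0
    fi
    echo "WARNING: $TEST_URL reachable after policy install; toggling feed '$FEED_NAME'"
    toggle_feed || { echo "feed toggle failed"; return 2; }
    sleep 5   # give the feeder a moment to reload the list
    if probe_blocked; then
        echo "feed enforced again after toggle"
        return 0
    fi
    echo "still not enforced after toggle; open a TAC case"
    return 1
}
```

Run it right after each TP policy install (or from cron) so a silently disabled feed is noticed and re-armed instead of staying off until someone checks by hand.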
Tobias_Moritz
Advisor

Okay, so we have different symptoms. I also do not have any error message in debug log.

Your case definitely sounds TAC-worthy, but I agree that mine is also not okay. Although it's 5 minutes and not 15 (it was a mistake on my part to say so), this should not happen. I think I will also open a TAC case for that.
