Paul_Warnagiris
Collaborator

Protocol violation sig_id

Good Morning,

I'm seeing some random protocol violation messages in one of my customer's logs and I'm trying to figure out what is going on. This particular message is "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)". Is there a place to see what violation sig_id:12 or matched protocol sig_id:9 is referring to?

This is not in relation to something not working correctly, just a review of log ALERTS and I want to be able to explain it or eliminate it.

Thanks,
Paul

9 Replies
G_W_Albrecht
Legend

The error message Firewall - Protocol violation detected with protocol:(NTP-UDP) points to an access rule with that predefined service used.

sig_id seems not to be specific to the service, see sk162012 "After upgrading Security Gateway from R77.30 to R80.20, ftp-traffic from some Linux-FTP-clients is blocked".

Paul_Warnagiris
Collaborator

I saw this SK you mention when I was searching. There is not really anything that is breaking per se. It's just making a mess of the logs because there are a bunch of "alerts." In fact they are not even drops. We just have a routine that reports on all of the "alerts" and then I have to sift through these protocol violations. Do you know how to fix it? Is it something I have to do in the rulebase? Or is there a way to stop alerting on it since they are allows? I just don't want to stop alerting on something that is worthwhile in order to cut down on noise. I could easily just not log everything and that would get rid of the noise 🙄 For the most part it's UDP 4500 and 500 as well as 443/128/25, etc., but then if I eliminate them from the log view there are a bunch of random HO ports with "protocol unknown" in the protocol field.

(attached image: Picture1.png)

HeikoAnkenbrand
Champion

More on log fields, read here:

SK144192 - Log Fields Description

The signatures are used by the PSL. Unfortunately there is no list for the protocols here.

matched protocol sig_id:(9) = FTP
violation sig_id:(12) = ?

For more on PSL, read here:

R80.x - Security Gateway Architecture (Content Inspection)

genisis__
Advisor

I see something similar:

Firewall - Protocol violation detected with protocol:(DNS-UDP), matched protocol sig_id:(1), violation sig_id:(12). (500)

The traffic is allowed but is alerting. If this is not cause for concern, how can we stop this from happening?

I could not find anything on Support site for this.

Jan_Kleinhans
Collaborator

Hello,

Did you find a workaround for these messages? We have the same problem with UDP 500. Voice Over WIFI seems to use this port.

Best regards,

Jan

Paul_Warnagiris
Collaborator

I have not found a way to easily eliminate the noise unless you filter it out through a report in SmartEvent. Or filter it out in the logs view, but as I stated you may then filter out pertinent information that you want to see. As for the logs themselves, it's very annoying, and the premium that it costs with the exponential amount of logs in R80 makes it a challenge. If anyone comes up with a workaround please add to the thread.

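Since the thread's only workable answer so far is filtering in a report or the log view, the following is an added example (not from this thread, and not Check Point's own tooling) of doing that filtering outside the console in a way that keeps the unexpected alerts visible: it parses the "Protocol violation detected" message in the two spellings quoted in this thread, counts each distinct (protocol, matched sig_id, violation sig_id, trailing number) combination, and then splits the counts against an analyst-maintained baseline of combinations that have already been reviewed and judged benign. Assumptions: the log lines below are constructed to mimic the messages quoted in the thread; the trailing "(500)" is treated as the service port because the thread's examples line up with UDP 500, but that reading is an assumption; and the baseline set is something the analyst maintains by hand, not a gateway feature.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional, Set, Tuple

# Matches both spellings quoted in the thread:
#   "protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)"
#   "protocol (SMTP) ..."  (no colon, no sig_ids)
# The sig_id and trailer groups are optional so the shorter form still parses.
_VIOLATION_RE = re.compile(
    r"Protocol violation detected with protocol:?\s*\((?P<protocol>[^)]+)\)"
    r"(?:, matched protocol sig_id:\((?P<matched>\d+)\))?"
    r"(?:, violation sig_id:\((?P<violation>\d+)\))?"
    r"(?:\.?\s*\((?P<trailer>\d+)\))?"
)


class Violation(NamedTuple):
    protocol: str
    matched_sig: Optional[int]
    violation_sig: Optional[int]
    trailer: Optional[int]  # trailing "(500)" value; assumed here to be the service port


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_violation(line: str) -> Optional[Violation]:
    """Return the parsed fields of a protocol-violation message, or None for any other log line."""
    m = _VIOLATION_RE.search(line)
    if m is None:
        return None
    return Violation(
        m["protocol"], _opt_int(m["matched"]), _opt_int(m["violation"]), _opt_int(m["trailer"])
    )


def summarize(lines: Iterable[str]) -> "Counter[Violation]":
    """Count how often each distinct violation combination appears; non-matching lines are skipped."""
    counts: "Counter[Violation]" = Counter()
    for line in lines:
        v = parse_violation(line)
        if v is not None:
            counts[v] += 1
    return counts


def triage(
    lines: Iterable[str], baseline: Set[Tuple[str, Optional[int]]]
) -> Tuple["Counter[Violation]", "Counter[Violation]"]:
    """Split the counts into (expected, unexpected).

    `baseline` holds (protocol, violation_sig) pairs the analyst has already reviewed
    and accepted as noise from allowed traffic. Everything else stays in `unexpected`
    so that a new protocol or a new violation signature still surfaces in the report.
    """
    expected: "Counter[Violation]" = Counter()
    unexpected: "Counter[Violation]" = Counter()
    for v, n in summarize(lines).items():
        bucket = expected if (v.protocol, v.violation_sig) in baseline else unexpected
        bucket[v] += n
    return expected, unexpected


# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE_LOGS = [
    "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)",
    "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)",
    "Firewall - Protocol violation detected with protocol:(DNS-UDP), matched protocol sig_id:(1), violation sig_id:(12). (500)",
    "Firewall - Protocol violation detected with protocol (SMTP) ..... etc.",
    "Accept 10.0.0.5 -> 10.0.0.9 udp/123",  # unrelated line, ignored by the parser
]

# Hypothetical analyst-maintained baseline: combinations already reviewed as benign.
REVIEWED_BASELINE = {("NTP-UDP", 12), ("DNS-UDP", 12)}


if __name__ == "__main__":
    expected, unexpected = triage(SAMPLE_LOGS, REVIEWED_BASELINE)
    print("Reviewed noise (suppressed from the report):")
    for v, n in expected.most_common():
        print(f"  {n:5d}  {v}")
    print("Needs a look:")
    for v, n in unexpected.most_common():
        print(f"  {n:5d}  {v}")
```

Run over an exported log file instead of SAMPLE_LOGS, and only the "Needs a look" section changes from day to day: the NTP and DNS combinations the thread describes stay counted but out of the way, while a protocol or violation sig_id that has not been reviewed yet is still reported.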
genisis__
Advisor

Haven't found a way either; it would be useful if Checkpoint could offer a solution for this.

_Val_
Admin

I can see that the sk81320-related change helps resolve this issue. If you are unsure what to do, please open a case with TAC.

Jurgen
Explorer

Hi, Checkpoint advised me to use sk114917 ... worked for me.

Firewall - Protocol violation detected with protocol (SMTP) ... etc.
