FireMage
Contributor

SDT_asm_dynamic_prop_... - in profiles ...

Hello everyone,

I have a problem with the profiles in Threat Prevention under Custom Policy. I created a profile some time ago: ‘JMC only IPS’. I have now removed the profile from all (known) locations. When I display a ‘Where Used’, I can see that this profile still exists in 2 objects:

SDT_asm_dynamic_prop_SSL_BF_DOS_JMC only IPS_attribs
SDT_asm_dynamic_prop_UDP_BF_DOS_JMC only IPS_attribs

 


It is not listed anywhere else, not under Policies or Legacy objects. Only under Objects.

I have no idea where to find them or what they do. I just want to delete the profile, but I can't do that.

Strangely enough, I sometimes find entries in the logs that refer to this profile, for example in a log under ‘Protection Name: Non Compliant DNS’. When I look at the rules in the inspection settings, however, I cannot determine which profile is the basis anywhere. I have also already checked all other settings such as the layers, etc.

I have another profile with the same values, but it is being used.

Can anyone help me here?

thx

jeff

0 Kudos
Tal_Paz-Fridman
Employee

The protections in question are (what you've seen are the internal names):

Web Servers UDP Flooding Denial of Service
Web Servers SSL Flooding Denial of Service

Check to see if the Profile is somehow still active in each protection.

 

(1)
FireMage
Contributor

Hello,

Unfortunately that wasn't it. But you've given me an idea. I'm going to reactivate the profile and then switch off all the active rules manually. Let's see if that helps.

thanks
jeff

0 Kudos
FireMage
Contributor

Hello,

Too bad, the idea was good but it didn't help. All IPS and core rules for the profile are now inactive. Nevertheless, the entries are still there.

But if I think about these entries, then the BF_DOS could stand for ‘Brute Force’ and ‘Deny Of Service’.

But that doesn't help me at the moment.

thanks
jeff

0 Kudos
Tal_Paz-Fridman
Employee

You're probably right, but as I wrote, these are just the internal names for the following IPS Protections:

Web Servers UDP Flooding Denial of Service
Web Servers SSL Flooding Denial of Service

 

They are somehow still referenced.

You might want to look for your Profile name using the Database Tool (GuiDBedit). I advise not making any changes yourself; instead, open a support ticket with TAC:

https://support.checkpoint.com/results/sk/sk13009

 

0 Kudos
FireMage
Contributor

Hello,

OK, this will probably be a TAC. I have now deactivated everything. I have even switched off the IPS in the profile so that no blade is active any more. I have also removed the profile from the policy.

I have looked at everything with GuiDBedit, and there are entries present exactly in the web servers ... flooding.

But it gets even better: after a restart I still get entries in the log with the profile ‘jmc only ips’, especially e.g. with sequence verifier messages.

But the profile is no longer in use and everything is switched off.

Thanks
jeff

0 Kudos
FireMage
Contributor

Hello @All

 

I found the solution: https://support.checkpoint.com/results/sk/sk171494

 

thx

jeff

0 Kudos
