This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fjulianom
Advisor
‎2023-03-10 03:14 AM

Syslog packets dropped by IPS

Hi mates,

 

I have a problem with the IPS. I have configured the SMS to send logs to a SIEM server, and the IPS started blocking the syslog packets. So I added an exception defining the source, destination and service, and I tried with "Apply on the matched rule" and "Add to global exception group (apply on all rules)", and neither of them works, I still see this logs:

[Expert@fw1:0]# fw ctl zdebug + drop | grep "192.168.1.8"
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;

I have only seen this post with no solution

https://community.checkpoint.com/t5/Threat-Prevention/fw-spii-execute-inspections-Reason-spii-inspec...

Any ideas?

 

Regards,

Julián

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2023-03-10 03:53 PM

What is the precise log card for this?
Please post with sensitive data redacted.

In any case, you can try and disable the "Cisco IOS IPv4 Denial of Service" protection as mentioned here: https://support.checkpoint.com/results/sk/sk61542
Otherwise, I recommend a TAC case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events