fjulianom
Advisor

Syslog packets dropped by IPS

Hi mates,

 

I have a problem with the IPS. I have configured the SMS to send logs to a SIEM server, and the IPS started blocking the syslog packets. So I added an exception defining the source, destination and service, and I tried with "Apply on the matched rule" and "Add to global exception group (apply on all rules)", and neither of them works. I still see these logs:

[Expert@fw1:0]# fw ctl zdebug + drop | grep "192.168.1.8"
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;

I have only seen this post, with no solution:

https://community.checkpoint.com/t5/Threat-Prevention/fw-spii-execute-inspections-Reason-spii-inspec...

Any ideas?

 

Regards,

Julián

0 Kudos
1 Reply
PhoneBoy
Admin

What is the precise log card for this?
Please post with sensitive data redacted.

In any case, you can try and disable the "Cisco IOS IPv4 Denial of Service" protection as mentioned here: https://support.checkpoint.com/results/sk/sk61542
Otherwise, I recommend a TAC case.

0 Kudos
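
When triaging drops like the ones quoted in the question, it helps to group the `fw ctl zdebug + drop` output by flow, dropping function and reason, so repeated lines collapse into one row per cause. The following is an added example, not code from either poster or from Check Point; the function names, the file name in the usage comment and the last sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: group `fw ctl zdebug + drop` lines by flow and drop reason.
# Usage (hypothetical file name): capture the debug output to drops.txt for a
# bounded time, then run: summarize_drops < drops.txt

summarize_drops() {
    awk '
    / dropped by / {
        # Find the "proto=N" token; the flow follows as SRC:PORT -> DST:PORT.
        for (i = 1; i <= NF; i++) if ($i ~ /^proto=/) break
        if (i + 3 > NF || $(i + 2) != "->") next
        proto = substr($i, 7)
        src = $(i + 1); sub(/:[0-9]+$/, "", src)  # ignore ephemeral source port
        dst = $(i + 3)
        fn = ""; reason = ""
        for (j = i + 4; j <= NF; j++) {
            if ($j == "by" && fn == "") fn = $(j + 1)   # function that dropped
            if ($j == "Reason:") {                      # rest of line is the reason
                for (n = j + 1; n <= NF; n++) reason = reason (n > j + 1 ? " " : "") $n
                break
            }
        }
        sub(/;$/, "", reason)
        count["proto=" proto " " src " -> " dst " by=" fn " reason=\"" reason "\""]++
    }
    END { for (key in count) printf "%d %s\n", count[key], key }
    ' | sort -rn
}

# Sample input: the drop line quoted in the post (four times), one constructed
# line with placeholder addresses, function name and reason, and one line of noise.
sample_drops() {
    cat <<'EOF'
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452969;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.100.132:9271 -> 192.168.1.8:514 dropped by fw_spii_execute_inspections Reason: spii inspection matrix drop;
@;1786452970;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:40000 -> 198.51.100.5:443 dropped by example_drop_fn Reason: constructed example reason;
unrelated line that is not a drop record
EOF
}

sample_drops | summarize_drops
```

Each output row is a count followed by the protocol, source, destination and port, the function that dropped the packet and the reason string, which is the kind of detail to attach to a TAC case alongside the log card.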