This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Hoff
Contributor
‎2021-12-06 02:07 PM

messages log error for https inspection

Hello,

Has anyone ever seen in their /var/log/messages file the following:

[ERROR]: nrb_rb_https_inspection_get_possible_blades: rulebase structure is corrupt   (null)

I am seeing these at the kernel on different firewall workers, and will usually have a connection from an internal IP to an external IP on either port 80 or 443 associated with the line. 

Wondering if anyone else has ran into this, and if there was a fix. This is in an R80.40 with JHFA 118. 

 

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2021-12-06 08:12 PM

I actually remember customer contacting me about this exact message and TAC said to install jumbo 120 and they went away after that. I never really got an explanation what those messages even mean, which would have been nice. O well 🙂

0 Kudos
James_Moler
Explorer
‎2021-12-08 11:38 AM
In response to the_rock

We're on R80.40 T125 and seeing these messages. 120 has some CPU issues with processes spinning out of control so we went to 125.

0 Kudos
_Val_
Admin
Admin
‎2021-12-06 11:35 PM

Please take it with TAC.

0 Kudos
kbleb
Explorer
‎2021-12-09 10:35 AM
In response to _Val_

Also seeing on T125. It is associated with connectivity issues. We also see a lot of logs with https action of "error" and users get "site not responding"

0 Kudos
the_rock
Legend
Legend
‎2021-12-09 10:38 AM
In response to kbleb

Hm...maybe my customer got lucky in their case, but I agree with you. It definitely appears it would be a bigger connectivity issue, for sure.

0 Kudos
kbleb
Explorer
‎2021-12-16 03:26 AM

In our case, these errors were concurrent with smartlog message "Internal system error in HTTPS Inspection due to categorization service error". Sometimes it would be the exact same source & destinations, other times the timing would be the same down to the second, but the src/dest would be different. Sometimes I also had /var/log/messages entries about corrupt https inspection policy for DNS traffic from VPN users to internal DNS (?).

TAC was telling me the https inspection policy must be corrupt, even though we hadn't changed anything and hey how can it be corrupt for one second every so many minutes, and not corrupt one second later, and how can setting categorization mode to background "uncorrupt" the https inspection policy?

Today I found new sk176925 about the related error which has cause: "Timeout occurs because the values configured in the $FWDIR/conf/rad_conf.C file on the Security Gateway do not match the environment."

I found we are indeed seeing the timeout errors mentioned in that SK so I will try out the settings.

Since we made no changes when this started on December 1st, and the issue is intermittent from second to second even, I am reading "timeouts do not match the environment" to mean "Checkpoint's categorization service is slow" and the solution will mask the fact that the service is slow, and if we put things back to "hold" mode then user experience will be however slow the categorization service is the first time someone in the org visits a particular website.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events