Contributor

INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

zdebug drop shows the errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER, and https sites were not working in several environments due to the IPS protection "openssl padding oracle information disclosure" that was updated on 7/8/2020.

Disabling this protection resolves the issue.

Accepted Solutions
Admin

IPS update has been replaced. It is now safe to update.

14 Replies
Admin

"zdebug" is a macro that only sends debug flags to the fw module if used without additional effort, as in "fw ctl zdebug drop". In R80.x the fw module does not do much. You need to debug KISS and UP.

It is better to involve TAC in your case.

Collaborator

Thanks for this - got several customers affected by this. Can confirm that disabling the protection restores internet access.

Admin

Please raise a TAC case for this, thanks.

Collaborator

Hi All,

Have engaged TAC - but also received the following update from my CP SE:

The problematic updates are:
634204548 or 635204548

The impact:
- After IPS update, many drops observed (via fw ctl zdebug + drop on CLI)
dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
- The following may be seen in /var/log/messages:
kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
- High CPU utilization and traffic impact

Short term remediation:
1. Re-enable IPS on the gateway object if it was disabled as a workaround.

2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)
a. Open Gateway Object in SmartConsole
b. Go to IPS tab (blade must be enabled)
c. Under "IPS Update Policy" select "Use IPS management updates"

3. Revert to previous good IPS database update
a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
b. Under "Threat Tools" (left hand side) select "Updates"
c. Click the arrow next to "Update Now" and select "Switch to version..."
d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
e. Update will be pushed to gateways
f. Clear any scheduled updates from the "scheduled updates" option

4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.

Best practices for updates and IPS implementation:
This document (while it is specified for R80.10, it is still relevant for newer versions) contains our best practices recommendations about IPS profile implementation, and update best practices. https://sc1.checkpoint.com/documents/Best_Practices/IPS_Best_Practices/CP_R80.10_IPS_Best_Practices/...

Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:
fw ctl set int tls_parser_enable 0


We were facing this issue at a customer's installation today as well.
After opening an SR we got an update that IPS versions 634204548 or 635204548 are affected. We reverted to 635204525 and the issue persisted.

As we did not want to go by trial and error, we have now disabled this protection and the issue is gone for now.

Now we're waiting for the next update (and a reply from the SR owner)

and now to something completely different
Admin

Hello, we are aware of the issue and are working to provide a fix for it.

Meanwhile, if you are affected, please use the following steps for short term remediation:

1. Re-enable IPS on the gateway object if it was disabled as a workaround.

2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)

a. Open Gateway Object in SmartConsole
b. Go to IPS tab (blade must be enabled)
c. Under "IPS Update Policy" select "Use IPS management updates"

3. Revert to previous good IPS database update

a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
b. Under "Threat Tools" (left hand side) select "Updates"
c. Click the arrow next to "Update Now" and select "Switch to version..."
d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
e. Update will be pushed to gateways
f. Clear any scheduled updates from the "scheduled updates" option

4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.

Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:

fw ctl set int tls_parser_enable 0

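The symptoms listed in the SE update above, and repeated in the admin post just before this, are easy to check for on saved output. The following triage script is an added example, not part of the thread and not Check Point tooling: it counts the two drop reasons from saved "fw ctl zdebug + drop" output and the ips_gen_dyn_log failure line from /var/log/messages, and flags the two IPS database versions the thread names. The sample lines, the log format wrapped around the quoted fragments, the installed-version value and the function names are all constructed assumptions.

```shell
#!/bin/sh
# Added triage example, not Check Point tooling: count the indicators the thread quotes
# in saved "fw ctl zdebug + drop" output and /var/log/messages, and flag the two
# IPS database versions the thread names. All sample data below is constructed.

# IPS database versions the thread identifies as problematic.
BAD_IPS_VERSIONS="634204548 635204548"

# count_matches STRING FILE: number of lines in FILE containing STRING (0 if none or unreadable).
count_matches() {
    n=$(grep -F -c -- "$1" "$2" 2>/dev/null) || n=0
    printf '%s\n' "${n:-0}"
}

# Drop reasons quoted in the thread, counted in saved zdebug output.
tls_parser_drops() { count_matches 'PSL Drop: TLS_PARSER' "$1"; }
mux_passive_drops() { count_matches 'PSL Drop: MUX_PASSIVE' "$1"; }

# The kernel log line the SE update says may appear in /var/log/messages.
ips_log_failures() { count_matches 'ips_gen_dyn_log: malware_policy_global_send_log() failed' "$1"; }

# is_bad_ips_version VERSION: exit 0 if VERSION is one of the two named packages.
is_bad_ips_version() {
    for v in $BAD_IPS_VERSIONS; do
        if [ "$1" = "$v" ]; then return 0; fi
    done
    return 1
}

# matches_thread_symptoms ZDEBUG_FILE MESSAGES_FILE IPS_VERSION: exit 0 only when
# TLS_PARSER drops and the ips_gen_dyn_log failure are both present and the installed
# IPS version is one of the two named packages; anything else needs a separate diagnosis.
matches_thread_symptoms() {
    [ "$(tls_parser_drops "$1")" -gt 0 ] || return 1
    [ "$(ips_log_failures "$2")" -gt 0 ] || return 1
    is_bad_ips_version "$3"
}

# Constructed sample data (not a real capture): the fragments quoted in the thread
# embedded in a made-up surrounding format, using RFC 5737 documentation addresses.
SAMPLE_ZDEBUG=$(mktemp)
SAMPLE_MESSAGES=$(mktemp)
trap 'rm -f "$SAMPLE_ZDEBUG" "$SAMPLE_MESSAGES"' EXIT

cat > "$SAMPLE_ZDEBUG" <<'EOF'
;[cpu_1];[fw4_0];192.0.2.10:51234 -> 203.0.113.5:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER;
;[cpu_2];[fw4_1];192.0.2.11:51240 -> 203.0.113.5:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE;
;[cpu_3];[fw4_2];192.0.2.12:51250 -> 203.0.113.7:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER;
;[cpu_0];[fw4_3];192.0.2.13:40000 -> 198.51.100.1:80 dropped by rulebase Reason: unrelated sample drop;
EOF

cat > "$SAMPLE_MESSAGES" <<'EOF'
Jul  8 10:12:01 gw kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
Jul  8 10:12:03 gw sshd[2201]: Accepted publickey for admin from 192.0.2.50 port 50112 ssh2
EOF

# Stand-alone run: summarise the constructed samples against an assumed installed version.
INSTALLED_IPS_VERSION=635204548   # assumed value for the demonstration
printf 'TLS_PARSER drops:          %s\n' "$(tls_parser_drops "$SAMPLE_ZDEBUG")"
printf 'MUX_PASSIVE drops:         %s\n' "$(mux_passive_drops "$SAMPLE_ZDEBUG")"
printf 'ips_gen_dyn_log failures:  %s\n' "$(ips_log_failures "$SAMPLE_MESSAGES")"
if matches_thread_symptoms "$SAMPLE_ZDEBUG" "$SAMPLE_MESSAGES" "$INSTALLED_IPS_VERSION"; then
    echo "Symptoms match the thread: revert the IPS database to a version other than 634204548/635204548."
else
    echo "Symptoms do not match the thread's pattern; diagnose separately."
fi
```

Save the zdebug output to a file before scanning it, since "fw ctl zdebug + drop" runs until stopped, and treat a match as a reason to follow the revert steps above rather than to leave IPS or TLS parsing disabled. The version check is deliberately strict: a gateway on 635204525 with the same drops, as one poster reported, does not match and needs its own diagnosis.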
Champion

🤐

Contributor

I am also facing the same issue after activating the OpenSSL Padding Oracle Information Disclosure (CVE-2016-210) protection.

Disabling this protection resolves the issue.


Regards,

R.B

Contributor

Hello

First question: in which package is the IPS protection CPAI-2016-0349 updated and fixed?

Second question: why is there no official advisory regarding this issue? The impact has been huge.

Regards

Participant

Anyone having this update propagate?

I'm mashing update and still 635204548.

Collaborator

Just FYI

Due to the high performance impact this will affect customers with a "strict" or custom IPS profile only:

[screenshot: image.png]

Oddly enough my colleague's lab system has this very protection as "low confidence"

Advisor

Yeah, that was a nasty one.

Champion

Check Point has finally released sk167939 which describes the issue and solution.
It also outlines that Check Point will improve their QA testing.
