Jerry
Mentor

IPS issue (R80.20) - cannot remove IPS blade from GW object

hi chaps

 

got an interesting one

 

1. object of the GW has IPS enabled, when trying to untick and disable it I cannot seem to save the changes as SmartConsole shouts at me as follows:

a. "Failed to save object "xxx". A blocking validation error was found: Field InstallTargetIds references invalid object

b. "The current changes to object "xxx" parameters are invalid and therefore will be discarded"

 

and that's all. when "a" occurs the only way to move on is to click OK, when done "b" appears.

 

any idea what and why? literally nothing has changed on that "StandAlone" Appliance since original install of R80.20.

 

ps. cpinfo -y all below (also see enclosed 1.png)

 

[Expert@xxx:0]# cpinfo -y all

This is Check Point CPinfo Build 914000190 for GAIA
[IDA]
No hotfixes..

[CPFC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[MGMT]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[FW1]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

FW1 build number:
This is Check Point Security Management Server R80.20 - Build 007
This is Check Point's software version R80.20 - Build 047
kernel: R80.20 - Build 047

[SecurePlatform]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[CPinfo]
No hotfixes..

[DIAG]
No hotfixes..

[PPACK]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[SmartLog]
No hotfixes..

[Reporting Module]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[CPuepm]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[VSEC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[R77CMP]
HOTFIX_R80_20_JHF_COMP Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[R75CMP]
No hotfixes..

[NGXCMP]
No hotfixes..

[EdgeCmp]
No hotfixes..

[SFWCMP]
No hotfixes..

[FLICMP]
No hotfixes..

[SFWR75CMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPUpdates]
BUNDLE_CPINFO Take: 0
BUNDLE_R80.20_SC Take: 101
BUNDLE_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC Take: 73

Jerry
22 Replies
Tal_Paz-Fridman
Employee

Hi Jerry,

 

Please go over the Threat Prevention Policy rules [Security Policies > Threat Prevention > Each Threat Prevention Layer] and make sure the Security Gateway with the IPS blade is not directly selected as an Install On target.

If it is, try changing the Install On for each rule so that it is * Policy Targets and then try disabling the IPS blade.

 

HTH

Tal

Jerry
Mentor

2.PNG

 

see below Tal. I have never had here any "targets" selected though I don't think this applies to my case.

Now the GW has IPS blade enabled, and after the complete reboot of the GW all seems just fine:

3.PNG

I have really no clue why I couldn't "deselect" blade on GW object and save it 1h ago.

Jerry
Wolfgang
Authority

Jerry,

that's magic. Maybe some earth rays or other things in the air are affecting the SMS..

I love our IT job, normally it consists of 0 and 1 but sometimes something between 😎 

Wolfgang

Tony_Graham
Advisor

I am also having problems disabling IPS. Exactly the same situation as the original poster.

 

0 Kudos
the_rock
Legend

I remember one time I had this problem ages ago, I changed something in GuiDBedit to make it work, but it was more than 10 years ago, so definitely before R80 version. Can you send a screenshot?

Andy

0 Kudos
Tony_Graham
Advisor

pic1.png

pic2.png

0 Kudos
the_rock
Legend

I found some posts where it says to remove scheduled IPS updates (if enabled) and also remove from here, IF it's enabled

Andy

Screenshot_1.png

Tony_Graham
Advisor

I don't have anything under Install On other than 'Policy Targets'. Nothing specific. I unchecked IPS updates and now the entire dialog for IPS updates is gone (edit: It seems it changed the focus from Threat Prevention to Updates which is why it disappeared. I had to click back on Threat Prevention>Updates to get back to where I was.)

0 Kudos
Tony_Graham
Advisor

I have a Geo Policy defined but there is no way to tell it NOT to install on this device I am trying to remove IPS from without impacting the device I don't want to. I can 'view' the items under Gateways but you cannot manipulate them. So you cannot really say, hey don't push Geo Policy to X device, at least I don't know how you would do that. I believe Geo Policy is a part of IPS so that could be what is stopping it from being deactivated.

0 Kudos
PhoneBoy
Admin

Yes, the legacy GeoPolicy requires IPS.
See: https://support.checkpoint.com/results/sk/sk16921

From R80.20 and above, you can use Updatable Objects for various locations in your regular Access Policy.
This does not require IPS.

the_rock
Legend

I think what @Timothy_Hall gave makes total sense. Follow those instructions and let us know what gives.

Andy

Timothy_Hall
Champion

Right-click on the gateway object and select "Where Used".  That should help you figure out where the reference to that object is that is blocking you.  My guess is you are referencing that particular gateway for "Install On" in a custom Threat Prevention rule, IPS ThreatCloud exception or possibly even a Core Activations exception.

Geo Policy is not part of IPS starting in R80 (and this feature is now deprecated) but there still may be some remaining hooks to IPS here as I sometimes still notice references to IPS in the logs for Geo Policy drops.

Tony_Graham
Advisor

Under Objects there was IPS Scheduled Update. I had tried fussing with that earlier based on what Andy suggested, so I went back and revisited it. I toggled it to 'install on specific' and back to 'Install on all', clicked okay.

Went back and tried to disable IPS and this time it worked. Yay team.

0 Kudos
the_rock
Legend

Good job @Tony_Graham 💪💪

0 Kudos
Tony_Graham
Advisor

So I have an unrelated, related question. If you push a policy that contains IPS, for instance you shotgun out a policy to all gateways, does CP know that since the blade isn't running on that device to just drop the rules, or does it get the whole policy but just ignore the bits it cannot enforce? Is there a benefit to pushing different policies since the ruleset would be less complicated?

0 Kudos
the_rock
Legend

That's pretty much how it works for any blade, if blade is NOT active, rules will never apply.

Andy

0 Kudos
Tony_Graham
Advisor

I assumed that but...you know about assumptions.

(1)
the_rock
Legend

Yea, I do know...heard that from a woman long time ago...a**...U...me 🤣🤣

Anyway, will go play some chess now, maybe beat FAKE Magnus Carlsen...aka Chat GPT chess player, where it teleports the queen from nowhere into 3rd dimension and bishop reappears from ancient times to save the game lol

Wolfgang
Authority

Jerry,

we had the same problem last month.

 

0 Kudos
TP_Master
Employee
Conclusion: Don't disable the IPS blade.

Why would you even want to do that? 🙂
Jerry
Mentor
neva! 😛
Jerry
0 Kudos
Amit_Koren
Participant

I needed to disable IPS according to sk163752

I did not have a target in the Install On column of the Threat Prevention policy.

For me, the issue was that the gateway was selected under automatic install after IPS update.

I had to remove the gateway, install database and only then I could uncheck the IPS blade.
