Olga_Kuts
Silver

IPS dropped traffic without specifying a protection name

We observe a strange log from the IPS Blade, Gaia R80.10.
The name of the signature is not specified; from "Protection Details" we can see only Severity: Informational. But the action of this unknown protection is Prevent, and we do not understand why the traffic is dropped.
What could this mean? Can you explain, please?

0 Kudos
8 Replies

Re: IPS dropped traffic without specifying a protection name

Can you post a screenshot of the dropped log entry?

0 Kudos
Olga_Kuts
Silver

Re: IPS dropped traffic without specifying a protection name

Unfortunately, no. A lot of data would need to be redacted, and the log after that would not be informative.

0 Kudos

Re: IPS dropped traffic without specifying a protection name

Without seeing the contents of the drop, I'm not sure how helpful anyone can be here. Like Rick said below, it is probably related to a Core Protection drop instead of an IPS drop. The handling of these in R80.10 is a bit different than in R77.30. I

You should be able to sanitize the screenshot of IP addresses and such and still have the drop log be relevant and helpful to this discussion. But that's up to you!

0 Kudos

Re: IPS dropped traffic without specifying a protection name

Sorry, I also forgot to ask: how frequently are these drops happening? Is it easy to reproduce?

0 Kudos
RickLin
Silver

Re: IPS dropped traffic without specifying a protection name

I think it could be a protection listed in the "Core Protections" or "Inspection Settings" profile.

0 Kudos

Re: IPS dropped traffic without specifying a protection name

I was thinking the same thing, because I ran into this a couple of weeks ago and it was a little confusing to figure out where the drop was happening.

0 Kudos
RickLin
Silver

Re: IPS dropped traffic without specifying a protection name

As far as I know, IPS has three kinds of Protection Profiles in the R80 era:

1. ThreatCloud Protections (enforce signatures or pattern match)

2. Core Protections (enforce protocol parser)

3. Inspection Settings (low-level enforcement engine)

ThreatCloud Protections are applied with the Threat Prevention Policy.

Core Protections and Inspection Settings are applied with the Access Control Policy.

Re: IPS dropped traffic without specifying a protection name

If this dropped traffic has a particular source or destination IP, then I would suggest running fw ctl debug -m fw + drop with the affected IP, so that we can get some information and find the right direction to look.
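As an added helper for the debug approach suggested above (not code from the thread or from Check Point): this script summarises the kernel drop-debug output for one IP by the kernel function and reason recorded in each fw_log_drop_ex line, which narrows the search between the Access Control rulebase and the inspection engines listed in the reply before it. The sample records and the asm_inspection_drop function name in them are constructed for illustration.

```shell
#!/bin/sh
# Added helper: summarise `fw ctl debug -m fw + drop` output for one IP.
# Capture on the gateway first (R80.x CLI, as suggested in the reply):
#   fw ctl debug 0 ; fw ctl debug -buf 32000 ; fw ctl debug -m fw + drop
#   fw ctl kdebug -T -f > /var/log/drop_debug.txt     (Ctrl-C to stop)
#   fw ctl debug 0
# Then: summarise_drops <ip> < /var/log/drop_debug.txt
# Each drop record ends with "dropped by <kernel function> Reason: <text>;".
# The function name tells you which kernel path dropped the packet, which
# narrows the search between the Access Control rulebase (Core Protections
# and Inspection Settings live there) and the Threat Prevention policy.

# Constructed sample of the record format (not a real capture; the
# "asm_inspection_drop" function name is an illustrative placeholder).
SAMPLE_DEBUG='@;1001;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51234 -> 198.51.100.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
@;1002;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:51235 -> 198.51.100.5:80 dropped by asm_inspection_drop Reason: Protocol violation;
@;1003;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.99:5353 -> 224.0.0.251:5353 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
@;1004;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:51236 -> 198.51.100.5:80 dropped by asm_inspection_drop Reason: Protocol violation;'

# summarise_drops <ip>: reads debug output on stdin and prints
# "<count>TAB<kernel function>TAB<reason>" for records where <ip> is the
# source or destination, most frequent first.
summarise_drops() {
  awk -v ip="$1" '
    /fw_log_drop_ex:/ && index($0, " " ip ":") {
      f = $0; sub(/.*dropped by /, "", f); sub(/ .*/, "", f)
      r = $0; sub(/.*Reason: /, "", r); sub(/;.*/, "", r)
      n[f "\t" r]++
    }
    END { for (k in n) print n[k] "\t" k }
  ' | sort -rn
}

# top_drop_function <ip>: the kernel function responsible for most drops.
top_drop_function() {
  summarise_drops "$1" | head -n 1 | cut -f 2
}

# count_drops <ip>: total number of drop records involving <ip>.
count_drops() {
  summarise_drops "$1" | awk -F '\t' '{ s += $1 } END { print s + 0 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_DEBUG" | summarise_drops 192.0.2.10
```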