Management General Management Topics Logging and Reporting Multi-Domain Management Policy Management
- Local User Groups
AI & Machine Learning
We observe a strange log of IPS Blade, Gaia R80.10.
The name of the signature is not specified, from "Protection Details" we can see only Severity: Informational. But the action of this unknown protection is prevent, and we do not understand why traffic is dropped.
What could this mean? Can you explain, please?
Without seeing the contents of the drop, I'm not sure how helpful anyone can be here. Like Rick said below, it is probably related to a Core Protection drop instead of an IPS drop. The handling of these in R80.10 is a bit different than R77.30. I
You should be able to sanitize the screen shot of IP addresses and such and still have the drop log be relevant and helpful to this discussion. But that's up to you!
I was thinking the same thing because I ran into this a couple weeks ago and it was a little confusing to figure out where the drop was happening.
As I known, IPS have three kinds of Protection Profiles in R80 age.
1.ThreatCloud Protections (Enforce Signatures or Pattern Match)
2.Core Protections(Enforce Protocol Parser)
3.Inspection Settings(low level enforcement engine)
ThreatCloud Protections is applied with Threat Prevention Policy.
Core Protections and Inspection Settings are applied with Access Control Policy.
If This Drop traffic is with particular source or destination IP then I would suggest to do fw ctl debug -m fw + drop with affected IP so that we can get some information and find right direction to look.