Narsimha_Rao_Ko
Participant

Smart Event not generating events for IPS and Content Awareness

After I upgraded the SMS and Gateway to R80.10, Smart Event is not generating events for different IPS signatures.

It also doesn't have a definition for Content Awareness. After I created a user-defined event definition, some false events are being generated, and the genuine events don't list the "Data Type" field, which is essential to find out what caused that event to trigger.

We are highly impacted by this, as we are not receiving mail alerts for various IPS and Content Awareness incidents.

0 Kudos
8 Replies
Danny
Champion

Several IPS protections were removed in R80.x. Did you upgrade SmartEvent R80.10 as well or just the gateway and management? Did you install the event policy after the upgrade? Did you install the latest R80.10 Jumbo Hotfix Take? Please detail what is working and what isn't, preferably with accompanying screenshots.

0 Kudos
Tomer_Sole
Mentor

I agree. Narsimha, please send us specific examples of IPS content that you find missing or having false positives. We'd like to see whether this is a software problem or an intended change of behavior (which you may have found unintuitive).

0 Kudos
Narsimha_Rao_Ko
Participant

Thanks Tomer for the update.

Sorry for replying late. I have been working with Support. R&D has given a new lib file, which has not solved the issue.

-> All IPS signatures except port scan/host scan are not generating events

-> Content Awareness events are not listing the Data Type field

All these issues started after upgrading to R80. The Mgmt Server, Smart Event Server and Gateway are all running R80.10 with the latest hotfixes installed.

I am attaching the screenshot for the same. In that screenshot, only host scan/port scan generated events, and there are no events for other signatures. Entries with blank fields in Protection type, Protection name, etc. are events.

0 Kudos
Evgenia_Kritsky
Employee

In R80.x, you will see the policies of the IPS, DLP, Appi, Threat Prevention... blades under 'Legacy', and these events are not relevant anymore, because the data of these blades will be displayed as log / session on "Logs&Monitor".

So all policies under the "Legacy" section have to be unchecked, except for policies for which automatic reactions are configured.

When configuring automatic reactions for legacy policies, check "Send automatic reactions but don't generate an event".

If you don't receive mail after checking this option, please open a task to install the HF that fixes the issue.

0 Kudos
Vladimir
Champion

I am curious to know if the automatic reactions that were previously configured are still defined post-R80.x upgrade, but are simply disabled.

Otherwise, how should we determine which events had those enabled and what those action settings were?

0 Kudos
Narsimha_Rao_Ko
Participant

Thanks Evgenia for looking into this.

Log / session on "Logs&Monitor" fetches the logs from the Log server. I think events are generated when multiple logs match certain criteria which we define in the Event policy, and these events are stored in the Smart Event Server.

We need Automatic reactions to be configured to send the mail alerts when a particular event is generated. I have tried the above option of checking "Send automatic reactions but don't generate an event", but I still only got a mail alert for Host port scan.

0 Kudos
pengfei_miao
Explorer

Hi, Narsimha Rao Konjeti

I met the same issue today, just like what you described above. So, have you solved this issue? Looking forward to your reply.

0 Kudos
pengfei_miao
Explorer

OK, I have solved this issue by checking the option: "Send automatic reactions but don't generate an event"! :)

0 Kudos
