This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arthur_DENIS1
Advisor
Advisor
‎2020-01-14 05:14 AM
Jump to solution

Strange log - Originating from against

Hi,

I found a strange and recurring log "originating from against" for the blade IPS - see screenshot

originating-from-against - anonymous.jpg

No behavior, but a lot of this for all our firewall.

Firewall and MGMT are running version R80.20

 

Any idea for that point ?

Thanks,
Arthur

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2024-09-09 05:24 AM
In response to FireMage
Jump to solution

This is related to the Log Suppression feature of Threat Prevention, which was covered by my 2022 CPX speech Max Gander: The Hidden World of Log Generation and Log Suppression at Check Point

Bottom line is that this is expected behavior, please see sk115876: Some fields are missing from IPS or Threat Prevention logs

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

View solution in original post

7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-01-14 05:23 AM
Jump to solution

There is not much that can be said when the only detail we know here is the version 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Arthur_DENIS1
Advisor
Advisor
‎2020-01-14 05:34 AM
In response to G_W_Albrecht
Jump to solution

Indeed, but what I can says... 

We get this message from all firewall without an apparent reason.

 

Do you have already see this message ?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-01-14 05:37 AM
In response to Arthur_DENIS1
Jump to solution

Look into the logs in SVTracker - look for logs from the same source at the same time...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Arthur_DENIS1
Advisor
Advisor
‎2020-01-14 05:59 AM
In response to G_W_Albrecht
Jump to solution

OK so I try to find the same log with SVTracker, but no way to find it.

Regarding the othe logs from the same origin, we have a lot of accept and Drop (about 1600 entry for the same second) - icmp/tcp/udp - but only from the firewall blade.

 

This is the only log from IPS blade at this exact time from this specific origin.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-16 05:45 PM
Jump to solution

Might be worth a TAC case.
0 Kudos
FireMage
Contributor
‎2024-09-08 10:03 AM
Jump to solution

hello,

was there a solution for this? i currently have the same behaviour with our r81.20.

thanks
jeff

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-09-09 05:24 AM
In response to FireMage
Jump to solution

This is related to the Log Suppression feature of Threat Prevention, which was covered by my 2022 CPX speech Max Gander: The Hidden World of Log Generation and Log Suppression at Check Point

Bottom line is that this is expected behavior, please see sk115876: Some fields are missing from IPS or Threat Prevention logs

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top