Nadezhda
Contributor

"Last update" in protection

Hello Team!

The “Last update” column in protection in SmartConsole has incorrect last update dates. All protections have been successfully updated, and we have recently seen fresh dates there.

This occurs on ALL of our management servers, so it seems to be a massive problem.
Do you have the same problem?
Have you received any comments from TAC?
Our management servers are versions 81.10 and 81.20.
Also, the actions from sk171644 do not help.

protections.png

5 Replies
Chris_Atkinson
Employee

"Massive" problem might be exaggerating a touch for something that sounds cosmetic.

What is the uptime of both machines, how do they reach the internet and which Jumbo take is applied?

CCSM R77/R80/ELITE
Nadezhda
Contributor

After rebooting, the problem persists.
Problem on R81.10 with JH 139 and R81.20 with JH 24.
Internet access without proxy server.

Tal_Paz-Fridman
Employee

Do you refer to this column (see image)? If so, the value refers to an update in an existing protection and not to the overall IPS version update.

This allows you to know which older protections were updated recently with new signatures or definitions etc.

Details on the IPS Package version are available in several locations in SmartConsole and directly on the machines (see second image).

IPS Protections.png

IPS Version.png

Nadezhda
Contributor

Hello!

Thanks for your explanation, but no, I mean this: protections.png

Timothy_Hall
Legend

For the AV/ABOT blades, the "Last Update" does not mean what you think it means when compared to something like the IPS blade. Check Point seems to be a bit cagey about what is going on with AV/ABOT updates and there is little documentation, but allow me to explain my understanding of this, which granted may not be 100%:

The IPS feature exclusively uses a traditional set of patterns/signatures that are downloaded in their entirety as one big database file, and once the database is downloaded and slipstreamed into the existing Threat Prevention policy on the gateway, the IPS blade operates 100% autonomously with no live interaction with the ThreatCloud needed for enforcement. However, Anti-Virus and Anti-Bot use a combination of memory-based caches and constant interactions with the Check Point ThreatCloud via the rad process to help keep the caches populated.

Normally Check Point gateways will interact with the Check Point ThreatCloud servers with no consideration given to which countries those servers are actually located in. But interestingly it is possible to configure the gateway to only obtain ThreatCloud updates from Check Point servers located in certain countries and avoid undesirable countries; here are some interesting examples: sk168057: Restricting Threat Prevention Gateways to China (Geo-Restriction) & sk97877: Restricting Gateways to Send Files for Emulation only in a Specific Country (Threat Emulati...

There really isn’t a big "database download" for all AV/ABOT-based protections like there is for IPS, but AV/ABOT do have a big signature database they download for a portion of their inspection duties. I believe this is the "Update Number" shown in cpview on the Software-blades...Overview screen and the Gateways & Servers tab of SmartConsole, but NOT on the "Protections" screen shown in your last post. While not clearly documented, the actual scanning engines employed by AV/ABOT can also be modified or enhanced by Check Point via these updates "on the fly" in response to new threats.

All of this will be covered in the upcoming Check Point Threat Prevention Specialist (CTPS) course that should be available worldwide from ATCs in Q3 2024.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com