Thanks for the prompt reply.

By “our /24 subnet”  I meant the source in the rule is a Network Object that is our office subnet xxx.xxx.21.0/255.255.255.0.

I had thought I had attached the error.  But I have now see attached file p3.png.

I think there is an known issue that IPS exception rules doesn't work properly for specific pre-installed IPS protections (Command Injection/Max Ping Size etc.) until R80.20.05.
(For downloaded IPS signatures, exceptions rules should work)

Can you see if the issue resolves with the latest GA firmware R80.20.10 Build 992001433? I believe the issue is fixed here.

Thanks Tom, may be a silly question but where do I find that version?  When I check for updates on the appliance it says I am up to date.  If I click the update manually button, I am directed to a page where I can download R75 and R77 versions but no R80 ones.

Steve

Hi Steve,

You can find the firmware download link from below.

R80.20.10 for Small and Medium Business Appliances
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The reason why the firmware is not downloadable from the appliance WEB UI, is because the firmware is not yet available in the upgrade servers.
Usually new firmware is gradually deployed to the upgrade servers, after the version is widely adopted.
So for now, you will have to manually upgrade it with the image file available in the SK.

Hope it helps.

Thanks Tom, that makes sense.  I've downloaded that and will arrange an out of hours upgrade.

Thanks for all your help.

Steve

Apologies for the delay, but I've not been able to get into the office until today to apply the firmware updated ( now at R80.20.10 (992001433)

Obviously I have missed something in the Exception setup.  From the Treat Prevention section I have added exceptions for our two subnets 192.168.21.0/24 and 192.168.25.0/24 (192.168.25.0 is our VPN/Branch subnet and 192.168.21.0/24 is the office subnet) however when I attempt to edit our Twiki page, either while on the VPN from my laptop or from an RDP session I get the error and can see the action is prevented in the log (Screenshot 2020-08-20 at 07.31.20).  

 Any help on this would be much appreciated.

Tried to send this earlier but it didnt save. 

Steve

Hey,

Did you find a way to bypass this problem? I have the same problem in a much recent version R81.10.05

Regards

That was posted more than 3 years ago...

I will surprise you but I also have problems with CP1550 and Microsoft RDP.

I have people in my office who work remotely on a local Windows Server.

The client computers and the server are on the same subnet 192.168.1.0/24

When establishing an RDP connection it takes significantly longer than usual.

Once logged in, the session is very slow. It looks as if the server is loaded at 100%. but this is not the case. Programs do not start or start after a few minutes. Check Point CPU load at about 35-50% (ripples) RAM about 1.3 to 1.5GB (ripples).

Only disabling IPS, AV, SPAM module set helps. Looks like a problem with the IPS.

The problem occurs inside the local network + remotely via VPN.

Sof version: R81.10.08 (996001608)

The problem has been occurring for several days. Previously, everything was working. Adding servers ora computers to exceptions doesn't do anything as if it doesn't apply them.

I'm wondering whether to restore factory settings and configure everything from the beginning.

Hey Lu89as,

Just found out this is a limitation on Locally managed SMB and the VPN traffic is treated as Internal traffic... SK177063
If you want o create an exception you should create one Global exception, for example in my case:

Source: Any

Destination: Site IP

Protection: Command Injection

Service: ANY

Action: Inactive

Hope this helps...
Regards,

PF

HeyG_W_Albrecht, 

I know this post have more than 3 years, but funny enough it seems that the problem is still present in recent versions.
Trying to understand what can i do to bypass this problem.

Regards,

Hi Mates,

We are facing same issue with R81.10.10. Configured global exception but no luck.

Any solution?

On regular (non SMB/Spark) gateways, the protection Command Injection is a Core Protection.  To create an exception for these you don't create it on the Threat Prevention exceptions screen (those are only for IPS ThreatCloud Proections and the other 5 TP blades), you need to go to the Command Injection protection itself (or any other Core Protection) and add the exception there.  Core Protections have their own separate profile and exception mechanism, but this may be different on SMB/Spark embedded Gaia appliances.

Thanks Tim for the response.

There is no option to create exception in protection.