Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Steve_Parry
Participant

IPS Exceptions not being applied over VPN

Hello, I've had a dig around and looked at a few post about this and none have resolved my issue.

We have a Locally Managed Check Point 1550 Appliance running firmware version is R80.20.05 (992001208).

Threat protection blades are enabled an up to date. When I VPN into our office and access our Twiki site from my PC over RDP we get no issues navigating around, however, if we attempt to edit any content we get an access denial, which we dont see when in the office or if I access directly from a laptop connected to the gateway over VPN .

--------------------------------

Your access is denied

Your access is

denied


Access denied due to firewall policy violation

Your issue ID for support is: 5f254cd8-2-823b977f-c0000002

--------------------------

 

I have added an exception (see attached file) which has the source as our /24 subnet and have tried with destination being the single IP, the Subnet the twiki is on (Twiki is on EC2 in AWS) and to Any.

 

I have even tried disabling the IPS and overridding the Command Injection IPS to be Detect vs Prevent.  Nothing changes.

 

Hopefully the Guru's here can help.

Regard

Steve

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

When you say “our /24 subnet” what precisely does that refer to?
Can you also post the precise log card shown for the drop (redacting sensitive data)?

0 Kudos
Steve_Parry
Participant

Thanks for the prompt reply.

By “our /24 subnet”  I meant the source in the rule is a Network Object that is our office subnet xxx.xxx.21.0/255.255.255.0.

I had thought I had attached the error.  But I have now see attached file p3.png.

 

0 Kudos
Tom_Hinoue
Advisor

I think there is an known issue that IPS exception rules doesn't work properly for specific pre-installed IPS protections (Command Injection/Max Ping Size etc.) until R80.20.05.
(For downloaded IPS signatures, exceptions rules should work)

Can you see if the issue resolves with the latest GA firmware R80.20.10 Build 992001433? I believe the issue is fixed here.

0 Kudos
Steve_Parry
Participant

Thanks Tom, may be a silly question but where do I find that version?  When I check for updates on the appliance it says I am up to date.  If I click the update manually button, I am directed to a page where I can download R75 and R77 versions but no R80 ones.

 

Steve

0 Kudos
Tom_Hinoue
Advisor

Hi Steve,

You can find the firmware download link from below.

R80.20.10 for Small and Medium Business Appliances
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The reason why the firmware is not downloadable from the appliance WEB UI, is because the firmware is not yet available in the upgrade servers.
Usually new firmware is gradually deployed to the upgrade servers, after the version is widely adopted.
So for now, you will have to manually upgrade it with the image file available in the SK.

Hope it helps.

Steve_Parry
Participant

Thanks Tom, that makes sense.  I've downloaded that and will arrange an out of hours upgrade.

Thanks for all your help.

Steve

Steve_Parry
Participant

Apologies for the delay, but I've not been able to get into the office until today to apply the firmware updated ( now at R80.20.10 (992001433)

Obviously I have missed something in the Exception setup.  From the Treat Prevention section I have added exceptions for our two subnets 192.168.21.0/24 and 192.168.25.0/24 (192.168.25.0 is our VPN/Branch subnet and 192.168.21.0/24 is the office subnet) however when I attempt to edit our Twiki page, either while on the VPN from my laptop or from an RDP session I get the error and can see the action is prevented in the log (Screenshot 2020-08-20 at 07.31.20).  

Screenshot 2020-08-20 at 07.44.47.png

 Any help on this would be much appreciated.

 

Tried to send this earlier but it didnt save. 

Steve

0 Kudos