
HTTP threat emulation between Security Gateway and on-premise SandBlast appliance is not working

Hi Checkmates,

We have a Check Point firewall cluster and an on-premise SandBlast device, and we were trying to do HTTP emulation.

It seems the firewall is not sending the file to SandBlast; port 18194 is open between the FW and SandBlast.

The internal interface of the firewall has reachability to the SandBlast object IP, but still the files are not getting emulated.

Attached are the TED logs for your reference. Please have a look and advise if we can do any further debugging to find the issue.

5 Replies
Admin

Re: HTTP threat emulation between Security Gateway and on-premise SandBlast appliance is not working

The logs don't show anything that stands out to me.

Have you engaged with the TAC on this issue?


Re: HTTP threat emulation between Security Gateway and on-premise SandBlast appliance is not working

Yes, I created a support case for the same, but I found some logs in the TED debug showing remote emulation has failed.

Please have a look below:

    referance_uid" : "{63B2CC21-D861-9A46-BE7B-F33BE0B12E90}"
    }

    [ 31421 4085815040][11 Jul  9:22:22] [TE_TRACE]: Setting Java path to: /var/log/files_repository/Java/515bfdd7-1d15-4d41-878f-8dee7c23008b/171/jre/bin/java
    [ 31421 4085815040][11 Jul  9:22:22]  [TE (TD::Surprise)] te::InvestigationPath::Reconf: reconf of: remote emulation failed! (Path: PATH_TE)
    [ 31421 4085815040][11 Jul  9:22:22]  [TE_IS_TRACE (TD::All)] te_is::SocketApiClient::SendObject: sending data:
    {
       "api_name" : "KavReconfData",
       "proxy" : "",
       "referance_uid" : "{E1263DF9-47D9-F244-A1AA-8633B5E3CC7D}"

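When a TED.ELG excerpt like the one above is pasted into a thread, two records often end up fused on one physical line and the JSON body that follows a "sending data:" record gets separated from it. The following parser, added here as an illustration and not part of the thread or of any Check Point tool, normalises such excerpts and flags records whose message contains "remote emulation failed". The line prefix format (`[ pid tid][day Mon H:MM:SS] [component] message`) is inferred only from the lines quoted in this thread and is an assumption; other TED.ELG line shapes may differ. The sample text embedded below is constructed from those same quoted lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed record prefix, inferred from the lines quoted in the thread:
#   "[ 31421 4085815040][11 Jul  9:22:22]  [TE (TD::Surprise)] te::...: message"
#   -> pid, tid, timestamp, bracketed component tag, free-text message.
RECORD_RE = re.compile(
    r"^\[\s*(?P<pid>\d+)\s+(?P<tid>\d+)\]"
    r"\[(?P<ts>\d{1,2} \w{3}\s+\d{1,2}:\d{2}:\d{2})\]\s*"
    r"\[(?P<component>[^\]]+)\]\s*"
    r"(?P<message>.*)$"
)

# Zero-width split point in front of every "[ pid tid][" prefix, so that two
# records glued onto one physical line can be separated again.
RECORD_START_RE = re.compile(r"(?=\[\s*\d+\s+\d+\]\[)")

# The log spells the key "referance_uid"; the parser follows the log, not English.
UID_RE = re.compile(r'"referance_uid"\s*:\s*"(\{[0-9A-Fa-f-]+\})"')

FAILURE_MARKERS = ("remote emulation failed",)


@dataclass
class TedEvent:
    pid: int
    tid: int
    timestamp: str
    component: str
    message: str
    # Non-record lines (e.g. a JSON body) that followed this record.
    continuation: List[str] = field(default_factory=list)


def split_fused_records(line: str) -> List[str]:
    """Split a physical line at every record prefix; drop empty fragments."""
    return [p.strip() for p in RECORD_START_RE.split(line) if p.strip()]


def parse_record(record: str) -> Optional[TedEvent]:
    """Return a TedEvent for a line that carries the assumed prefix, else None."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    # Some components are written "[TE_TRACE]: message"; strip that leading colon.
    message = re.sub(r"^:\s*", "", m["message"]).strip()
    return TedEvent(int(m["pid"]), int(m["tid"]), m["ts"], m["component"], message)


def parse_log(text: str) -> List[TedEvent]:
    """Parse a TED.ELG excerpt; attach body lines to the record they follow."""
    events: List[TedEvent] = []
    for physical in text.splitlines():
        for record in split_fused_records(physical):
            ev = parse_record(record)
            if ev is not None:
                events.append(ev)
            elif events:
                events[-1].continuation.append(record)
            # Body lines before the first record have nothing to attach to; skip.
    return events


def find_remote_emulation_failures(text: str) -> List[TedEvent]:
    """Records whose message mentions a remote (appliance-side) emulation failure."""
    return [
        ev for ev in parse_log(text)
        if any(marker in ev.message.lower() for marker in FAILURE_MARKERS)
    ]


def referenced_uids(ev: TedEvent) -> List[str]:
    """UIDs named in the JSON body that followed a record."""
    return [m.group(1) for line in ev.continuation for m in UID_RE.finditer(line)]


# Constructed sample: the records quoted in the thread, including the fused line.
SAMPLE_TED_LOG = """\
[ 31421 4085815040][11 Jul  9:22:22] [TE_TRACE]: Setting Java path to: /var/log/files_repository/Java/515bfdd7-1d15-4d41-878f-8dee7c23008b/171/jre/bin/java
[ 31421 4085815040][11 Jul  9:22:22]  [TE (TD::Surprise)] te::InvestigationPath::Reconf: reconf of: remote emulation failed! (Path: PATH_TE) [ 31421 4085815040][11 Jul  9:22:22]  [TE_IS_TRACE (TD::All)] te_is::SocketApiClient::SendObject: sending data:
{
   "api_name" : "KavReconfData",
   "proxy" : "",
   "referance_uid" : "{E1263DF9-47D9-F244-A1AA-8633B5E3CC7D}"
"""


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_TED_LOG):
        print(f"{ev.timestamp} [{ev.component}] {ev.message}")
        for uid in referenced_uids(ev):
            print(f"    referenced uid: {uid}")
    for ev in find_remote_emulation_failures(SAMPLE_TED_LOG):
        print(f"FAILURE at {ev.timestamp}: {ev.message}")
```

Run against a full TED.ELG, the failure list gives the timestamps to correlate with the gateway's DLPU and Threat Prevention logs; if no record for an actual file ever appears around them, that supports the diagnosis below that the gateway never handed a file to emulation in the first place.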
Admin

Re: HTTP threat emulation between Security Gateway and on-premise SandBlast appliance is not working

Does the TE appliance have access to the Internet, or at the very least the various Check Point services listed in sk83520?

Employee++

Re: HTTP threat emulation between Security Gateway and on-premise SandBlast appliance is not working

Hi,

So I had a quick look into the logs. At least within the logs provided, I did not even find a file that was picked up by DLPU, so there is also no file in TED.ELG being handled.

Within the TED.ELG (if this is TED.ELG from the gateway) I can see a successful TE engine update, which is a good start 🙂

The failing remote emulation does not look like a "normal" file being handled. I cannot explain that, but I assume your problem is that DLPU does not pick up files from the HTTP stream.

The cause is most of the time a Threat Prevention policy not being configured correctly. Can you share your TP policy settings, ruleset(s) and profile settings?

Also the gateway object settings will help.

Regards Thomas

Employee++

Re: HTTP threat emulation between Security Gateway and on-premise SandBlast appliance is not working

Hi Thomas,

I copied your response from the other thread to this one:

MTA is configured on the TE appliance, and SMTP emulation is working fine. We are facing the issue on HTTP emulation: from the firewall side the file is not being sent to the TE device.

I just have a query: which interface will the firewall use to send the packet to the TE? I have 2 interfaces in the firewall which have reachability to the TE, so if a user is trying to download a file from the internal interface, does it take the internal interface or the other one, which is the management subnet? The SandBlast object IP is from the management subnet.

So a gateway is trying to reach a SandBlast appliance by checking the SandBlast appliance gateway object IP and looking for a way to get to this IP. In most cases this is the Mgmt IP of the SandBlast appliance. If the SandBlast appliance Mgmt IP is not reachable from the GW, it will try to connect to the other configured interfaces on the SandBlast appliance via its own routing table.


Regards Thomas