This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
eduardo21
Explorer
‎2023-03-17 08:49 AM

IPS log displaying "No_protection_5c852822be90f306" in the Threat Profile field

We are seeing some IPS logs that display "No_protection_5c852822be90f306" in the Threat Profile field (image "No_protection" attached).

The IPS blade is enabled on the gateway, and when we check the protection that was identified in this log the action fields say "more details", instead of letting us change the default action for a specific profile, which means we're talking about a core protection. We then have to access the protection page and change the action from within it.

Does anyone know why this might be happening?

 

0 Kudos
7 Replies
Timothy_Hall
Legend Legend
Legend
‎2023-03-17 04:32 PM

Normally I'd guess that for an IPS ThreatCloud protection this would occur when IPS database versions on the SMS and gateways do not match or are out of sync.  However the 39 Core Activations are static and never updated by the ThreatCloud.  Any chance your SMS and gateways are running different code versions from each other, or they are the same but their Jumbo HFAs do not match?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-17 04:50 PM

I would open a TAC case on this.

0 Kudos
the_rock
Legend
Legend
‎2023-03-17 05:18 PM

You said image was attached, but I dont see any screenshots/files in your post. Can you please send us the output? Just blour out any sensitive data. I would ensure that IPS is updated, maybe also send us output of ips stat command from the gw expert mode.

Andy

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2023-03-18 07:22 AM

Did you happen to receive it from a SYN Defender / SYN Attack protection?

 

0 Kudos
the_rock
Legend
Legend
‎2023-03-18 09:34 AM

@eduardo21 Hard to say what this could be, but as @Tal_Paz-Fridman advised, those are some things to try. I even searched the combination of those characters in ssh to see if anything comes up, but nothing so far, but will keep "digging"

Andy

[Expert@quantum-firewall:0]# ips protection 5c852822be90f306
[Expert@quantum-firewall:0]# ips protection be90f306
[Expert@quantum-firewall:0]# ips protection 5c852822
[Expert@quantum-firewall:0]# ips protection 90f306
[Expert@quantum-firewall:0]#

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-20 06:59 PM
In response to the_rock

I saw this exact hex in a handful of TAC cases.
Really do think a TAC case is best here.

0 Kudos
the_rock
Legend
Legend
‎2023-03-20 07:00 PM
In response to PhoneBoy

Then I guess values I was trying were wrong...well, no need to guess, they were WRONG 🤣

Otherwise, ips protection command would have returned correct IPS protection, if hex value was correct.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events