eduardo21
Explorer

IPS log displaying "No_protection_5c852822be90f306" in the Threat Profile field

We are seeing some IPS logs that display "No_protection_5c852822be90f306" in the Threat Profile field (image "No_protection" attached).

The IPS blade is enabled on the gateway, and when we check the protection that was identified in this log the action fields say "more details", instead of letting us change the default action for a specific profile, which means we're talking about a core protection. We then have to access the protection page and change the action from within it.

Does anyone know why this might be happening?

 

0 Kudos
7 Replies
Timothy_Hall
Legend

Normally I'd guess that for an IPS ThreatCloud protection this would occur when IPS database versions on the SMS and gateways do not match or are out of sync.  However the 39 Core Activations are static and never updated by the ThreatCloud.  Any chance your SMS and gateways are running different code versions from each other, or they are the same but their Jumbo HFAs do not match?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin

I would open a TAC case on this.

0 Kudos
the_rock
Legend

You said an image was attached, but I don't see any screenshots/files in your post. Can you please send us the output? Just blur out any sensitive data. I would ensure that IPS is updated, maybe also send us the output of the ips stat command from the gw expert mode.

Andy

0 Kudos
Tal_Paz-Fridman
Employee

Did you happen to receive it from a SYN Defender / SYN Attack protection?

 

0 Kudos
the_rock
Legend

@eduardo21 Hard to say what this could be, but as @Tal_Paz-Fridman advised, those are some things to try. I even searched the combination of those characters in ssh to see if anything comes up, but nothing so far, but will keep "digging"

Andy

[Expert@quantum-firewall:0]# ips protection 5c852822be90f306
[Expert@quantum-firewall:0]# ips protection be90f306
[Expert@quantum-firewall:0]# ips protection 5c852822
[Expert@quantum-firewall:0]# ips protection 90f306
[Expert@quantum-firewall:0]#

0 Kudos
PhoneBoy
Admin

I saw this exact hex in a handful of TAC cases.
Really do think a TAC case is best here.

0 Kudos
the_rock
Legend

Then I guess values I was trying were wrong...well, no need to guess, they were WRONG 🤣

Otherwise, the ips protection command would have returned the correct IPS protection, if the hex value was correct.

0 Kudos
