Matlu
MVP Silver

Inspection Settings Behavior

Hello Team.

Is traffic blocked by the “Inspection Settings” feature in Check Point ‘mandatorily’ labeled as “Inspection Settings” within a LOG?

I'm providing relevant information from the log to explain my question.


Id: 0a7b5e81-5105-ba02-691d-e64d5dd70000
Marker: @A@@B@1763566642@C@1516930
Domain: CMA_MIR
Time: 2025-11-19T15:46:21Z
Interface Direction: inbound
Interface Name: bond2.794
Id Generated By Indexer: false
First: true
Sequencenum: 249
Policy Rule UID: 837284bb-df97-41cd-a8e6-8a8d314623e2
Sub Policy Name: PQ_MIRNET Network
Sub Policy Uid: c4bdc336-5d7e-43e4-8bb3-9a07cfb6f724
Service ID: sip
Source: 10.11.51.14
Source Port: 31857
Destination: 147.219.18.19
Destination Port: 5060
IP Protocol: 17
Request: 180
Source IP-phone: 983667441
Destination Phone Number:51995109913
VoIP Call ID: 1f63acc7-d1b3-4b91-a7a6-23f8b0579819
VoIP Log Type: Security
Content Type: VoIP Session
Inspection Item: Number of retransmissions exceeded the maximum allowed
Inspection Information: Message exceeded the retransmissions limit
Severity: Medium
Performance Impact: Very Low
Inspection Category: protection
Inspection Profile: Default Inspection
Action: Drop
Type: Log
Policy Name: PQ_MIR
Db Tag: {D25FE155-9792-614A-A674-0FDAD2EE6F55}
Policy Date: 2025-11-10T18:48:03Z
Service: UDP/5060
Product Family: Access
Logid: 65536
Access Rule Name: VPN_AWS
Access Rule Number: 90
Interface: bond2.794
Description: sip Traffic Dropped from 10.11.51.14 to 147.219.18.19
Blade: IPS, Firewall

So, my question arises when reviewing the LOG, as I was sure that within the log there should be a section called “INSPECTION SETTINGS DETAILS” so that I could “understand” that this traffic block is due to this Check Point feature. But in my case, there is nothing in the log that indicates this section, and the most relevant thing I see is what is highlighted in bold above.

Does the INSPECTION SETTINGS functionality focus on all protocols or just some?

I have searched the IPS Protections for any signature related to this block, but nothing appears. The only thing I found is a “signature” in the INSPECTION SETTINGS section, but since nothing appears in the LOG that mentions “INSPECTION SETTINGS” I have not given it any importance, but apparently I should 😑

Thank you for your comments.

Lesley
MVP Gold

This is the trigger for me: Inspection Profile: Default Inspection

This tells me to check the inspection settings. "Default Inspection" is the name it has by default. You can customize this name to make it more noticeable for you.

When you configure a Security Gateway, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or create a custom profile and assign it to the Security Gateway.

-------
Please press "Accept as Solution" if my post solved it 🙂

Matlu
MVP Silver

Is “Inspection Settings” related to IPS?
Because in the LOG, as you will notice, it details that this traffic MATCHES the Firewall and IPS blades, but it is easy to get “confused” at this point, since no known “signature” appears here to indicate that the blocking problem is due to an IPS engine signature.
Is my question clear?

the_rock
MVP Platinum

Hey bro,

It's not related to IPS. Inspection settings are more related to protocol compliance and deep packet inspection, while IPS is more related to blocking malicious threats and exploits.

Best,
Andy

emmap
MVP Gold CHKP

Inspection Settings are enforced by the IPS blade part of the software, even though it's not configured in there (anymore...) and you don't need IPS enabled or licensed to enforce them. 

Matlu
MVP Silver

Hello,
So, if I don't have IPS enabled and the INSPECTION SETTINGS function blocks traffic, can it still be “marked” in the LOG as if it were the IPS BLADE that is blocking the traffic?
Based on your comment, I understand that this functionality is closely linked to the IPS blade, correct?
Cheers 🙂

the_rock
MVP Platinum

Just put the exception then from the log, bro. There is usually an option there.

Best,
Andy

emmap
MVP Gold CHKP

Yes it will still say IPS on the log card.

the_rock
MVP Platinum

I suppose that would make sense Emma, since IPS is a blade and inspection settings are slightly unrelated.

Best,
Andy

Gennady
Participant

Good day!

The inspection settings can be found in the following way:

  1. Click on the Manage tab in SmartConsole.
  2. Click on the Blades tab from there.
  3. Then click on General -> Inspection Settings.
  4. Then you can use Search to find an inspection "Maximum Allowed Retransmissions".
  5. Select "SIP Maximum Allowed Retransmissions".
  6. Edit the Inspection.
  7. Click on Advanced.
  8. Set a desired number of retransmissions.

You can also make the inspection Inactive in "General Properties" instead of tuning the value in "Advanced".

As an option, you can also add an Exception for these types of Inspections if you go to "Exceptions" at step 4 instead of going to "Search".

Please, find the screenshot below:

Inspection Settings_edit.png
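
Added example (not part of any post in this thread, and not Check Point code): a triage script for log cards saved as `Field: Value` text, as in the question. It applies the reading given in the replies above, that an `Inspection Profile` field marks an Inspection Settings drop even when `Blade` lists IPS, and groups those drops so the inspection to tune or except stands out. The field names come from the quoted log; the plain-text export layout, the function names and the second sample record are assumptions.

```python
import re
from collections import Counter

# Constructed sample. Record 1 reuses fields from the log card in the question;
# record 2 is an invented accept with documentation-range addresses, for contrast.
SAMPLE = """\
Source: 10.11.51.14
Destination: 147.219.18.19
Destination Phone Number:51995109913
Inspection Item: Number of retransmissions exceeded the maximum allowed
Inspection Profile: Default Inspection
Action: Drop
Service: UDP/5060
Blade: IPS, Firewall

Source: 192.0.2.10
Destination: 198.51.100.20
Action: Accept
Service: TCP/443
Blade: Firewall
"""

FIELD = re.compile(r"^([^:]+):\s*(.*)$")  # split on the first colon only

def parse_cards(text):
    """Blank-line separated blocks of 'Field: Value' lines -> list of dicts."""
    cards = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (FIELD.match(line.strip()) for line in block.splitlines())
        card = {m.group(1).strip(): m.group(2).strip() for m in pairs if m}
        if card:
            cards.append(card)
    return cards

def is_inspection_settings_drop(card):
    """Heuristic taken from the thread, not from vendor documentation: a drop
    carrying an Inspection Profile field, whatever the Blade field says."""
    return card.get("Action") == "Drop" and bool(card.get("Inspection Profile"))

def tuning_candidates(cards):
    """Count such drops per (inspection item, profile, source, destination, service)."""
    keys = ("Inspection Item", "Inspection Profile", "Source", "Destination", "Service")
    return Counter(tuple(c.get(k, "?") for k in keys)
                   for c in cards if is_inspection_settings_drop(c))

if __name__ == "__main__":
    for key, n in tuning_candidates(parse_cards(SAMPLE)).most_common():
        print(n, *key, sep=" | ")
```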

 
