This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2023-02-13 08:36 AM

Searching for IPS protections via ssh

Hey guys,

Figured would share this in case anyone encounters the same problem. So had issue with customer where certain parts of sites on Azure were not coming up when testing from on prem and we ran debug and discovered it was related to IPS, but had hard time finding out the protection in question. So I saw there is a command you can runvia expert mode if you have xeha-decimal value for protection (which we did from the drops) and once we got the protection name, was easy to fix the problem.

[Expert@quantum-firewall:0]# ips

Usage:
ips stat # Display IPS status
ips on|off # Enable\Disable IPS
ips bypass stat # Display Bypass Under Load status
ips bypass on|off # Enable\Disable bypass mode
ips bypass set cpu|mem low|high <th> # Set bypass thresholds
ips debug [-e filter] -o <outfile> # Get IPS debugs
ips refreshcap # Refresh the sample capture repository
ips stats [<ip_address> -m] [-g <seconds>] [<ip_address> <seconds>] [-h]
# Print IPS performance and PM statistics
ips protection <protection_id (hex)> # Display protection name

Note: IPS CLI configuration is temporary - it will be overridden by the next
policy installation or boot
[Expert@quantum-firewall:0]# ips protection 0x82e5656a
Web Servers Malicious URL Directory Traversal
[Expert@quantum-firewall:0]#

I would say since we saw lots of errors first packet isnt SYN and customer proved this worked fine when NOT traversing the CP cluster, I would say, if you ever see that message, always check threat prevention blades, specially IPS, apart from obvious "culprits"...routing, NAT, sxl : - )

Cheers,

Andy

13 Replies
the_rock
Legend
Legend
‎2023-02-13 08:53 AM

Btw, these are drops from zdebug.

To add this as a side note, no matter what words we used to search for IPS protection in smart console, absolutely nothing worked and we were unable to find the actual protection.

 

@;436822375;[vs_0];[tid_1];[fw4_1];ips_cmi_handler_match_cb_ex: Packet dir 0, 19 2.168.37.190:63474 -> 10.30.11.17:80 IPP 6 dropped by IPS [reject] , protection_ id=0x82e5656a, protection_name=<GW CLI: ips protection 0x82e5656a>;
@;436822377;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.37.190 :63474 -> 10.30.11.17:80 dropped by fwmultik_process_f2p_cookie_inner Reason: PS L Drop: WS
@;436822379;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.37.190 :63474 -> 10.30.11.17:80 dropped by fwmultik_process_f2p_cookie_inner Reason: PS L Drop: WS
@;436822442;[vs_0];[tid_1];[fw4_1];ips_cmi_handler_match_cb_ex: Packet dir 0, 19 2.168.37.190:63424 -> 10.30.11.17:80 IPP 6 dropped by IPS [reject] , protection_ id=0x82e5656a, protection_name=<GW CLI: ips protection 0x82e5656a>;

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-02-13 09:23 AM
In response to the_rock

I can find it:

malic.jpg

Has even been updated recently...

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-02-13 09:24 AM
In response to G_W_Albrecht

Well, you can find it when I gave full name lol. If you search by the actual words from the debug I attached, you will NOT find it : - )

Andy

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-02-13 10:09 AM
In response to the_rock

Yes, therefore i use the most important part only...

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-02-13 10:15 AM
In response to G_W_Albrecht

Right and to GET to most important part you need the command : - )

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-02-13 11:47 PM
In response to the_rock

But the command will not be helpfull if you cannot find the protection 😎

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-02-14 03:28 AM
In response to G_W_Albrecht

So answer this then...based on debug I posted, and ONLY debug, how would you ever figure out what is the IPS protection if you dont run command I gave? 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-13 10:12 AM

Great tip!

the_rock
Legend
Legend
‎2023-02-13 10:18 AM
In response to PhoneBoy

Figured would share since I learned this myself today as well : - )

0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2023-02-13 11:36 AM

Very nice, thanks for sharing.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
the_rock
Legend
Legend
‎2023-02-13 11:38 AM
In response to Timothy_Hall

No worries, any time. I asked my colleague to share this link with TAC engineer, hopefully it saves them some time if they ever encounter this with another customer.

Cheers.

0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2023-02-13 11:47 AM

Forgot to mention that it is possible to make the offending IPS signature name show up directly in the fw ctl zdebug drop output by changing variable enable_inspect_debug_compilation from false to true in GUIdbedit, although doing so will substantially increase the size of the compiled policy sent to the gateway: sk60395: How to debug IPS during issues with DCE-RPC traffic

I haven't done this in quite some time and it may no longer be supported.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend
‎2023-02-13 11:49 AM
In response to Timothy_Hall

Ah, good to know.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events