marcyn
Participant

Autonomous Threat Prevention service is down

Hi team,

I'm playing with CheckPoint to get to know it better (again).
I was using CheckPoint in version something like R75 and before... many years ago... and now (like Schwarzenegger in Terminator) I'm back with R81.10.
I'm really surprised how many changes and new features there are in CheckPoint nowadays.
And it looks really easier than before. SmartConsole is great!

I decided to play with this new Autonomous Policy in Threat Prevention.
It was working fine, but now it gives me this message that you can see in the picture (probably I messed something up... because I was enabling this feature, disabling, changing something, etc.).
I was searching for such an issue here (CheckMates and generally on the Internet) but didn't find even a single post about it.... so probably I'm the first one - it's probably because everybody uses Custom Policy - with which I have no problem at all (everything works as supposed to)... but again I want to know as many new features as possible and how to mess them up and then solve the issue 🙂


Does anyone know which service is responsible for Autonomous Policy in Threat Prevention?
Disabling this blade, removing Threat Prevention from the Policy, etc. of course doesn't help.
Where should I look?

--
Best
m.

0 Kudos
3 Replies
Timothy_Hall
Champion

A tool called itp (abbreviation for the original Infinity Threat Prevention feature name) can be used to query, enable, and disable Autonomous TP "on the fly", which can be very helpful when troubleshooting from the CLI of the gateway. Daemon programs called tp_conf_service and TPD on the gateway are responsible for keeping Autonomous TP up to date with the latest best practices. Use cpwd_admin list to check on the status of these processes; if they don't show up there at all, they may be child processes of something like fwd.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
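A health check built from the command outputs quoted in this thread, as an added example (not code from the thread, from Timothy, or from Check Point): it parses the cpwd_admin list and itp status formats shown here and reports whether tp_conf_service, the ATP server and the API are up. The sample outputs are constructed from the posts, and the function names are my own.

```shell
#!/bin/sh
# Added example: health check for Autonomous TP built from the command output
# formats quoted in this thread. Function names are assumptions, not Check Point tools.

# Constructed sample: cpwd_admin list excerpt (from the thread)
CPWD_SAMPLE='APP PID STAT #START START_TIME MON COMMAND
TP_CONF_SERVICE 7433 E 1 [15:43:03] 17/6/2022 N tp_conf_service --conf=tp_conf.json --log=error
FWD 7591 E 1 [15:43:05] 17/6/2022 N fwd'

# Constructed sample: itp status before the fix (server listed as ITP SERVER, Not running)
ITP_BROKEN='CPM Status: None PID: None
API Status: Unknown PID: None Port: 443
ITP SERVER Status: Not running PID: None Port: 443'

# Constructed sample: itp status after the Jumbo HF (server listed as ATP SERVER)
ITP_OK='CPM Status: Started PID: 6223 Port: -
ATP SERVER Status: Started PID: 5424 Port: 443
API Status: Started PID: 6223 Port: 443'

# cpwd_state APP OUTPUT: print the STAT column for a cpwd app (E = executing),
# or "missing" when cpwd_admin does not list it (as with TPD in the thread).
cpwd_state() {
    printf '%s\n' "$2" | awk -v app="$1" \
        '$1 == app { print $3; found = 1 } END { if (!found) print "missing" }'
}

# itp_component_status NAME OUTPUT: print the status text of one itp status
# line ("Started", "Not running", "None", ...), or "missing" when absent.
itp_component_status() {
    printf '%s\n' "$2" | awk -v comp="$1" '
        index($0, comp " Status: ") == 1 {
            s = substr($0, length(comp) + 10)   # text after "NAME Status: "
            sub(/ PID:.*/, "", s); print s; found = 1
        }
        END { if (!found) print "missing" }'
}

# atp_healthy ITP_OUTPUT CPWD_OUTPUT: return 0 when tp_conf_service runs under cpwd
# and both the ATP server and the API report Started; else report the first failure.
atp_healthy() {
    [ "$(cpwd_state TP_CONF_SERVICE "$2")" = "E" ] ||
        { echo "tp_conf_service is not running under cpwd" >&2; return 1; }
    [ "$(itp_component_status 'ATP SERVER' "$1")" = "Started" ] ||
        { echo "ATP server is not started" >&2; return 1; }
    [ "$(itp_component_status API "$1")" = "Started" ] ||
        { echo "API is not started" >&2; return 1; }
}
# Live use (commands as quoted in the thread): atp_healthy "$(itp status)" "$(cpwd_admin list)"
```

On the broken output the check fails at the server line because the component is reported as ITP SERVER with status Not running, which matches the symptom in the second post.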
marcyn
Participant

Hi Timothy,

Thank you for your post.
I've checked this cpwd_admin list and I see tp_conf_service:

# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
(...)
TP_CONF_SERVICE 7433 E 1 [15:43:03] 17/6/2022 N tp_conf_service --conf=tp_conf.json --log=error
FWD 7591 E 1 [15:43:05] 17/6/2022 N fwd
(...)

No TPD here, and as you can see FWD also exists here.

Regarding the itp tool, itp status gives:

(...)
CPM Status: None PID: None
----------------------------------------------------------------
API Status: Unknown PID: None Port: 443
----------------------------------------------------------------
ITP SERVER Status: Not running PID: None Port: 443
----------------------------------------------------------------

If I try to execute itp start, it ends with no error.
There is only information about starting the dockerd service, and after a minute or maybe a little more it finishes:

# itp start
Trying to enable simplified_threat_prevention Auto Update service
Updates state changed to on for component simplified_threat_prevention
Docker daemon is currently stopped.
starting dockerd service
Dockers is supported only on Mgmt installations.

However itp status gives the same result as before.

Do you know the location of the Autonomous TP logs that might shed some light on this issue?
Something like the flow files from $FWDIR/log/rad_events/Errors/ for HTTPS Inspection?

--
Best
m.

0 Kudos
marcyn
Participant

The problem was solved after installing Jumbo HF (Take 55) on the mgmt server.

Now I have:
# itp status
(...)
CPM Status: Started PID: 6223 Port: -
----------------------------------------------------------------
ATP SERVER Status: Started PID: 5424 Port: 443
----------------------------------------------------------------
API Status: Started PID: 6223 Port: 443
----------------------------------------------------------------
Processes Test Results:
Name Test Result More Information
------------------------------------------------
ATP SERVER Positive
API Positive

Still, I would like to know the reason for this issue... but the problem is solved.

--
Best
m.