zdebug drop shows the errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER, and HTTPS sites were not working in several environments due to the IPS protection "openssl padding oracle information disclosure" that was updated on 7/8/2020.
Disabling this protection resolves the issue.
IPS update has been replaced. It is now safe to update.
"zdebug" is a macro that only sends debug flags to the fw module if used without additional effort, as "fw ctl zdebug drop". In R80.x the fw module does not do much. You need to debug KISS and UP.
It is better to involve TAC in your case.
Thanks for this - got several customers affected by this. Can confirm that disabling the protection restores internet access.
Please raise a TAC case for this, thanks.
Hi All,
Have engaged TAC - but also received the following update from my CP SE:
The problematic updates are:
634204548 or 635204548
The impact:
- After IPS update, many drops observed (via fw ctl zdebug + drop on CLI)
dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
- The following may be seen in /var/log/messages:
kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
- High CPU utilization and traffic impact
Short term remediation:
1. Re-enable IPS on the gateway object if it was disabled as a workaround.
2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)
   a. Open Gateway Object in SmartConsole
   b. Go to IPS tab (blade must be enabled)
   c. Under "IPS Update Policy" select "Use IPS management updates"
3. Revert to previous good IPS database update
   a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
   b. Under "Threat Tools" (left hand side) select "Updates"
   c. Click the arrow next to "Update Now" and select "Switch to version..."
   d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
   e. Update will be pushed to gateways
   f. Clear any scheduled updates from the "scheduled updates" option
4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.
Best practices for updates and IPS implementation:
This document (while it is specified for R80.10, it is still relevant for newer versions) contains our best practices recommendations about IPS profile implementation, and update best practices. https://sc1.checkpoint.com/documents/Best_Practices/IPS_Best_Practices/CP_R80.10_IPS_Best_Practices/...
Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:
fw ctl set int tls_parser_enable 0
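A triage sketch for the symptoms quoted in this thread, added here as an example and not taken from any post or from Check Point: it counts the three log strings above in saved output of fw ctl zdebug + drop and /var/log/messages. The sample lines, the function names and the 50% default threshold are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. Feed it text captured from
# "fw ctl zdebug + drop" and /var/log/messages on stdin.

# Symptom strings exactly as quoted in the thread.
SYM_TLS='PSL Drop: TLS_PARSER'
SYM_MUX='PSL Drop: MUX_PASSIVE'
SYM_IPS='ips_gen_dyn_log: malware_policy_global_send_log() failed'

# Constructed sample input; the line prefixes and addresses are illustrative.
sample_log() {
cat <<'EOF'
@;1001;[fw4_1];Packet 192.0.2.10:51544 -> 198.51.100.7:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER;
@;1002;[fw4_0];Packet 192.0.2.11:51900 -> 198.51.100.9:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE;
@;1003;[fw4_1];Packet 192.0.2.10:51560 -> 198.51.100.7:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER;
@;1004;[fw4_2];Packet 192.0.2.40:40022 -> 203.0.113.5:23 dropped by fw_send_log_drop Reason: Rulebase drop - rule 12;
Jul  9 08:14:02 gw1 kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
EOF
}

# Count all drop lines and each symptom; fixed-string matching via index().
count_symptoms() {
    awk -v t="$SYM_TLS" -v m="$SYM_MUX" -v i="$SYM_IPS" '
        index($0, "dropped by") { drops++ }
        index($0, t)            { tls++ }
        index($0, m)            { mux++ }
        index($0, i)            { ips++ }
        END { printf "drops=%d tls_parser=%d mux_passive=%d ips_log_fail=%d\n",
                     drops, tls, mux, ips }'
}

# Percentage of all drop lines that carry one of the two PSL reasons.
psl_drop_percent() {
    count_symptoms | awk -F'[= ]' \
        '{ if ($2 == 0) print 0; else print int(($4 + $6) * 100 / $2) }'
}

# Succeeds when PSL drops reach the given share of all drops.
# $1 = minimum percentage (assumed default 50, tune per environment).
matches_thread_symptoms() {
    pct=$(psl_drop_percent)
    [ "$pct" -ge "${1:-50}" ]
}

sample_log | count_symptoms
```

On a real capture, a high PSL share together with the ips_gen_dyn_log line is a reason to check the installed IPS package version against the ones named above before changing anything else.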
We were facing this issue at a customer's installation today as well.
After opening an SR we got an update that IPS versions 634204548 or 635204548 are affected. We reverted to 635204525 and the issue persisted.
As we did not want to proceed by trial and error, we have disabled this protection and the issue is gone for now.
Now we're waiting for the next update (and a reply from the SR owner).
Hello, we are aware of the issue and are working to provide a fix for it.
Meanwhile, if you are affected, please use the following steps for short term remediation:
1. Re-enable IPS on the gateway object if it was disabled as a workaround.
2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)
   a. Open Gateway Object in SmartConsole
   b. Go to IPS tab (blade must be enabled)
   c. Under "IPS Update Policy" select "Use IPS management updates"
3. Revert to previous good IPS database update
   a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
   b. Under "Threat Tools" (left hand side) select "Updates"
   c. Click the arrow next to "Update Now" and select "Switch to version..."
   d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
   e. Update will be pushed to gateways
   f. Clear any scheduled updates from the "scheduled updates" option
4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.
Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:
fw ctl set int tls_parser_enable 0
🤐
I am also facing the same issue after activating the OpenSSL Padding Oracle Information Disclosure (CVE-2016-210) protection.
Disabling this protection resolves the issue.
Regards,
R.B
IPS update has been replaced. It is now safe to update.
Hello
First question: in which package is the IPS protection CPAI-2016-0349 updated and fixed?
Second question: why is there no official advisory regarding this issue? The impact has been huge.
Regards
Anyone having this update propagate?
I'm mashing update and still 635204548.
Just FYI
Due to the high performance impact this will affect customers with a "strict" or custom IPS profile only:
Oddly enough my colleague's lab system has this very protection as "low confidence"
Yeah, that was a nasty one.
Check Point has finally released sk167939 which describes the issue and solution.
It also outlines that Check Point will improve their QA testing.