This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
Employee Employee
Employee
‎2022-04-27 04:42 AM

IOC feed stops working after TP policy install R80.40

Just wondering if anyone else seen this weird behaviour.  And funny enough it only happens in one cluster - others with similar setup do not experience the same problem. 

GW is running R80.40 T156 and we are using IOC feed configured in CLI. After enabling feed all works as expected. But as soon as we push TP policy, feed stops working (meaning users can access sites that should be blocked). If we inactivate/activate feed, it works again - sites are being blocked. Access policy install does not affect it.

We tried:

  • upgrading to T156 from T139
  • changing enforcement balde AB <> AV
  • reduced the list to one entry

But still no joy.

The only suspect could be EVAL (valid) license but that's a very long shot.

Debugging with $FWDIR/bin/ioc_feeder -d -f did not produce any valuable info in log files.

Logs just show accept on access policy but nothing from TP poplicy layer

 

3 Replies
Tobias_Moritz
Advisor
‎2022-04-28 02:34 AM

Good catch! Hard to find, when not tested explicitly, because there is no error message anywere in that case.

I could replicate this on R80.40 JHFT156 as well. However, when I wait until the next regular scheduled ios_feeder run is finished, my test site gets blocked again.

So for me:

  1. feed is working.
  2. TP Policy installed.
  3. feed is not working (at least not enforced - there is no error message)
  4. next scheduled ioc_feeder run is finished (in my case about 15 minutes after TP policy installation)
  5. feed is working again.

Can you verify if the behavior is the same on your side? Have you opened a TAC case yet?

Kaspars_Zibarts
Employee Employee
Employee
‎2022-04-28 02:50 AM
In response to Tobias_Moritz

Thanks Tobias for checking! Really appreciated!

I'm afraid in our case it remains permanently OFF. Until I manually stop/start IOC feed using state option, i.e.

ioc_feeds modify --feed_name blacklist --state false

ioc_feeds modify --feed_name blacklist --state true

The only strange debug log generated after policy push is this one

image.png

 

Looks like TAC case for me. But yours is not good either! When you have protection off for 15mins! 🙂

0 Kudos
Tobias_Moritz
Advisor
‎2022-04-28 03:33 AM
In response to Kaspars_Zibarts

Okay, so we have different symptoms. I also do not have any error message in debug log.

Your case definitly sounds like TAC-worthy but I agree, that mine is also not okay. Although its 5 minutes and not 15 (was a mistake from me to say so), this should not happen. I think I will also open a TAC case for that.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events