Dario1
Explorer

IPS - Global domain IPS version is an earlier version than the local domain IPS version

We have an R80.40 management server and an R80.20 gateway. The IPS policy is a global threat prevention policy scheduled to update daily. The gateways/cluster IPS is set to the "Use management updates" option.

The MDS global assignments for the CMA3 for threat prevention are out of date all the time, and Reassign fails with the following error:

Despite the global policy update being scheduled to update before the local policy, and the local policy being set to get updates from the server, to my mind the local update version should then never be higher than the global IPS protections update on the MDS.

Task: Assign 'Global' to 'CMA3'

Status: Global Domain Assignment Failed: Global domain IPS version (635210105) is an earlier version than the local domain IPS version (635210151). Update the global domain IPS version to the same or higher version than the local domain IPS.

Any specific best practice instructions on the correct/recommended way to update IPS protections via the global policy TP profile would be much appreciated. Tx

 

0 Kudos
5 Replies
PhoneBoy
Admin

Your message does not include the message you get when reassigning global policy?

0 Kudos
Omri_Raizman
Employee

Hi 

From the issue described, it seems like the IPS global database wasn't updated correctly while the local IPS database is up to date.

First, can you please describe what is the purpose of using schedule update on both CMA and Global domain level?

In order to overcome this issue, I would suggest the following:

1) We need to understand if there were IPS update failures at the global level. Can you please check the logs and look for failures?

2) In order to overcome the global policy reassignment issue, please follow the sk:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

If any further assistance is needed, please feel free to send me a PM and I will be glad to assist.

0 Kudos
Dario1
Explorer

Appreciate your responses PhoneBoy, Omri

Just to clarify: from the Global Assignments, the Reassign part was failing. In the Task Progress list I get:

1) "Global Domain Assignment Failed: Global domain IPS version (635210151) is an earlier version than the local domain IPS version (635210225).
Update the global domain IPS version to the same or higher version than the local domain IPS."

The error is self-explanatory; however, I could not work out why the global policy intermittently doesn't update, or why the gateway had somehow updated when it is configured not to update automatically but to "Use IPS management updates" as per gateway IPS properties, which is what was then causing the local IPS version to be more recent than the global.


I am also getting this second error intermittently when I am the only admin using the global policy, however logging out and back in sometimes fixes this issue so no biggie.

2) Global Domain Assignment Failed: Global Assignment settings are locked for editing by another administrator and need to be published or discarded before the operation can take place.


Omri, in summary we were trying to simplify the IPS updates so that the Global Policy updates are scheduled to check and download the latest protections then to push that out to all the gateways in each CMA. The gateways are configured to "Use IPS management updates" via the GW IPS profile. However there are clearly different ways of configuring/pushing IPS updates and I might have "over configured" judging by your reply.

Omri, you make a good point: "what is the purpose of using schedule update on both CMA and Global domain level ?"
This is probably where I went wrong and over-configured, so I will remove the CMA level IPS update and just leave the global policy IPS update schedule; the gateways will say "Use IPS management updates".
That should hopefully do the job and make sure the local IPS update is never more recent than the global scheduled update, so the reassign won't then fail.

Now I have Global Policy / threat prevention / Update / Schedule Update / ticked "Enable IPS scheduled updates on Server and Gateway" / configure - update daily at 22:00.
Questions: There is no option to automatically install the TP policy to propagate the new protections to the gateways post global scheduled update. Does this happen automatically in the background?
Or do I need to manually reassign at the domain level? Is there any way to automate "Global Assignments" so that post Global IPS scheduled update, assignments are up to date with no manual intervention?


Gents, thanks for your help and patience. Tx Dario

 

0 Kudos
PEO
Participant

Any comments/updates to Dario's request: Is there any way to automate "Global Assignments" so that post Global IPS scheduled update assignments are up to date with no manual intervention?

 

0 Kudos
Tomer_Noy
Employee

@Dario1, can you share the motivation of using the "Use Management updates" option?

Starting from R80.20, gateways can fetch IPS updates independently. This is the recommended way of using IPS updates since it provides much faster protection on the gateways from new threats, without waiting for a policy installation.

Another significant benefit is that the Management doesn't need to push the protections to all gateways during policy installation, and you don't need to perform assign-global-policy after every IPS update in the global level.

You can continue to manage exceptions and granular activation in the global policy, but those changes are usually much less frequent than IPS updates.

0 Kudos