Dilian_Chernev
Collaborator

IPS blade generates "General Notice: Internal error" logs

Hi guys,

I noticed too many IPS logs with Attack Name: General Notice, and Attack Information: Internal Error.

Here is a screenshot :

r80_ips_general_notice_internal_error-b.png

 

All sources are internal users going to a proxy server placed in the DMZ segment of the Checkpoint.

I suspect that this log is generated when a user is rejected/denied access to some URL by the proxy.

There are a lot of such events, and I am trying to get rid of them, but I cannot add an exception or stop the protection, as there is no such protection in the DB.

Any recommendations?

Thanks,
Dilian

0 Kudos
12 Replies
PhoneBoy
Admin

Recommend involving the TAC here.
"Internal error" usually means something unexpected took place.
0 Kudos
Dilian_Chernev
Collaborator

I figured out why this message appears.
When a non-authorized user sends a request to the proxy, the proxy returns a "407 proxy authentication" message.
It seems that Check Point sees this message and generates two logs - one IPS prevent (shown above) and one FW reject.

Still, I don't know how to disable these kinds of logs, as they are filling the logs and also overloading SmartEvent.
0 Kudos
entsupport
Explorer

Hello Dilian,

 

We have also been facing a similar issue for the last month. We also got it checked with GTAC, but they were unable to resolve the issue. We have not enabled any packet capture for the Bluecoat proxy, but packets are still getting captured and continuously filling up /var/log. The Bluecoat proxy is in the DMZ subnet.

Attached is the screenshot of the same. Request you to kindly provide a solution.

GAIA 80.10 version on gateway.

0 Kudos
entsupport
Explorer

Hello all,

The case is already with TAC, but they also cannot identify the root cause. TAC has run the script for deleting tmo files in the var/log/spool/mail folder every hour. It's observed that the CPU utilization reaches 100%. Can anyone help us resolve this issue?

0 Kudos
Dilian_Chernev
Collaborator

Is your GW configured as an HTTP/S proxy?
0 Kudos
entsupport
Explorer

Yes, but we are not using this proxy now. We are using the Bluecoat proxy as a proxy server for internet access.

0 Kudos
Dilian_Chernev
Collaborator

Please try to disable the GW proxy.
I suppose it is causing these problems, even though you are not using it.
entsupport
Explorer

I disabled the HTTP/HTTPS proxy blade yesterday evening and have not observed the General Notice issue since.

We are continuously monitoring the same for the next few days.

Thanks for your support on this issue. 

0 Kudos
Dilian_Chernev
Collaborator

Thanks for the feedback.

I think this is some bug/feature in the CP code.
Now I will have to convince the CP TAC to investigate and resolve this.

0 Kudos
entsupport
Explorer

Were you able to convince TAC about this issue?

0 Kudos
Chris_Atkinson
Employee

I've seen instances of this type of error typically either where incorrect proxy settings have been set for gateways (itself) or there is a proxy servicing/referencing another proxy (potential lookup loop) occurring.

Recommend validating the proxy settings in the three places they're found:

SmartConsole: Global Properties

SmartConsole: Gateway Properties

GAiA Web UI / CLISH

 

CCSM R77/R80/ELITE
0 Kudos
Dilian_Chernev
Collaborator

I didn't find any proxy-specific settings in Global Properties or Gaia, only in GW - interface, ports only.

0 Kudos
