Re: IPS blade generates "General Notice: Internal ...

Dilian_Chernev · ‎2019-10-21

Hi guys,

I noticed too many IPS logs with Attack name : General Notice, and Attack Information: Internal Error.

Here is a screenshot :

All sources are internal users going to proxy server, placed in DMZ segment of Checkpoint.

I suspect that this log is generated when a user is rejected/denied access to some URL by the proxy.

There are lot of such events, and I am trying to get rid of them, but cannot Add an exception or stop the protection as there is not such in the DB.

Any recommendations?

Thanks,
Dilian

PhoneBoy · ‎2019-10-23

Recommend involving the TAC here.
"Internal error" usually means something unexpected took place.

Dilian_Chernev · ‎2019-10-30

I figured out why this messages appears..
When a non-authorized users sent request to the proxy, proxy returns "407 proxy authentication" message.
It seems that checkpoint sees this message and generates two logs - one ips prevent (shown above) and one fw reject.

Still, I don't know how to disable those kind of logs, as they are filling logs and overload the smartevent also.

entsupport · ‎2019-10-30

Hello Dilian,

We are also facing the similar issue since last 1 month . Also got it checked with GTAC but they were unable to resolve the issue. We have not enabled any packet capture for bluecoat proxy but still the packet is getting captured and continuously filling up /var/log . Bluecoat proxy is in DMZ subnet .

Attached is the screenshot of the same. Request you to kindly provide with a solution.

GAIA 80.10 version on gateway.

entsupport · ‎2019-11-05

Hello all,

The case is already with TAC but they also cannot identify the root cause. TAC has run the script for deleting tmo files in var/log/spool/mail folder in every 1 hour. Its observed that the cpu utilization reaches 100%. Can anyone help us out to resolve this issue?

Dilian_Chernev · ‎2019-11-05

Is your GW configured as a HTTP/S proxy ?

entsupport · ‎2019-11-06

Yes but we are not using this proxy now. We are using bluecoat proxy as a proxy server for internet access

Dilian_Chernev · ‎2019-11-06

Please try to disable the GW proxy.
I suppose it is causing these problems, even not using it.

entsupport · ‎2019-11-07

I have disabled the Http/https proxy blade yesterday evening & after that not observed general notice issue.

We are continuously monitoring the same for next few days.

Thanks for your support on this issue.

Dilian_Chernev · ‎2019-11-07

Thanks for the feedback.

As I think, this some bug/feature in CP code.
Now I will have to convice the CP TAC to investigate and resolve this

entsupport · ‎2020-01-23

Do you able to convince TAC for this isse?

Chris_Atkinson · ‎2020-01-24

I've seen instances of this type of error typically either where incorrect proxy settings have been set for gateways (itself) or there is a proxy servicing/referencing another proxy (potential lookup loop) occuring.

Recommend validating the proxy settings in the three places they're found:

SmartConsole: Global Properties

SmartConsole: Gateway Properties

GAiA Web UI / CLISH

CCSM R77/R80/ELITE

Dilian_Chernev · ‎2020-01-24

I didn't find any proxy specific settings in Global Properties or Gaia, only in GW - interface, ports only

Are you a member of CheckMates?

IPS blade generates "General Notice: Internal error" logs