Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Olga_Kuts
Advisor

IPS drooped traffic without without specifying a protection name

We observe a strange log of IPS Blade, Gaia R80.10.
The name of the signature is not specified, from "Protection Details" we can see only Severity: Informational. But the action of this unknown protection is prevent, and we do not understand why traffic is dropped.
What could this mean? Can you explain, please?

0 Kudos
9 Replies
Daniel_Taney
Advisor

Can you post a screenshot of the dropped log entry?

R80 CCSA / CCSE
0 Kudos
Olga_Kuts
Advisor

Unfortunately, no. A lot of data will need to be drawn, the log after that will not be informative.

0 Kudos
Daniel_Taney
Advisor

Without seeing the contents of the drop, I'm not sure how helpful anyone can be here. Like Rick said below, it is probably related to a Core Protection drop instead of an IPS drop. The handling of these in R80.10 is a bit different than R77.30. I

You should be able to sanitize the screen shot of IP addresses and such and still have the drop log be relevant and helpful to this discussion. But that's up to you!

R80 CCSA / CCSE
0 Kudos
Daniel_Taney
Advisor

Sorry, I also forgot to ask: How frequently are these drops happening? Is it easy to reproduce? 

R80 CCSA / CCSE
0 Kudos
RickLin
Advisor
Advisor

I think it could be an protection listed in "Core Protection" or "Inspection Settings" profile.

0 Kudos
Daniel_Taney
Advisor

I was thinking the same thing because I ran into this a couple weeks ago and it was a little confusing to figure out where the drop was happening. 

R80 CCSA / CCSE
0 Kudos
RickLin
Advisor
Advisor

As I known, IPS have three kinds of Protection Profiles in R80 age.

1.ThreatCloud Protections (Enforce Signatures or Pattern Match)

2.Core Protections(Enforce Protocol Parser)

3.Inspection Settings(low level enforcement engine)

ThreatCloud Protections is applied with Threat Prevention Policy.

Core Protections and Inspection Settings are applied with Access Control Policy.

Gaurav_Pandya
Advisor

If This Drop traffic is with particular source or destination IP then I would suggest to do fw ctl debug -m fw + drop with affected IP so that we can get some information and find right direction to look.

pankajjain1
Explorer

Hi Guys,

We are also getting IPS prevent logs in r80.40 and informational protection is dropping the traffic without protection name but sorry to say I could not take logs as there was a production issue. So, we have put those source and destination IPs in IPS exception list. Now we are getting detect logs as IPS is bypassed. 

I collected the xml data which I am attaching below. 

 

<?xml version="1.0" encoding="utf-16"?>
<row>
<field name="time" value="2023-05-23T11:39:30Z" resolved="Today, 17:09:30" />
<field name="i_f_dir" value="outbound" icon="Traffic/interface_out" />
<field name="i_f_name" value="eth1-02.82" />
<field name="id" value="b57017d8-9af3-addc-646c-a5f0000000bc" />
<field name="sequencenum" value="3089" />
<field name="policy" value="DC_Customer_Policy" />
<field name="policy_time" value="2023-05-21T04:03:31Z" resolved="21 May 23, 09:33:31" />
<field name="src" value="172.16.222.246" resolved="H_172.16.222.246" isCHKPObject="true" />
<field name="s_port" value="11616" />
<field name="dst" value="172.16.44.11" resolved="ip_172.16.44.11" isCHKPObject="true" />
<field name="service" value="9085" />
<field name="proto" value="6" resolved="TCP (6)" isCHKPObject="false" />
<field name="session_id" value="0x646ca5f0,0xbc,0xd81770b5,0xdcadf39a" />
<field name="source_os" value="AIX" />
<field name="rule_uid" value="da7bb18f-122a-4bb6-ae35-3cc1bad18dff" />
<field name="malware_rule_id" value="2490992B-7065-455B-BB66-D69CB176DA29" />
<field name="reject_id_kid" value="646ca5f0-bb-d81770b5-dcadf39a" />
<field name="ser_agent_kid" value="Microsoft IE 8.0" />
<field name="log_id" value="2" />
<field name="proxy_src_ip" value="172.16.222.246" />
<field name="action" value="Detect" icon="Actions/actionsDetect" />
<field name="smartdefense_profile" value="CB-IPS" />
<field name="type" value="Log" icon="type_log" />
<field name="policy_name" value="DC_Customer_Policy" />
<field name="policy_mgmt" value="ncssmartcenter" />
<field name="db_tag" value="{6A29D923-0909-4A40-9F2C-6260D94C1848}" />
<field name="policy_date" value="2023-05-21T22:47:32Z" resolved="Yesterday, 04:17:32" />
<field name="product" value="IPS" icon="Blades/IPS" />
<field name="orig" value="CB-DC-CP-DMZ-APP-FW1" />
<field name="fservice" value="TCP_9081-9088" />
<field name="product_family" value="Threat" icon="Blades/threat_prevention" />
<field name="resource" value="http://netbanking.canarabank.in/entry/merchantverify" />
<field name="marker" value="@A@@B@1684840366@C@9229766" />
<field name="orig_log_server" value="172.16.39.120" resolved="CB-DC-CP-EVENT-SRV" isCHKPObject="true" uuid="826afd85-52f2-4129-a935-8272425295a1" />
<field name="orig_log_server_ip" value="172.16.39.120" />
<field name="index_time" value="2023-05-23T11:40:52Z" />
<field name="lastUpdateTime" value="1684841970000" />
<field name="lastUpdateSeqNum" value="3089" />
<field name="severity" value="Informational" icon="Levels/Gray_4_0" />
<field name="rounded_sent_bytes" value="0" />
<field name="confidence_level" value="N/A" icon="Levels/Gray_5_0" />
<field name="rounded_bytes" value="0" />
<field name="stored" value="true" />
<field name="rounded_received_bytes" value="0" />
<field name="__interface" value="eth1-02.82" icon="Traffic/interface_out" />
<table name="TP_match_table">
<item row="0">
<field name="layer_name" value="IPS" />
<field name="layer_uuid" value="073CA63F-34EE-40D2-8F77-BC0C9AAFD733" />
<field name="malware_rule_id" value="258579B4-2450-420D-A2B8-75FEDEA8F727" />
<field name="smartdefense_profile" value="CB-IPS" />
</item>
<item row="1">
<field name="layer_uuid" value="53F09FA9-1E81-454B-9772-78BCBF7256A7" />
<field name="malware_rule_id" value="8B88C397-C6ED-D44C-B59A-EF11AFECD4EE" />
<field name="smartdefense_profile" value="CB-ANTIBOT-ANTIVIRUS" />
</item>
</table>
<table name="resource_table">
<item row="0">
<field name="resource" value="http://netbanking.canarabank.in/entry/merchantverify" />
</item>
</table>
</row>

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events