We observe a strange log of IPS Blade, Gaia R80.10.
The name of the signature is not specified; from "Protection Details" we can see only Severity: Informational. But the action of this unknown protection is prevent, and we do not understand why traffic is dropped.
What could this mean? Can you explain, please?
Can you post a screenshot of the dropped log entry?
Unfortunately, no. A lot of data will need to be drawn; the log after that will not be informative.
Without seeing the contents of the drop, I'm not sure how helpful anyone can be here. Like Rick said below, it is probably related to a Core Protection drop instead of an IPS drop. The handling of these in R80.10 is a bit different than R77.30. I
You should be able to sanitize the screen shot of IP addresses and such and still have the drop log be relevant and helpful to this discussion. But that's up to you!
Sorry, I also forgot to ask: How frequently are these drops happening? Is it easy to reproduce?
I think it could be a protection listed in the "Core Protection" or "Inspection Settings" profile.
I was thinking the same thing because I ran into this a couple weeks ago and it was a little confusing to figure out where the drop was happening.
As I know, IPS has three kinds of Protection Profiles in the R80 age.
1. ThreatCloud Protections (Enforce Signatures or Pattern Match)
2. Core Protections (Enforce Protocol Parser)
3. Inspection Settings (low-level enforcement engine)
ThreatCloud Protections are applied with the Threat Prevention Policy.
Core Protections and Inspection Settings are applied with the Access Control Policy.
If this dropped traffic has a particular source or destination IP, then I would suggest running fw ctl debug -m fw + drop with the affected IP so that we can get some information and find the right direction to look.
Hi Guys,
We are also getting IPS prevent logs in R80.40, and an informational protection is dropping the traffic without a protection name, but sorry to say I could not take logs as there was a production issue. So, we have put those source and destination IPs in the IPS exception list. Now we are getting detect logs as IPS is bypassed.
I collected the xml data which I am attaching below.
<?xml version="1.0" encoding="utf-16"?>
<row>
<field name="time" value="2023-05-23T11:39:30Z" resolved="Today, 17:09:30" />
<field name="i_f_dir" value="outbound" icon="Traffic/interface_out" />
<field name="i_f_name" value="eth1-02.82" />
<field name="id" value="b57017d8-9af3-addc-646c-a5f0000000bc" />
<field name="sequencenum" value="3089" />
<field name="policy" value="DC_Customer_Policy" />
<field name="policy_time" value="2023-05-21T04:03:31Z" resolved="21 May 23, 09:33:31" />
<field name="src" value="172.16.222.246" resolved="H_172.16.222.246" isCHKPObject="true" />
<field name="s_port" value="11616" />
<field name="dst" value="172.16.44.11" resolved="ip_172.16.44.11" isCHKPObject="true" />
<field name="service" value="9085" />
<field name="proto" value="6" resolved="TCP (6)" isCHKPObject="false" />
<field name="session_id" value="0x646ca5f0,0xbc,0xd81770b5,0xdcadf39a" />
<field name="source_os" value="AIX" />
<field name="rule_uid" value="da7bb18f-122a-4bb6-ae35-3cc1bad18dff" />
<field name="malware_rule_id" value="2490992B-7065-455B-BB66-D69CB176DA29" />
<field name="reject_id_kid" value="646ca5f0-bb-d81770b5-dcadf39a" />
<field name="ser_agent_kid" value="Microsoft IE 8.0" />
<field name="log_id" value="2" />
<field name="proxy_src_ip" value="172.16.222.246" />
<field name="action" value="Detect" icon="Actions/actionsDetect" />
<field name="smartdefense_profile" value="CB-IPS" />
<field name="type" value="Log" icon="type_log" />
<field name="policy_name" value="DC_Customer_Policy" />
<field name="policy_mgmt" value="ncssmartcenter" />
<field name="db_tag" value="{6A29D923-0909-4A40-9F2C-6260D94C1848}" />
<field name="policy_date" value="2023-05-21T22:47:32Z" resolved="Yesterday, 04:17:32" />
<field name="product" value="IPS" icon="Blades/IPS" />
<field name="orig" value="CB-DC-CP-DMZ-APP-FW1" />
<field name="fservice" value="TCP_9081-9088" />
<field name="product_family" value="Threat" icon="Blades/threat_prevention" />
<field name="resource" value="http://netbanking.canarabank.in/entry/merchantverify" />
<field name="marker" value="@A@@B@1684840366@C@9229766" />
<field name="orig_log_server" value="172.16.39.120" resolved="CB-DC-CP-EVENT-SRV" isCHKPObject="true" uuid="826afd85-52f2-4129-a935-8272425295a1" />
<field name="orig_log_server_ip" value="172.16.39.120" />
<field name="index_time" value="2023-05-23T11:40:52Z" />
<field name="lastUpdateTime" value="1684841970000" />
<field name="lastUpdateSeqNum" value="3089" />
<field name="severity" value="Informational" icon="Levels/Gray_4_0" />
<field name="rounded_sent_bytes" value="0" />
<field name="confidence_level" value="N/A" icon="Levels/Gray_5_0" />
<field name="rounded_bytes" value="0" />
<field name="stored" value="true" />
<field name="rounded_received_bytes" value="0" />
<field name="__interface" value="eth1-02.82" icon="Traffic/interface_out" />
<table name="TP_match_table">
<item row="0">
<field name="layer_name" value="IPS" />
<field name="layer_uuid" value="073CA63F-34EE-40D2-8F77-BC0C9AAFD733" />
<field name="malware_rule_id" value="258579B4-2450-420D-A2B8-75FEDEA8F727" />
<field name="smartdefense_profile" value="CB-IPS" />
</item>
<item row="1">
<field name="layer_uuid" value="53F09FA9-1E81-454B-9772-78BCBF7256A7" />
<field name="malware_rule_id" value="8B88C397-C6ED-D44C-B59A-EF11AFECD4EE" />
<field name="smartdefense_profile" value="CB-ANTIBOT-ANTIVIRUS" />
</item>
</table>
<table name="resource_table">
<item row="0">
<field name="resource" value="http://netbanking.canarabank.in/entry/merchantverify" />
</item>
</table>
</row>
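As an added example (not part of the thread or of any Check Point tool), the record above can be parsed to confirm what the posters describe: the row names a product, profile, severity and action but carries no named protection, and its TP_match_table lists which profiles matched. The field name `protection_name` for a named signature and the triage wording are assumptions drawn from the replies above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the log export posted above (declared utf-16 there).
SAMPLE_LOG = """<?xml version="1.0" encoding="utf-16"?>
<row>
<field name="action" value="Detect" icon="Actions/actionsDetect" />
<field name="smartdefense_profile" value="CB-IPS" />
<field name="product" value="IPS" icon="Blades/IPS" />
<field name="severity" value="Informational" icon="Levels/Gray_4_0" />
<table name="TP_match_table">
<item row="0">
<field name="layer_name" value="IPS" />
<field name="smartdefense_profile" value="CB-IPS" />
</item>
<item row="1">
<field name="smartdefense_profile" value="CB-ANTIBOT-ANTIVIRUS" />
</item>
</table>
</row>"""

# Assumption: a named signature would show up as a "protection_name" field.
# The posted record carries no such field, which is what the thread is about.
PROTECTION_FIELD = "protection_name"

def _fields(elem):
    """Map the direct <field> children of elem to name -> value."""
    return {f.get("name"): f.get("value") for f in elem.findall("field")}

def parse_log_row(xml_text):
    """Parse one exported <row>; TP_match_table items land under 'matches'."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # drop the utf-16 declaration
    row = ET.fromstring(body)
    record = _fields(row)
    table = row.find("table[@name='TP_match_table']")
    record["matches"] = [] if table is None else [_fields(i) for i in table.findall("item")]
    return record

def triage(record):
    """Defender-side notes for an IPS log whose protection is unnamed."""
    notes = []
    if record.get("product") == "IPS" and not record.get(PROTECTION_FIELD):
        notes.append("no named ThreatCloud protection: check Core Protections and "
                     "Inspection Settings (enforced by the Access Control policy)")
    if record.get("action") == "Prevent" and record.get("severity") == "Informational":
        notes.append("Prevent on an Informational match: likely a Core Protection "
                     "(protocol parser) or Inspection Settings match, not a signature")
    profiles = sorted({m.get("smartdefense_profile") for m in record["matches"]} - {None})
    notes.append("profiles matched: " + ", ".join(profiles))
    return notes
```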