This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lcorrea
Explorer
‎2020-08-06 02:58 PM
Jump to solution

IPS dropping legitimate traffic

Hi Everyone,

 

I hope you can help me out sorting this one out, basically we have some VPN users that are trying to access a SQL database via MySQL Workbench and the IPS is for some reason dropping the traffic, from the debugs this is what I can see:

 

@;184396671;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 10.203.125.10:19993 -> 10.88.23.34:3306 dropped by fwpslglue_chain Reason: PSL Reject: INSPECT_STREAMING_0;

 

However I have been unable to find much information in regards to the drop reason.

 

Have you ever seen something like that or know what may be causing it?

 

Thanks in advanced for the assistance provided.

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-08-09 11:32 AM
Jump to solution

1) Use an IPS exception rule to allow the traffic for the IP (MySQL Server).

If this does not help, you can disable passive streaming (PSLXL) in SecureXL path  for the IP with fast acceleration.

2) The fast acceleration feature lets you define trusted connections to allow bypassing deep packet inspection on R80.20 JHF103 and above gateways. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption. More here: R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

0 Kudos
5 Replies
MartinTzvetanov
Advisor
‎2020-08-07 06:16 AM
Jump to solution

What does IPS log say in SmartConsole?

0 Kudos
lcorrea
Explorer
‎2020-08-10 07:35 AM
In response to MartinTzvetanov
Jump to solution

Hi Martin,

 

Attached is what I'm getting on SmartConsole.

 

Leo.

 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2020-08-09 11:32 AM
Jump to solution

1) Use an IPS exception rule to allow the traffic for the IP (MySQL Server).

If this does not help, you can disable passive streaming (PSLXL) in SecureXL path  for the IP with fast acceleration.

2) The fast acceleration feature lets you define trusted connections to allow bypassing deep packet inspection on R80.20 JHF103 and above gateways. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption. More here: R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
lcorrea
Explorer
‎2020-08-10 07:37 AM
In response to HeikoAnkenbrand
Jump to solution

Hi Heiko,

 

Ideally I would want to avoid IPS exception as the source is all our VPN pool and the destination is our SQL databases so we would leave our SQL databases without IPS protection against VPN users.

 

Leo.

0 Kudos
Avi_Bechor
Employee
Employee
‎2020-08-09 11:20 PM
Jump to solution

Hi,

Thank you for the inquiry. Reached our using a private message to further understand this specific case and assist.

 

Thanks,

Avi

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top