This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jerry
Mentor
Mentor
‎2019-04-30 03:34 AM
Jump to solution

IPS issue (R80.20) - cannot remove IPS blade from GW object

hi chaps

 

got an interesting one

 

1. object of the GW has IPS enabled, when trying to untick and disable it I cannot seem to save the changes as SmartConsole shout on me as following:

a. "Failed to save object "xxx". A blocking validation error was found: Field InstallTargetIds references invalid object

b. "The current changes to object "xxx" parameters are invalid and therefore will be discarded"

 

and that's all. when "a" occur the only way to move on is to click OK, when done "b" appears.

 

any idea what and why? literally nothnig has changed on that "StandAlone" Appliance since original install of R80.20.

 

ps. cpinfo -y all below (also see enclosed 1.png)

 

[Expert@xxx:0]# cpinfo -y all

This is Check Point CPinfo Build 914000190 for GAIA
[IDA]
No hotfixes..

[CPFC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[MGMT]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[FW1]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

FW1 build number:
This is Check Point Security Management Server R80.20 - Build 007
This is Check Point's software version R80.20 - Build 047
kernel: R80.20 - Build 047

[SecurePlatform]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[CPinfo]
No hotfixes..

[DIAG]
No hotfixes..

[PPACK]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[SmartLog]
No hotfixes..

[Reporting Module]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[CPuepm]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[VSEC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[R77CMP]
HOTFIX_R80_20_JHF_COMP Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC

[R75CMP]
No hotfixes..

[NGXCMP]
No hotfixes..

[EdgeCmp]
No hotfixes..

[SFWCMP]
No hotfixes..

[FLICMP]
No hotfixes..

[SFWR75CMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPUpdates]
BUNDLE_CPINFO Take: 0
BUNDLE_R80.20_SC Take: 101
BUNDLE_R80_20_JUMBO_HF_MAIN Take: 47
BUNDLE_R80_20_JUMBO_HF_MAIN_SC Take: 73

Jerry
Preview file
15 KB
2 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2023-05-15 02:29 PM
In response to Tony_Graham
Jump to solution

Right-click on the gateway object and select "Where Used".  That should help you figure out where the reference to that object is that is blocking you.  My guess is you are referencing that particular gateway for "Install On" in a custom Threat Prevention rule, IPS ThreatCloud exception or possibly even a Core Activations exception.

Geo Policy is not part of IPS starting in R80 (and this feature is now deprecated) but there still may be some remaining hooks to IPS here as I sometimes still notice references to IPS in the logs for Geo Policy drops.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

the_rock
Legend
Legend
‎2023-05-15 03:08 PM
In response to Tony_Graham
Jump to solution

Thats pretty much how it works for any blade, if blade is NOT active, rules will never apply.

Andy

View solution in original post

0 Kudos
22 Replies
Tal_Paz-Fridman
Employee
Employee
‎2019-04-30 04:14 AM
Jump to solution

Hi Jerry,

 

Please go over the Threat Prevention Policy rules [Security Policies > Threat Prevention > Each Threat Prevention Layer] and make sure the Security Gateway with the IPS blade is not directly selected as an Install On target.

If it is, try changing the Install On for each rule so that it is * Policy Targets and then try disabling the IPS blade.

 

HTH

Tal

Jerry
Mentor
Mentor
‎2019-04-30 04:47 AM
In response to Tal_Paz-Fridman
Jump to solution

2.PNG

 

see below Tal. I have never had here any "targets" selected though I don't think this applies to my case.

Now the GW has IPS blade enabled, and after the complete reboot of the GW all seems just fine:

3.PNG

I have really no clue why I couldn't "deselect" blade on GW object and save it 1h ago.

Jerry
Wolfgang
Authority
Authority
‎2019-04-30 05:25 AM
In response to Jerry
Jump to solution

Jerry,

that's magic. Maybee some earth rays or other things in the air are affecting the SMS..

I love our IT job, normally it consist of 0 and 1 but sometimes something between 8) 

Wolfgang

Tony_Graham
Advisor
‎2023-05-15 12:50 PM
In response to Tal_Paz-Fridman
Jump to solution

I am also having problems disabling IPS. Exactly the same situation as the original poster.

 

0 Kudos
the_rock
Legend
Legend
‎2023-05-15 12:56 PM
In response to Tony_Graham
Jump to solution

I remember one time I had this problem ages ago, I changed something in Guidbedit to make it work, but it was more than 10 years ago, so definitely before R80 version. Can you send a screenshot?

Andy

0 Kudos
Tony_Graham
Advisor
‎2023-05-15 01:10 PM
In response to the_rock
Jump to solution

pic1.png

pic2.png

0 Kudos
the_rock
Legend
Legend
‎2023-05-15 01:19 PM
In response to Tony_Graham
Jump to solution

I found some posts where it says to remove scheduled ips updates (if enabled) and also remove from here, IF its enabled

Andy

Screenshot_1.png

Tony_Graham
Advisor
‎2023-05-15 01:29 PM
In response to the_rock
Jump to solution

I don't have anything under Install On other than 'Policy Targets'. Nothing specific. I unchecked IPS updates and now the entire dialog for IPS updates is gone (edit: It seems it changed the focus from Threat Prevention to Updates which is why it disappeared. I had to click back on Threat Prevention>Updates to get back to where I was.)

0 Kudos
Tony_Graham
Advisor
‎2023-05-15 01:36 PM
In response to Tony_Graham
Jump to solution

I have a Geo Policy defined but there is no way to tell it NOT to install on this device I am trying to remove IPS from without impacting the device I don't want to. I can 'view' the items under Gateways but you cannot manipulate them. So you cannot really say, hey don't push Geo Policy to X device, at least I don't know how you would do that. I believe Geo Policy is a part of IPS so that could be what is stopping it from being deactivated.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-15 03:29 PM
In response to Tony_Graham
Jump to solution

Yes, the legacy GeoPolicy requires IPS.
See: https://support.checkpoint.com/results/sk/sk16921

From R80.20 and above, you can use Updatable Objects for various locations in your regular Access Policy.
This does not require IPS.

the_rock
Legend
Legend
‎2023-05-15 02:33 PM
In response to Tony_Graham
Jump to solution

I think what @Timothy_Hall gave makes total sense. Follow those instructions and let us know what gives.

Andy

Timothy_Hall
Legend Legend
Legend
‎2023-05-15 02:29 PM
In response to Tony_Graham
Jump to solution

Right-click on the gateway object and select "Where Used".  That should help you figure out where the reference to that object is that is blocking you.  My guess is you are referencing that particular gateway for "Install On" in a custom Threat Prevention rule, IPS ThreatCloud exception or possibly even a Core Activations exception.

Geo Policy is not part of IPS starting in R80 (and this feature is now deprecated) but there still may be some remaining hooks to IPS here as I sometimes still notice references to IPS in the logs for Geo Policy drops.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Tony_Graham
Advisor
‎2023-05-15 02:53 PM
In response to Timothy_Hall
Jump to solution

Under Objects there was IPS Scheduled Update. I had tried fussing with that earlier based on what Andy suggested,

so I went back and revisited it. I toggled it to 'install on specific' and 'back to Install' on all clicked okay.

Went back and tried to disable IPS and this time it worked. Yay team.

0 Kudos
the_rock
Legend
Legend
‎2023-05-15 02:55 PM
In response to Tony_Graham
Jump to solution

Good job @Tony_Graham 💪💪

0 Kudos
Tony_Graham
Advisor
‎2023-05-15 02:59 PM
In response to the_rock
Jump to solution

So I have an unrelated, related question. If you push a policy that contains IPS, for instance you shotgun out a policy to all gateways, does CP know that since the blade isn't running on that device to just drop the rules or does it get the whole policy but just ignores the bits it cannot enforce. Is there a benefit to pushing different policies since the ruleset would be less complicated?

0 Kudos
the_rock
Legend
Legend
‎2023-05-15 03:08 PM
In response to Tony_Graham
Jump to solution

Thats pretty much how it works for any blade, if blade is NOT active, rules will never apply.

Andy

0 Kudos
Tony_Graham
Advisor
‎2023-05-15 03:09 PM
In response to the_rock
Jump to solution

I assumed that but...you know about assumptions.

(1)
the_rock
Legend
Legend
‎2023-05-15 03:11 PM
In response to Tony_Graham
Jump to solution

Yea, I do know...heard that from a woman long time ago...a**...U...me 🤣🤣

Anyway, will go play some chess now, maybe beat FAKE Magnus Carlsen...aka Chat GPT chess player, where it teleports the queen from nowhere into 3rd dimension and bishop reappears from ancient times to save the game lol

Wolfgang
Authority
Authority
‎2019-04-30 04:28 AM
Jump to solution

Jerry,

we had the same problem last month.

 

0 Kudos
TP_Master
Employee
Employee
‎2019-05-02 11:23 PM
Jump to solution

Conclusion: Don't disable the IPS blade.

Why would you even want to do that? 🙂
Jerry
Mentor
Mentor
‎2019-05-03 01:26 AM
In response to TP_Master
Jump to solution

neva! 😛
Jerry
0 Kudos
Amit_Koren
Participant
‎2020-01-07 02:32 AM
In response to TP_Master
Jump to solution

I needed to disable IPS according to sk163752

I did not have a target in the Install On column of the Threat Prevention policy.

For me, the issue was that the gateway was selected under automatic install after IPS update.

I had to remove the gateway, install database and only then i could uncheck the IPS blade.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events