Note that for Inspection Settings (wrench icon) and Core Activations (shield w/ firewall icon), packet captures will not be taken at all unless the Capture Packets checkbox is explicitly set on the configuration screen of the individual Core Activation or Inspection Setting itself, because these Protections are (more or less) part of the Access Control policy, not the Threat Prevention policy. The "Packet Capture" track option in the Threat Prevention policy only applies to IPS ThreatCloud protections (shield icon).
In some cases a packet capture will not be present in the logs when it seems there should be; this can be caused by the following situations as stated in the R81.20 Known Limitations:
- The detection occurred in the Check Point ThreatCloud (i.e. not locally on the gateway due to its own cache)
- There have been rapid successive, identical matches against a single IPS ThreatCloud protection, and log suppression has kicked in: sk115876: Some fields are missing from IPS or Threat Prevention logs & Max Gander: The Hidden World of Log Generation and Log Suppression at Check Point
- The Anti-Virus Deep Scan engine portion of the firewall made the determination (NEVER, EVER TURN ON DEEP SCANNING!)
- The connection was SSL/TLS encrypted by the firewall
- If multiple Detect actions occur and are logged separately for the same connection, only one of those Detect logs will have the capture available for viewing as described here: sk180652: Missing packet captures in some IPS logs, for protections with packet capture enabled
- Quantum Spark appliances (models 600-2000) do not support the packet capture capability at all, see sk178604: Check Point R81.10.X for 1500, 1600, 1800, 1900, and 2000 appliance Known Limitations.
- Note that it is possible to leverage this packet capturing feature to take "triggered" captures of arbitrary traffic that doesn't necessarily contain a threat (for information about this setup see the following CheckMates article by yours truly: Max Capture Update 1: Taking "Triggered" Packet Captures)
All of this is covered in the upcoming Check Point Threat Prevention Specialist (CTPS) course which should be available from Check Point ATCs worldwide in Q3 2024.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com