Itzel_Gtz26
Participant

IPS logs with the "Prevent" action do not show packet capture, but IPS "Detect" logs do show it

For all my IPS logs in prevent mode, I do not see the option indicating that a packet capture has been generated; however, for some of my logs in detect mode this can be observed. Does anyone know why this happens?

In the track part of my IPS policy I do have the Packet Capture option enabled.

0 Kudos
2 Replies
the_rock
Legend

I have never seen that issue in my R81.20 lab, but will check it again tomorrow and let you know. I do recall it in R81.10 though.

Andy

0 Kudos
Timothy_Hall
Legend

Note that for Inspection Settings (wrench icon) and Core Activations (shield w/ firewall icon), packet captures will not be taken at all unless the Capture Packets checkbox is explicitly set on the configuration screen of the individual Core Activation or Inspection Setting itself, because these Protections are (more or less) part of the Access Control policy, not the Threat Prevention policy.  The "Packet Capture" track option in the Threat Prevention policy only applies to IPS ThreatCloud protections (shield icon).

In some cases a packet capture will not be present in the logs when it seems there should be; this can be caused in the following situations, as stated in the R81.20 Known Limitations:

All of this is covered in the upcoming Check Point Threat Prevention Specialist (CTPS) course which should be available from Check Point ATCs worldwide in Q3 2024.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
