Inspection Settings Exception "install on" gateway missing
I've got an internal departmental firewall. I need to create an Inspection Settings Exception for a particular TCP inspection, but when I try to create the exception, in the "Install On" selection this particular departmental firewall is not listed. I do not yet have Threat Prevention/IPS enabled on this departmental FW. Is that why this gateway does not show up in the inspection settings exception "install on"?
Thanks.
Q
Accepted Solutions
Hi,
I can confirm the issue exists. Thank you for reporting it.
We will investigate and fix the issue as part of the JHFs.
I will update here once we know what JHFs will include the fix.
Hmm, are you sure it is an Inspection Setting and not a Core Activation (shield w/ firewall icon)? There is a known issue that sounds just like your problem: sk168474: Gateways disappear from IPS Core protections list. This is mentioned in my IPS Immersion course which is in the process of being updated for R80.40 and adding AV, ABOT, and HTTPS Inspection coverage.
now available at maxpowerfirewalls.com
sk168474 was solved and the fix is included in:
- Jumbo Hotfix Accumulator for R81 starting from Take 10
- Jumbo Hotfix Accumulator for R80.40 starting from Take 87
- Jumbo Hotfix Accumulator for R80.30 starting from Take 221
- Jumbo Hotfix Accumulator for R80.20 starting from Take 187
Thanks Tim. Nope, it's a wrench icon which is supposed to be Inspection Settings I believe...?
Yes a wrench icon is Inspection Settings. The gateway in question isn't R77.30 or earlier is it? Inspection Settings were part of IPS in that version and IPS must be enabled on that gateway to configure and utilize them. On R80.10 and later gateways Inspection Settings are completely part of the Access Control policy, and should be able to be applied on any gateway that has the "Firewall" blade enabled regardless of IPS activation state.
Tim, thanks. Okay, I thought that Inspection Settings were separate from IPS now, so that's why I'm puzzled. R81 for mgmt, and R80.10 and R80.30 for the firewalls, because I actually have multiple departmental firewalls with this same issue in which "install on" doesn't show the firewalls.
I was able to reproduce this in my lab and you are right, when creating an Inspection Settings exception any gateway that does not have the IPS blade enabled won't appear as selectable in the Install On field. This is the case under both R80.40 and R81 management, so it is not a visual glitch in the SmartConsole GUI on R81. To me there is no clear technical reason why this would be the case as Inspection Settings are supposedly fully part of the Access Control blade in R80.10+, but there may be some obscure limitation concerning Inspection Settings exceptions that still require some kind of hook through the IPS blade since Inspection Settings were once a part of that.
This is the kind of limitation I'd expect to see for exceptions concerning the oddball 39 Core Activations, but exceptions can be added for those regardless of IPS blade status no problem. In my opinion the ability to create Inspection Settings exceptions on gateways where IPS is disabled is being improperly blocked by the SmartConsole GUI, and this limitation does not seem to be documented anywhere that I can find. Tagging @Dorit_Dor.
I tested this on both R80.40 and R81 without the IPS blade on and it worked just fine; I can see the gateway listed there in the drop-down menu when creating an exception. Though, as @Dorit_Dor mentioned in her response, I do have jumbo takes higher than what the sk references, so it's possible that's why it worked, not sure.
My original testing was for R80.40 vanilla, just loaded the latest Take 120 and it still acts exactly the same: IPS must be enabled for the gateway to be selected when adding an Inspection Settings exception. Try it in the R80.40 or R81 SmartConsole in demo mode and you'll see what I mean, just be sure to publish (and perhaps Install Database) any time the state of IPS is toggled.
I totally know what you mean :-). I did it with IPS DISABLED and it worked perfectly fine, no issues; I can see the column to install on with the gateway I'm testing with.
To add further to this discussion, I built a clean R81.10 lab, as well as upgraded an existing lab to R81.10 (one standalone and one distributed) with IPS disabled on both, and have not seen this problem on either one.
Thanks very much everybody for all the responses on this. Appreciate it.
Quentin
A followup question. I don't have an IPS SW subscription for this departmental firewall, but I should at least be able to enable IPS on it if I wanted to as one possible workaround if I wanted to, correct? I'm licensed for IPS, but don't have an IPS subscription on this FW, but IPS should still work as is. Is that correct?
Thanks.
Yes that should work and solve your problem. Without a valid IPS contract I think you will get a warning when installing policy and only the few "out of the box" IPS signatures will work. I'd advise setting it for Detect Only when you get prompted upon enabling it if you aren't going to tune it further.