Solved: Re: Inspection Settings Exception "install on" gat... - Check Point CheckMates
Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Quentin_Antrim
Participant
Jump to solution

Inspection Settings Exception "install on" gateway missing

I've got an internal departmental firewall.   I need to create an Inspection Settings Exception for a particular TCP inspection, but when I try to create the exception, in the "Install On" selection this particular departmental firewall is not listed.   I do not yet have Threat Prevention/IPS enabled on this departmental FW.   Is that why this gateway does not show up in the inspection settings exception "install on"?

Thanks.

Q

1 Solution

Accepted Solutions
Alon_Alapi
Employee Alumnus
Employee Alumnus

Hi,

I can confirm the issue exists. Thank you for reporting it. 

We will investigate and fix the issue as part of the JHFs.

I will update here once we know what JHFs will include the fix.

 

View solution in original post

14 Replies
Timothy_Hall
Legend Legend
Legend

Hmm, are you sure it is an Inspection Setting and not a Core Activation (shield w/ firewall icon)?  There is a known issue that sounds just like your problem:   sk168474: Gateways disappear from IPS Core protections list.  This is mentioned in my IPS Immersion course which is in the process of being updated for R80.40 and adding AV, ABOT, and HTTPS Inspection coverage.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Dorit_Dor
Employee
Employee

Sk168474 was solved and the fix is included in:

 

Quentin_Antrim
Participant

Thanks Tim.  Nope, it's a wrench icon which is supposed to be Inspection Settings I believe...?

Timothy_Hall
Legend Legend
Legend

Yes a wrench icon is Inspection Settings.  The gateway in question isn't R77.30 or earlier is it?  Inspection Settings were part of IPS in that version and IPS must be enabled on that gateway to configure and utilize them.  On R80.10 and later gateways Inspection Settings are completely part of the Access Control policy, and should be able to be applied on any gateway that has the "Firewall" blade enabled regardless of IPS activation state.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Quentin_Antrim
Participant

Tim, thanks.   Okay, I thought that Inspection Settings were separate from IPS now, so that's why I'm puzzled.   R81 for mgmt, and R80.10 and R80.30 for the firewalls, because I actually have multiple departmental firewalls with this same issue in which "install on" doesn't show the firewalls.

Timothy_Hall
Legend Legend
Legend

I was able to reproduce this in my lab and you are right, when creating an Inspection Settings exception any gateway that does not have the IPS blade enabled won't appear as selectable in the Install On field.  This is the case under both R80.40 and R81 management, so it is not a visual glitch in the SmartConsole GUI on R81.  To me there is no clear technical reason why this would be the case as Inspection Settings are supposedly fully part of the Access Control blade in R80.10+, but there may be some obscure limitation concerning Inspection Settings exceptions that still require some kind of hook through the IPS blade since Inspection Settings were once a part of that.

This is the kind of limitation I'd expect to see for exceptions concerning the oddball 39 Core Activations, but exceptions can be added for those regardless of IPS blade status no problem.  In my opinion the ability to create Inspection Settings exceptions on gateways where IPS is disabled is being improperly blocked by the SmartConsole GUI, and this limitation does not seem to be documented anywhere that I can find.  Tagging @Dorit_Dor.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

I tested this on both R80.40 and R81 without ips blade on and it worked just fine, I can see gateway listed there in drop down menu when creating an exception. Though, as @Dorit_Dor mentioned in her response, I do have jumbo takes higher than what sk references, so its possible thats why it worked, not sure.

Timothy_Hall
Legend Legend
Legend

My original testing was for R80.40 vanilla, just loaded the latest Take 120 and it still acts exactly the same: IPS must be enabled for the gateway to be selected when adding an Inspection Settings exception.  Try it in the R80.40 or R81 SmartConsole in demo mode and you'll see what I mean, just be sure to publish (and perhaps Install Database) any time the state of IPS is toggled.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

I totally know what you mean :-). I did it with IPS DISABLED and worked perfectly fine, no issues, I can see column to install on with gateway Im testing with.

Alon_Alapi
Employee Alumnus
Employee Alumnus

Hi,

I can confirm the issue exists. Thank you for reporting it. 

We will investigate and fix the issue as part of the JHFs.

I will update here once we know what JHFs will include the fix.

 

the_rock
Legend
Legend

To add further to this discussion, I built clean R81.10 lab, as well as upgraded existing lab to R81.10 (one standalone and one distributed) with ips disabled on both and had not seen this problem on either one.

Quentin_Antrim
Participant

Thanks very much everybody for all the responses on this.   Appreciate it.

Quentin

 

Quentin_Antrim
Participant

A followup question.   I don't have an IPS SW subscription for this departmental firewall, but I should at least be able to enable IPS on it if I wanted to as one possible workaround if I wanted to, correct?   I'm licensed for IPS, but don't have an IPS subscription on this FW, but IPS should still work as is.  Is that correct?

Thanks.

Timothy_Hall
Legend Legend
Legend

Yes that should work and solve your problem.  Without a valid IPS contract I think you will get a warning when  installing policy and only the few "out of the box" IPS signatures will work.  I'd advise setting it for Detect Only when you get prompted upon enabling it if you aren't going to tune it further.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events