I have a virtualized lab on R80.30 T155, based on a MGMT and a single GW; it has a simple permission rule allowing all traffic to pass.
The Threat Prevention rule is very simple: scope ANY, OPTIMIZED profile, protections in DETECT, blades A-BOT, IPS, Threat Emulation and AV enabled, log, packet capture and forensics. I have generated not only traffic logs but also Threat logs through CheckMe (both for network and endpoint) on a machine connected behind the GW, so that when I enable the extension I can analyze them.
The problem I have is that it does not return anything. It does not give me any error in the different phases since I enabled the extension, but it tells me that I have 0 protections without HITS in DETECT for PREVENT, 0 protections with HITS in DETECT for PREVENT, and it has recognized no application, so it does not generate any profile for me; however, the Threat Prevention and App logs are there.
I launch Tailored Safe as admin, as a super-user.
I have tried deactivating the blades and reactivating them, putting TE, IPS and A-BOT in Detect Only and launching it, putting everything back to "according to policy", reinstalling the extension from the repository mentioned by the SK, checking that the logs are there and growing, ...
Do I have to enable SmartEvent / SmartEvent correlation or something else in the SMS? Based on the SK that describes the extension, this is not needed.